I recently walked you through a checklist of what CIOs need to know about hybrid cloud—the IT sweet spot that marries in-house and cloud-based infrastructure—and what it could mean to their organizations. With all its versatility and promise, there is no doubt that hybrid clouds are the future for many at the enterprise level. But with all that versatility and promise come a few concerns, namely how to maintain privacy and security while operating partly within a public domain that is, by its very nature, vulnerable to third-party interference. Well, the good news is that maintaining security on a hybrid cloud model is definitely possible, but because it’s also laden with moving parts and many variables, you’ll need to adopt a new way of approaching information security—and we’re not talking about your grandpa’s firewalls.
Well, okay, perimeter-based controls (like firewalls and log management) do still have a place—albeit a small one—when we’re talking about cloud security tools. Just because the hybrid cloud is something new doesn’t mean all your traditional security measures are now obsolete. It’s just that now, instead of standing alone, traditional security measures become pieces in the hybrid cloud security puzzle. And while it can feel confusing, due to the many “right ways of doing things” when it comes to hybrid cloud and security, there is also, happily, some common ground. Let’s break it all down.
Before you Make a Move, Make a Prioritized Plan
Understand that there will be a learning curve as you navigate the duality of hybrid cloud security. So, if you’re just getting started, create a plan hinged on prioritization and held together by boundaries. (It’s important to note here that the best strategies involve starting with security tools native to the cloud and branching outward from there, but use your best judgment when deciding what route to take.) As you begin to move assets, work slowly and start with those that are lower-risk. Do you have some marketing collateral? Most things customer-facing aren’t going to contain anything proprietary, so consider starting there. Oh, and here’s a bonus: save money by not purchasing a new storage area network just to back up non-critical data! Just move it to the cloud instead of keeping it on-premises.
Note that you’ll need to work on data classification to efficiently pinpoint what can enter the cloud (and what you should keep to yourself). This data classification should be visible to all who interact with the information to avoid costly mistakes. In other words, everyone who has the capacity to move a piece of information from private to public should know its classification and understand the implications of improper handling. Thorough communication is key. Also, take a look at your applications—how complex are they and how sensitive is the data within each? Pick out the ones that are the most proprietary and evaluate their placement in your hybrid cloud model.
Separate Workloads to Narrow Down Hybrid Cloud Data Placement
Evaluating application placement—and with that, of course, data placement—within a hybrid cloud model is key to properly protecting your information and assets.
A lot of CIOs think of their company’s IT strategy in terms of separating workloads: The core of your business is what sets you apart and makes you profitable. Build and cultivate those core functions on-premises in the private half of your hybrid cloud model. The other workload, the enterprise workload, contains functional applications like messaging, customer relationship management, and supply chain management—those are the nuts and bolts that keep your company running, and where you can consider using a public cloud provider to round out the other side of your hybrid model.
Fortify Authentication Methods and Embrace Encryption
The login process for those who have secure cloud access should be supported and substantial. To accomplish this, make use of both multifactor authentication (MFA) and single sign-on (SSO) methods. Two URLs are provided in this setup: administrators log in to a management portal, and general users have another portal with built-in permissions. Many SSO products automate application logins, and some can even require MFA where it is better suited. The resulting combination is a system that encourages setting workforce security levels that match data accessibility. Plus, you don’t have to count on users to choose individual passwords (and worry about them being weak).
There are additional security fortification steps you can take beyond passwords and login screens. If you’re taking the hybrid cloud road and don’t currently encrypt file transfers and emails, you’ll definitely want to add it to your to-do list for confidential collateral exchanges or other communications. (Think correspondence or file sharing among governing agencies, for example.) For emails, zero-knowledge clients use a shared passphrase that decrypts messages. When it comes to file sharing, some services even offer encryption at all stages of transmission—from standstill to delivery.
Define Who Controls your Virtual Machines and Target Workloads with Virtual Containers
Virtual machines (VMs) are powerful computing tools, and maintaining proper permissions for them is imperative to the safety of your information. To make sure the appropriate people have permissions for, and access to, only the appropriate functions on their VMs, consider using a product that focuses on granular access controls. Use these tools in the cloud or out of it; they’re versatile and necessary additions to your hybrid cloud security plan.
Virtual containers—portable packages containing complete file systems—are so powerful that some have even called for them to replace VMs altogether in cloud environments. Although I don’t think we’re quite there yet, there is a lot of merit to virtual containers as a tool for security in the hybrid cloud. With an additional nod to efficiency, a virtual container allows you to initiate a virtual process or series of processes automatically without having to load the whole VM, reducing both the third-party risk and margin for error.
Be Safe Out There Among the [Hybrid] Clouds.
Information drives us all—the information we have, the information we need, the information we’re seeking. Data is the blood pumping through the veins of the enterprise, and we all want to protect what’s proprietary within our organizations. It’s no wonder, then, that sending our information to the cloud is a big decision for companies and their IT teams. The good thing is that while it requires a leap of faith to get going, with the right measures in place and the use of a combination of public and private cloud where applicable, you can be confident that data and proprietary information are safe and secure.
I hope that, after reading this, you feel better equipped to address hybrid cloud security at work. Tell me . . . if you’ve adopted a hybrid cloud model, how have you addressed privacy and security needs? If you’re on the fence, what are your concerns? I’d love to hear your thoughts.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site Power More. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.