Building an effective cybersecurity strategy is a challenge for even the most skilled IT professionals. For the typical IT department in a mid-sized company, it may seem almost impossible. That’s especially true for IT departments that are dealing with a new multicloud or hybrid IT environment. With so many cloud platforms to choose from, how do they overcome cloud computing security risks?
Organizations today have many cloud platforms. There are public clouds, private on-premise clouds, and hosted private clouds, all of which may use different cloud platforms, often in addition to on-premise legacy systems. How does an IT department develop a single security framework for a hybrid environment?
Each of these platforms has unique security advantages and disadvantages.
Cloud platform advantages & disadvantages
Public cloud includes software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS). Public cloud applications, platforms, and infrastructure services provide organizations with a quick and affordable way to deploy computing resources without investing in hardware, software, and IT staff. The public cloud providers manage the network and IT systems, upgrade software automatically, and monitor the performance and security of the underlying infrastructure.
The downside of the public cloud, from a security standpoint, is that it operates outside of the customer’s firewall and existing security applications. In addition, the responsibility of securing public cloud applications is divided between the provider and the customer. This can be confusing to those who may believe that their cloud provider takes care of all security, from applications to infrastructure. However, you are responsible for securing whatever resources you bring to the cloud.
Private cloud (on-site or hosted)
A private cloud offers a flexible, scalable cloud architecture over which you retain full control. You can choose to locate a private cloud on-site, within the corporate firewall, or have it hosted at a nearby data center, and decide what type of hardware and security measures to use.
One major advantage of a hosted private cloud is that you can rely on the security services provided by the data center provider. The hosting data center also takes care of the physical security of the facility. Top providers of hosted private clouds will have facility security that includes 24×7 video monitoring, on-site staff, multi-factor authentication, biometric identification, and two or more security checkpoints.
Hosting data centers may also provide disaster recovery (DR) services, in case of a power failure or natural disaster. Without DR, a company is vulnerable to ransomware, as well as natural disasters. Ransomware was one of the top threats to businesses in 2019.
The flip side of having total control, however, is that you also have total responsibility for ensuring security and performance. That includes buying and deploying all security technologies, setting security policies and user access privileges, maintaining and upgrading hardware, and updating and patching software.
In hosted private cloud environments, a hosting provider may provide managed operating system, patching, and security services to assist in securing your environment. It’s important to understand the definition of the service that is offered and what is still your responsibility. For example, your hosting provider may offer endpoint protection services which would include sending an alert when there is malware found on the system, but you must still take action to remove that vulnerability if you are managing the operating system.
A note about hybrid and multicloud environments
A hybrid environment is a mix of cloud and non-cloud IT systems. A multicloud environment has multiple cloud platforms and applications. Multicloud is typically considered to be a subset of hybrid cloud.
An IBM survey found that 98% of companies will have hybrid cloud environments by 2021. Organizations adopt hybrid and multicloud environments for many different reasons. These include the need to meet diverse workload requirements, accommodate remote workers, create off-site disaster recovery, or provide on-demand computing resources during periods of peak loads.
A hybrid environment has all the challenges of the other environments, with one extra: you must bridge the disparate security systems used by each cloud provider. Ensuring cross-platform security for multicloud and hybrid environments can be a major challenge, especially for IT departments that lack cloud security expertise. Nearly half of companies with multicloud environments consider security to be their top concern, according to Forrester’s report Empower Your IT Teams with Security As A Service.
With the right planning and technologies, just about any cloud or hybrid environment can be fully secure.
Overcoming cloud computing risks starts with a Cloud Security Strategy
Good cloud security must start with a cloud security strategy. Following are the four stages of creating a cloud security framework for your cloud environments.
Audit your security practices
Most companies tend to accumulate individual security applications and practices as they buy other companies and department heads buy their own software. IT staff may not be aware of all these different systems. An experienced cloud security consultant can inventory your IT environments and assess your security practices, compliance requirements, and existing security technologies. A security consultant will identify security vulnerabilities and then collaborate with you on a cross-platform security strategy.
Develop a security strategy
A security strategy will spell out how the company plans to safeguard its data and IT systems, both cloud and non-cloud. The strategy will define all security processes and practices, including the responsibilities of employees, IT staff, and partners. It will document the controls to be used for different security concerns, such as encrypting all outgoing documents, or implementing multi-factor authentication for access to the company’s network. (The Cloud Security Alliance’s Cloud Controls Matrix lists possible security controls. Another excellent resource for IT security controls is the NIST Special Publication 800 series.)
Examples of areas to cover in a security strategy are:
- types of critical data, access control and data encryption
- data retention, backups and disaster recovery
- compliance requirements
- remote work and use of mobile devices
- password security
- employee training
Implement cloud security technology
Two applications useful for implementing cloud security are cloud access security brokers (CASB) and identity and access management (IAM).
A CASB is a policy enforcement “gateway” that is deployed between the end users and the cloud. Users access their work applications through the CASB, ensuring that all activity complies with company policies and protocols.
IAM controls access privileges to data and cloud resources. IAM authenticates end-users and imposes role-based authorization, so that different types of end users can be assigned different privileges. In the case of pre-existing IAM applications, you may have to bridge the different systems using an identity broker and an open standard such as Security Assertion Markup Language (SAML).
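To make the identity-broker idea concrete, the following added example (not from the original article or from any vendor it names) shows a broker translating group attributes from two pre-existing identity providers' SAML assertions into one common role set, then applying a role-based authorization check. The issuer URLs, group names, role names and permission strings are hypothetical, and the code assumes each assertion's signature, audience and expiry were already validated by a SAML library before it is called.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical broker config: per trusted issuer, the attribute that carries
# group membership and how that IdP's group names map to common roles.
IDP_MAPS = {
    "https://idp.legacy.example/saml": ("memberOf", {
        "CN=Finance": "finance-analyst", "CN=IT-Admins": "cloud-admin"}),
    "https://idp.cloud.example/saml": ("groups", {
        "fin-users": "finance-analyst", "platform-ops": "cloud-admin"}),
}
ROLE_PERMISSIONS = {
    "finance-analyst": {"reports:read"},
    "cloud-admin": {"reports:read", "vm:start", "vm:stop"},
}

def roles_from_assertion(assertion_xml):
    """Translate one IdP's group attributes into the broker's common roles.

    Assumes signature, audience and expiry checks already passed upstream.
    """
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in IDP_MAPS:
        raise PermissionError(f"untrusted issuer: {issuer!r}")
    attr_name, group_map = IDP_MAPS[issuer]
    roles = set()
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attr_name:  # only the attribute configured for this IdP
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            role = group_map.get((value.text or "").strip())
            if role:  # unmapped groups grant nothing (deny by default)
                roles.add(role)
    return roles

def is_authorized(assertion_xml, permission):
    """Role-based check: allow only if some mapped role holds the permission."""
    return any(permission in ROLE_PERMISSIONS[r]
               for r in roles_from_assertion(assertion_xml))

def make_assertion(issuer, attr, values):
    """Build a constructed, unsigned sample assertion for the demo."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:Issuer>{issuer}</saml:Issuer><saml:AttributeStatement>"
            f'<saml:Attribute Name="{attr}">{vals}</saml:Attribute>'
            f"</saml:AttributeStatement></saml:Assertion>")
```

Keeping the attribute name and group map per issuer means a group value that is meaningful at one identity provider grants nothing when it arrives from another, which is the failure mode to watch for when bridging IAM systems.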
Consider a managed security services provider (MSSP)
Few companies can afford to have the in-house expertise needed to plan, implement, and maintain a hybrid, multicloud security environment. Instead, they may turn to an MSSP who can map out a cross-platform strategy, help the customer select the appropriate security technologies, and handle the deployment and management of the solution. A security services provider should have certified expertise in a range of cloud and non-cloud security requirements, including government compliance, and have partnerships with leading cloud services providers, such as Amazon, Dell EMC, Nutanix, and Microsoft.
We can help you overcome those cloud risks
Ensuring security for a hybrid and multicloud environment is a common topic. Learn more about it by downloading TierPoint’s Strategic Guide to IT Security. Also, visit TierPoint’s security services page for information on how TierPoint’s consulting and managed services can improve your IT security.