Everyone in Silicon Valley and the tech industry, in general, is talking about “The Cloud.” “The Cloud” is something that’s not only trendy but also very useful for business. Why deal with the burden of running your own datacenters when companies like Amazon, Google and Microsoft offer third-party cloud services that will be less expensive for your enterprise in the long run?
Let a company with their own massive datacenters on every major continent handle your internet-driven backend. You don’t need the huge amount of space and overwhelming electricity costs that are required to run your own datacenter. The leading corporations in the cloud services space have all of the expensive infrastructure, constant staffing and expertise.
There’s a lot of jargon in the cloud services space which you may be unfamiliar with if your business is shopping for cloud services for the first time. “Hybrid cloud” is one of the phrases you’ll see, and it’s no mere buzzword.
What’s a hybrid cloud?
A hybrid cloud combines a public cloud and a private cloud as one computing system.
A public cloud is the sort of thing I mentioned at the beginning of this piece. It’s what you get when you use third-party cloud services, such as Amazon’s AWS, Microsoft’s Azure, or Google’s Cloud Platform. You’re responsible for the security of your data, and they’re responsible for securing the infrastructure that your data runs on.
A private cloud is hosted on infrastructure that’s only accessible to specific users in one organization. Sometimes a private cloud can be hosted in a datacenter on a company’s own premises. Other times, a private cloud is hosted on a third-party’s infrastructure, but your company is the only external entity that can access the particular server machines that the cloud runs on. Private clouds offer enterprises more control than public clouds, but they’re more expensive and take more work to deploy.
So, a hybrid cloud offers the best of both worlds. Your enterprise might categorize your cloud data into two groups: low- or medium-sensitivity data, and highly sensitive data. Regulations particular to your company’s jurisdiction and industry may provide a framework for determining which types of data are more sensitive than others and how the different security levels should be managed. A sensible approach delegates your less sensitive data to your public cloud and your highly sensitive data to your private cloud. But even your less sensitive data in your public cloud should be secured as much as possible. Cybersecurity services can be deployed to secure both the private and public components of your hybrid cloud.
5 key considerations for keeping your hybrid cloud secure
These are the five most important things to consider in order to keep every component of your hybrid cloud secure.
1. Compliance is a special challenge
By design, your hybrid cloud will be hosted in two or more datacenters with multiple groups of networking professionals tending to them. The different companies involved (including yours) will each have their own cybersecurity policies and procedures. A hybrid cloud offers your enterprise the benefits of both a private cloud and a public cloud, but the multiple facets of such a system pose a special challenge when it comes to security compliance.
Make sure to examine the policies and regulatory compliance of your private cloud, of your public cloud, and then the overall compliance of both your private and public clouds as one integrated system. Your overall hybrid cloud compliance should be checked regularly.
2. Remember to protect your intellectual property
Your hybrid cloud will have data that pertains to your company’s own intellectual property. That can include proprietary software code created by your own developers and sensitive corporate data contained in documents and digital media files.
Your enterprise should create a permission matrix. Which internal and external entities should have access to which sensitive data? Your permission matrix should be designed based on a “need-to-know” basis. Which roles inside and outside of your company need access to which of your company’s intellectual property? No one should know more than they need to know in order to do their jobs. Your permission matrix should be applied to data both in your public cloud and in your private cloud as a singular reference.
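As an added illustration (not from the original article), here is one way to keep a single need-to-know permission matrix as the one reference for both clouds, with default deny, a reverse view for access reviews, and checks that tie the matrix back to the sensitivity-based placement described earlier. The roles, asset names and inventory are constructed samples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: str  # "low", "medium" or "high"
    cloud: str        # "public" or "private": where the asset actually lives


# Constructed sample inventory spanning both halves of a hybrid cloud.
ASSETS = [
    Asset("marketing-site-assets", "low", "public"),
    Asset("build-logs", "medium", "public"),
    Asset("app-source", "high", "private"),
    Asset("customer-records", "high", "public"),  # deliberately misplaced sample
]

# One need-to-know matrix (role -> asset names), consulted for BOTH clouds.
# Anything not listed here is denied.
PERMISSION_MATRIX = {
    "developer": {"app-source", "build-logs"},
    "marketing": {"marketing-site-assets", "old-campaign-archive"},  # stale grant
    "support-contractor": {"customer-records"},
}


def is_allowed(role: str, asset_name: str) -> bool:
    """Default-deny lookup: a role may touch only what the matrix grants it."""
    return asset_name in PERMISSION_MATRIX.get(role, set())


def who_can_access(asset_name: str) -> list[str]:
    """Reverse view for access reviews: which roles currently hold this asset."""
    return sorted(r for r, grants in PERMISSION_MATRIX.items() if asset_name in grants)


def misplaced_assets(assets=ASSETS) -> list[str]:
    """Highly sensitive assets that ended up in the public cloud."""
    return [a.name for a in assets if a.sensitivity == "high" and a.cloud == "public"]


def dangling_grants(assets=ASSETS) -> list[tuple[str, str]]:
    """Grants pointing at assets no longer in the inventory (need-to-know gone stale)."""
    known = {a.name for a in assets}
    return sorted((role, name) for role, grants in PERMISSION_MATRIX.items()
                  for name in grants if name not in known)
```

Running the two checks on every inventory change, rather than once at deployment, is what keeps the matrix a living reference instead of a document.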
3. Check for security tool compatibility
Your private cloud could be using one set of security tools, such as firewalls, IPS devices and antivirus software. Your public cloud might be using a different set of security tools. In a hybrid cloud, your private cloud and your public cloud are integrated, so your different sets of security product and service vendors should play nicely with each other. That’s especially important if the network logs from both your public and private clouds are fed into the same SIEM, which is a good idea if it’s possible for your hybrid cloud.
4. Risk assessment needs as much “uptime” as your servers do
Constant risk assessments must be performed for each facet of your hybrid cloud and for your entire hybrid cloud system as a whole.
A software composition analysis can examine which third-party code libraries might compromise the applications they’re used in. Penetration testing and technical vulnerability assessments can help determine your hybrid cloud’s overall security posture. Vendor risk assessments look at each vendor your enterprise uses and how their approaches to security affect the security of your hybrid cloud.
Your hybrid cloud system will change over time. New server machines will be introduced to both your private and public clouds. New applications will be deployed. The data you run in your cloud will change. That’s why risk assessments must be done frequently in order to know how to keep your entire cloud secure. Leave no stone unturned!
5. Watch your APIs and encrypt as much as possible
All of the Application Programming Interfaces to your cloud software, both those developed by third parties and possibly ones created by your own developers, need to be watched very carefully. As I wrote in 6 Top Cloud Security Threats in 2018:
In many cloud systems, APIs are the only facets outside of the trusted organizational boundary with a public IP address. Exploiting a cloud API gives cyber attackers considerable access to your cloud applications. This is a huge problem!
Cloud APIs represent a public front door to your applications. Secure them very carefully.
While you secure your hybrid cloud’s APIs, you should also limit how much plaintext travels across your network and the internet. Both the data that goes from your hybrid cloud to the public internet and the data that travels inside your hybrid cloud can be subject to man-in-the-middle attacks.
Deploy VPNs as much as you can. Your employees and contractors should use a VPN client in order to access your cloud, which will ensure that data they receive from your cloud is encrypted in transit. Every endpoint that communicates with your cloud should have proper authentication systems to protect access to cryptographic keys. SSL/TLS should be deployed to manage server authentication. Any traffic which can’t be encrypted by any other means can be tunneled through Secure Shell (SSH). Reducing plaintext transmission to zero is ideal.
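An added example, not from the article, showing what “TLS for server authentication” means on the client side: the weak “just make it connect” configuration beside the hardened one, and a small audit that flags the difference. It uses only Python’s standard ssl module and builds contexts without opening any connection.

```python
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings a reviewer would raise against a client-side TLS context."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("permits TLS older than 1.2")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """Encrypted but unauthenticated: any server, including an interceptor, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Server authentication as the article asks for: trusted CAs, name check, TLS 1.2+."""
    ctx = ssl.create_default_context()  # loads system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, audit_tls_context(ctx) or ["no findings"])
```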
Learn more about how Tripwire can help secure your assets across physical, virtual, private and public cloud environments here.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.