Developing a Secure Hybrid Cloud Environment
A thoughtful approach to security can succeed in mitigating many security risks in a hybrid cloud environment. To develop a secure hybrid environment, you must assess the current state of your security strategy as well as the security strategy offered by your cloud provider.
Assess your current state of security
In a hybrid environment, security starts with assessing your current state. You may begin by answering a set of questions that can help you form your approach to your security strategy. Here are some important questions to consider:
Have you evaluated your own traditional security infrastructure recently?
How do you control access rights to applications and networks — both those within your company and those outside your firewall? Who has the right to access IT resources? How do you ensure that only the right identities gain access to your applications and information?
Can you identify web application vulnerabilities and risks and then correct any weaknesses?
Do you have a way of tracking your security risk over time so you can easily share updated information with those who need it?
Are your server environments protected at all times from external security threats?
If you are using encryption, do you maintain your own keys or get them from a trusted, reliable provider? Do you use standard algorithms?
Can you monitor and quantify security risks in real time?
Can you implement security policies consistently across all types of on-premises and cloud architectures?
How do you protect all your data no matter where it’s stored?
Can you satisfy auditing and reporting requirements for data in the cloud?
Can you meet the compliance requirements of your industry?
What is your application security program?
What are your disaster and recovery plans? How do you ensure service continuity?
Assess your cloud vendor’s security
A hybrid cloud environment poses a special set of challenges when it comes to security and governance. Hybrid clouds use your own infrastructure plus that of your service provider. For example, data may be stored on your premises but processed in the cloud. This means that your on-premises infrastructure may be connected to a more public cloud, which is going to affect the kinds of security controls you need.
Controls must be in place for perimeter security, access, data integrity, malware, and the like — not only at your location, but also with your cloud provider. Cloud service providers each have their own way of managing security. They may or may not be compatible with the compliance and overall security plan of your organization. It’s absolutely critical that your company not bury its head in the sand by assuming that the cloud provider has security covered.
You need to verify that your cloud provider ensures the same level of security that you demand internally (or a superior level, if you’re looking to improve your overall security strategy). You must ask a lot of hard questions to guarantee that your company’s security and governance strategy can be integrated with your provider’s.
Here are some tips that can get you started and that may also be useful in assessing your security strategy:
Visit the facility unannounced in order to understand what physical security measures are in place. According to the CSA, this means walking through all areas, from the reception area to the generator room and even inspecting the fuel tanks. You also need to check for perimeter security (for example, check how people access the building) and whether the operator is prepared for a crisis (for example, fire extinguishers, alarms, and the like).
Check where the cloud provider is located. For example, is it in a high crime area or an area prone to natural disasters such as earthquakes or flooding?
What sort of up-to-date documentation does the cloud provider have in place? Does it have incident response plans? Emergency response plans? Backup plans? Restoration plans? Background checks of security personnel and other staff members?
What sort of certifications does the provider hold? Do cloud security personnel have certifications such as CISSP, CISA, and ITIL?
Find out where your data will be stored. If your company has compliance regulations it must meet about data residing in foreign countries, this is important to know.
Find out who will have access to your data. Also check to see how data will be protected.
Find out more about the provider’s data backup and retention plans. You will want to know if your data is commingled with other data. If you want your data back when you terminate your contract, these issues may be important.
How will your provider prevent denial-of-service (DoS) attacks?
What sort of maintenance contracts does your provider have in place for its equipment?
Does your cloud provider continuously monitor its operations? Can you have visibility into this monitoring capability?
How are incidents detected? How is information logged?
How are incidents handled? What is the definition of an incident? Who is your point of contact at your service provider? What are the roles and responsibilities of team members?
How does your provider handle application security and data security?
What metrics does your cloud provider monitor to ensure that applications remain secure?
Given the importance of security in the cloud environment, you might assume that a major cloud service provider will have a set of comprehensive service level agreements for its customers. In fact, many of the standard agreements are intended to protect the service provider — not the customer. So, your company really must understand the contract as well as the infrastructure, processes, and certifications your cloud provider holds.
You must clearly articulate your cloud security requirements and governance strategy and determine accountability. If your cloud provider doesn’t want to talk about these items, you should probably consider a different cloud provider. On the other hand, your cloud provider may actually have some tricks up its sleeve that can improve your own security!