With almost every company moving toward using the cloud in some part of the business, the mixture of cloud services, cloud infrastructure and on-premises technology has become a reality for most companies.
While about two-thirds of companies acknowledge that they operate in a hybrid-cloud environment, another 18 percent have IT environments that qualify as hybrid-cloud as well, according to Microsoft's State of the Hybrid Cloud 2017 report.
"You don't have an option today," said Rajiv Gupta, senior vice president of McAfee's Cloud Security Business Unit. "I have not met an organization that thinks they have an option to not use the cloud, so everyone is in a hybrid environment."
This type of environment is becoming the default use case of cloud, said David Linthicum, an independent cloud-management consultant, who uses the term "pragmatic hybrid cloud" to differentiate the messy reality of corporate IT with the more straight-laced definition of hybrid cloud as a mix of public- and private-cloud infrastructure.
"Pragmatic hybrid cloud seems to be the trend right now," he said.
Information-technology environments that mix on-premise networks and cloud services tends to be chaotic, and difficult to secure. Companies need to abstract their approach to securing the technology and simplify their infrastructure to ease the challenges, experts told eWEEK.
1. Start with a new project and iterate
The largest hybrid-cloud problem for many companies are that they are taking on far too much, far too quickly. As a result, security gets left behind in the confusion. Rich Mogull, CEO and analyst of cloud-management consultancy Securosis, has seen companies' cloud projects flounder because they try to jump into the cloud with both feet, rather than dipping a toe into the water.
"I've had multiple clients that I have worked with, where something comes down from management that we are going to go cloud first," he said. "But there is really no central control” in terms of security policies that are in place. As a result, “it turns into a big, ugly mess. I've seen that a few times," Mogull said.
Mogull recommends that companies start with a totally new project, rather than move an existing on-premises application to the cloud—the so-called "lift and shift." While many cloud-security providers focus on inventory assets, he disagrees: You will never find all of your assets, and the project is too big to take on as the initial task.
2. Don't count on either your network or the cloud being secure
Most companies already have concerns about the degree to which their data is protected in the cloud. Yet, those same organizations assume that they can keep attackers out from their on-premises infrastructure.
Instead, companies should accept that attackers will be insider their network at some point in time.
"The biggest mistake that companies make is assuming that anything on premises is secure—Equifax has proven that; Target has proven that," said Amir Sharif, co-founder and vice president of business development at container-security firm Aporeto.
"When people think they are operating in a mixed environment, they are taking mental shortcuts that are leading down the wrong path," he said. "The right assumption has to be that everything I have is effectively exposed to the internet. You have to operate in a zero-trust environment."
3. Focus on protecting the most important assets—the data
As devices have proliferated, the number of locations were business data can reside has exponentially increased—from the mainframe four decades ago, to PCs three decades ago, to mobile devices and the cloud over the last decade.
"We have to treat the data the same, no matter where it is, because the threats to our data are the same," said McAfee's Gupta.
Many companies attempt to protect the data by restricting the access to information through network controls. But in the hybrid world, that whole network-centric model becomes less meaningful, Gupta said.
"Focus on what you really care about, which is your data—that is your most important asset—not the network, not the device, but your data," he said. "The best CISOs treat their entire environment as infected and protect the data under that assumption."
4. Simplify identities and use single sign-on technologies
With the average employee using 36 cloud services at work, companies seeking to reduce the complexity of their mixed cloud and on-premises environments should consolidate those identities as much as possible.
Many cloud providers—such as Amazon Web Services and Microsoft's Azure—offer ways to bring together a user's identities. Identity-management providers give users a single portal to connect to corporate services. Such capabilities are necessary to allow companies to normalize their access controls.
"Federated identity is absolutely crucial," said Securosis's Mogull. "You don't want to do anything crazy, but you probably want to buy a federated identity broker. Most people want a Web portal to bounce them into their environment."
Yet, companies should not try to tackle combining on-premises identities with cloud identities unless there is an easy path. "On-premise remains on-premise," he said. "You manage that the way you have been managing it."
5. Use visibility to manage cloud more effectively and securely
Along with consolidating identity and making data protection more consistent, companies need to gain visibility into how those components connect with workloads.
Gaining visibility into who is running what workloads on which data is a key step towards improving management of overall infrastructure and being aware of potential security issues.
"That is probably the most difficult thing to get a grip on," said David Linthicum, an independent cloud-management consultant. "That is going to be something that the enterprise itself has to figure out."
A key tool for companies looking for more visibility is to focus on building out automation to collect log files and process them. Yet, while companies may have hopes that they will be able to see everything going on across their network and their cloud infrastructure, that will often not be true, according to Mogull.
6. Refine policies and identify rule breakers
With users mapped to single identities and the company gaining more visibility with each iteration of its cloud project, the company should focus on refining its policies. By applying a unified set of policies across both cloud and on-premises architecture, IT security teams can—at a high level—simplify the security picture, said McAfee's Gupta.
"You define the policies irrespective of where the data is residing and map the policy to the specific service or storage medium," he said. "Data shared over Exchange will have different rules than data shared over Slack—but the policy is the same."
The policies, along with efforts to increase visibility, also give the company a better chance to catch anomalous behavior. By setting rules, and looking for bad behavior, IT security teams can detect attackers before they have time to do damage.
7. Metrics help reduce complexity and improve management
To improve security with every iteration, and with every cloud project, requires that companies have data on how well they are doing. Measuring success is important. For cloud security it can be as simple as how many cloud services are being used and how many are being covered by security policies.
Without the metrics, however, managing the hybrid infrastructure is impossible, said Linthicum.
"Do you want a dashboard on your car that you are driving down the street? Yes, you do," he said.
Visibility become even more important as a company's cloud projects scale up in size, he said. "The complexity issues will only become larger," Linthicum said. "I would advise that corporations and the government get ahead of it, before it becomes a major problem."