The 2020 COVID-19 pandemic became a catalyst for digital transformation since its onset. Enterprises are moving fast to adopt â€˜cloud-first’ strategy. An estimated 50% of workloads will run in the cloud by 2023, revealsOpens a new window a Spiceworks Ziff Davis study. While hybrid cloud adoption is rising at a meteoric speed as more organizations embrace remote work, cyberattacks and data security challenges in the cloud need an in-depth analysis. According to Statista, 21% of hybrid cloud customers wish for improvements in security and risk reduction in the technology.
â€œCyberattacks are often successful because they take advantage of a vast supply chain of technology vendors, and exploit vulnerabilities created through misconfiguration or insecure practices,â€ explains Nataraj Nagaratnam, chief technology officer, cloud security, IBM Cloud. â€œAlso, enterprises are challenged with taking effective measures to protect their data and to achieve continuous detection and response to their security and compliance posture.â€
As organizations deploy critical workloads and data into the cloud, it becomes essential for enterprises to reflect on the widespread adoption of hybrid cloud. In this exclusive chat with Toolbox, top cloud leaders, discuss the key infrastructure challenges enterprises need to address to protect data in hybrid cloud and the emerging best practices for adhering to security compliance and auditing requirements in the cloud:
1. Start With Centralized Authorization and Access Control Across Hybrid Cloud Environments
â€œI would start with centralized authorization and access control across the environments which is key to avoid privilege creep and orphaned accounts. From there, automate everything. Infrastructure and security as code are going to quickly become table stakes for managing the myriad of capabilities and compliance requirements in a hybrid environment. This will necessitate choosing tools that are cloud agnostic where possible to maximize reusability and minimize overhead.
â€œEnterprises must also build or acquire capability to collate output from multiple systems into centralized reporting. They must also audit visibility capability as data traverses network and storage infrastructure across multiple security zones and cloud environments.â€
2. Build Data Centric Protection on Zero Trust Architectures in Hybrid Cloud
â€œAs reliance on data grows in the hybrid cloud era, there’s increased commitment to security across industries, especially in highly-regulated sectors. An industry-specific approach is needed to address unique regulatory compliance and security needs.
â€œBest practices include:
- Data centric protection built on zero trust architectures: Deliver unique data protection technologies, such as Keep Your Own Key, built on confidential computing.
- Continuous detection and response: Include capabilities to monitor security posture with built-in controls and profiles.â€
3. Calibrate Hybrid Cloud Security By Integrating Detailed Logs Into SIEM and UEBA Apps
â€œYour cloud provider must provide as good, if not better data protection, auditing, and compliance capabilities than what their customer supports on-premise. This means, detailed transaction, configuration, and user logs are critical to maintaining forensic insight into how, where, when, and by whom the data is accessed and used. Integrating these detailed logs into security information and event management (SIEM) and/or user and entity behavior analytics (UEBA) applications is essential to continuously calibrate the security and privacy controls of each cloud application used.â€
4. Train Resources To Plan for a Transition to Hybrid Cloud
â€œEnterprises should acknowledge that this is a transformation journey. They should invest in the training of resources to plan for a transition to a hybrid cloud and establish a clear strategy in executing against the required storage, bandwidth, and number of connections systems will have in order to properly budget for the cloud system and service usage based on pay-as-you-go models.â€
â€œA key challenge to address will be ensuring that the organization has created proper governance by creating a Cloud Center of Excellence (CCE) which would include committees that make financial decisions, provide leadership, seek and communicate guidance from qualified security consultants. Enterprises should maintain management of cloud administration and ensure deployment follows the proper approvals to solidify that process controls are followed to meet security and compliance requirements.â€
5. Keep Encryption Keys Outside the Hybrid Cloud With External Key Management
â€œA best practice for securing data at cloud scale is encryption. Encryption decouples security from infrastructure, keeping data secure anywhere, even when the underlying cloud infrastructure is insecure. Enterprises that encrypt their sensitive data, need an external key management service that keeps encryption keys outside the cloud.
â€œCloud providers that don’t have access to keys can’t be legally compelled to provide data, nor can unauthorized get access to the data. With external key management, enterprises can keep their most valuable data both secure and useable.â€
6. Ensure Hybrid Cloud Infrastructure Is Consistently Patched To Meet NIST Standards
Ciaran ChuOpens a new window , head of cloud, ACI WorldwideOpens a new window
â€œEnterprises should identify holistic business strategies that encompass strong business outcomes, cloud security best practices and guidelines that are offered by cloud service providers, specific vendors, and known industry standard organizations such as PCI, International Organization for Standardization (ISO), and National Institute of Standards and Technology (NIST).
â€œI recommend starting with NIST, cloud security alliance, and cloud security controls matrix. And, then review the cloud service provider’s best practice documentation, training and tools offered to assist with those transitions. Enterprises could also use a qualified third party for consulting offerings on cloud architecture, design, or compliance.â€
â€œIt all starts with the ability to support consistent governance regardless of where data is maintained and processed.Â Governance also includes the ability to maintain dominion, control, and visibility over data while meeting various regulatory compliance requirements. Lastly, supply chain risk is sometimes overlooked.
â€œThe ability for your cloud partner to ensure the infrastructure hardware and software are consistently patched to meet acceptable standard practices (NIST, PCI, etc.) is also essential for a sound hygiene approach.â€
7. Meet Data Protection Needs Based on the Hybrid Cloud Provider’s Data Storage Locations
â€œWhat will be key is making sure that data protection requirements are being met based on the cloud provider’s data storage locations. Planning a cloud deployment must include making sure that personal data and transactions remain in a specific country and not be transferred out, the cloud design includes storage of that data and the controls to keep that data in those regions.
â€œVisibility across platforms and tooling bifurcation are two significant challenges to the hybrid cloud model. Many of the best-in-class solutions for management, visibility, monitoring, and reporting are point specific tools that provide great coverage in a single cloud platform and either limited or no coverage in other platforms. When supporting multiple cloud environments, enterprises are often forced to use multiple tools to do the same job in different parts of their infrastructure or forego enhanced capabilities that help them achieve their security goals. This makes it more difficult to correlate events, streamline incident response and alerting or provide consolidated reporting to the business.â€
Moving Workloads and Applications to Hybrid Cloud Successfully
Businesses need to adopt hybrid cloud technologies to keep pace with the developing technology environment. Interestingly, SWZD also reveals that more than two-thirds of all companies plan to adopt at least one new cloud technology by 2023, which explains the growing popularity for cloud services.
Yet keeping data and workloads secure in the cloud is critical to call any hybrid cloud adoption a success. Talking about successfully moving data and apps to cloud, Kumar also feels that organizations are finding their data becoming fragmented across multiple clouds, databases, and SaaS applications.
â€œTraditional security solutions don’t work when you don’t control the infrastructure, yet keeping all this data secure and private is critical for successful digital transformation. Regulations like GDPR / Schrems II further require enterprises to secure their data without trusting the cloud providers,â€ he added.
How is your company embracing these hybrid cloud adoption best practices to tackle security, risk, and compliance challenges? Share it with us on Â LinkedInOpens a new window ,Â TwitterOpens a new window , orÂ FacebookOpens a new window .Â