Pointers for a Secure Hybrid Cloud

By CIOReview | Monday, July 11, 2016

Before the information age, individuals and monarchies used post pigeons to transmit information, from the Iron Age until World War. Risks such as the loss of information when pigeons could not navigate in bad weather, or the disclosure of critical information to foes, always vexed the carriers of vital information. These risks could have a severe impact on forthcoming events, causing great loss or a black eye for the victims.

Such vexations have travelled along with time and the evolution of technology, compelling IT organizations to optimize their IT budgets for quality delivery of services and products. Apart from reducing infrastructure costs, shaping IT management, and boosting the quality of service delivery, IT companies are bewildered by the unprecedented competition in today’s business world.

The advent and inclusion of hybrid cloud technology in the mainstream is the silver lining for various organizations, as it holds the potential to solve the aforementioned exigencies. The only thing stirring the hornet’s nest here is the security problem. “Hybrid cloud brings new capabilities as well as security concerns,” as John Pescatore, former VP and distinguished analyst at Gartner Research, put it in Key Issues for Securing Public and Private Cloud Computing. He added, “The use of public and private cloud technologies raises security and management challenges, but none of that are impossible to meet. In order to effectively and efficiently secure the use of cloud computing, enterprises need to match threats and business demands with the right management security approach. Public, private, and hybrid cloud technologies will also present opportunities to develop new architectures and processes that will advance security and management capabilities in ways that were not possible with physical computing restrictions.”

Hybrid cloud lets you reap the benefits of both private and public cloud, leading to a flexible cloud infrastructure model. It offers the scalable and cost-effective approach that public cloud provides, along with the privacy and the strategic decisions over allocating on- and off-premises operations that are an inherited trait of private cloud. The outcome of hybrid cloud differs from industry to industry, and so do its safety concerns. But some security issues are common among organizations adopting cloud: the security of data when migrating to the cloud; the protection of data that resides in the cloud; and the impact on the work cycle if data protection and recovery practices fail. With due diligence and solid knowledge, organizations can reap the advantages of hybrid cloud to bring added value and innovation to their business.

Migrating to Cloud

Companies can migrate to cloud efficiently and securely by combining in-house cloud knowledge with the cloud service provider’s migration expertise, aided by proven technologies like secure tunnels and VPNs. Amid this, the greatest challenge is the classification of existing and new application workloads. Usually, internal IT infrastructure and cloud infrastructure have remarkable differences. Eliminating such discrepancies is achievable, but in some cases only partially. Data can be highly sensitive at times, such as confidential health record datasets, which could end up in a ‘hanging by a thread’ position if kept in the public cloud. So, classifying workloads by their security requirements can help sort them into groups. These groups can act as a guide to whether any specific workload will be compliant with security policies if it is run outside the corporate firewall. By determining the security requirements of the data, the cloud model most appropriate for the organization can be selected under the counsel of an experienced cloud service provider.

“A key part of our cloud migration strategy was working with our legal department to define a new information security framework, which was launched in early 2014,” says Ed Happ, global CIO of the International Red Cross and Red Crescent Societies in Geneva, Switzerland. In 2013, the organization extended its agreement with Microsoft to move as many as 80 of its 187 National Societies to cloud computing services, including Microsoft Office 365. The goal was to free up capacity and IT spending, and provide smaller National Societies around the world with access to the same tools.

Compliance Requirements and SLAs

Organizations are concerned with the kind of security controls they require in their hybrid cloud environment. Some companies are hesitant to use public cloud, considering that it might not be able to meet their security and compliance requirements to keep the data safe. On the other hand, companies doubt whether private cloud can live up to the expectations detailed in the service-level agreement (SLA). One of the solutions is to create SLAs based on the cloud which forebodes to a lesser extent.

To make certain that the right security provisions are incorporated in hybrid cloud SLAs and contracts, and that the right assistance is delivered to ensure compliance, it is important to read the SLA carefully. Enterprises have to make sure that the cloud service provider addresses compliance and security at the environment and user levels. Ensure that the provider is certified for various standards, including Sarbanes-Oxley and AT 101 compliance. Industries with specific requirements should work with the cloud service provider to prepare solutions that align with their specific guidelines.

Security and Protection

If all the resources of the company are only one username and password away, then it makes complete sense to implement multifactor authentication (MFA) and single sign-on (SSO) methods to protect your assets. Many SSO products automate logins for large numbers of applications. A few SSO tools, such as Centrify, Okta, Ping and SecureAuth, identify MFA for particular applications as part of a risk-based authentication approach. Such features make SSO a great protective tool, and it can make logins safer and better than relying on users to choose their own passwords.

Security protections such as authentication, authorization and identity management need to function efficiently in both private and public cloud. Integrating hybrid cloud security protocols can be achieved in two ways: (a) use an ID management service that provides a single service to systems running in either private or public cloud, or (b) mirror controls in both clouds and keep security data synchronized.

Hybrid cloud service providers must follow practices such as segregating customers first at the network level and then using multi-tenant technologies to check on overall segregation at the storage level, so that the infrastructure remains undisturbed and there is no overlap between customers.

Business Continuity

Enterprises are concerned about turning their data over to a service provider, fearing impairment to business continuity. A wrong choice of service provider can severely affect employee productivity, client satisfaction, and profitability through downtime while an issue is fixed. The hybrid cloud service should be architected for high availability, and providers should improve on current disaster recovery programs. This can be achieved by replicating data across geographically distributed servers, which in turn reduces the chances of data loss. The hybrid cloud protocols should include methodical data duplication to offsite disk storage while providing on-demand restoration.