For a growing number of organizations, IT environments encompass a blend of public cloud services, private clouds, and on-premises infrastructure—with the latter becoming an ever-smaller portion of the mix.
The past two years have seen a major uptick in the use of cloud services, and the trend shows no signs of slowing. An April 2021 report by research firm Gartner forecast that worldwide spending on public cloud services will grow 23% this year.
Emerging technologies such as containerization, virtualization, and edge
computing are becoming more mainstream and driving cloud spending, the report said. Software as a service (SaaS) remains the largest market segment.
Rather than deploying one type of cloud service, companies are opting for a mix to meet their business goals. The hybrid cloud model can deliver unprecedented flexibility for businesses. They can shift capacity up or down as needed and move data and workloads to and from any number of cloud services. Hybrid cloud also presents cybersecurity risks that if left unaddressed can lead to significant losses.
Here are the five top challenges security leaders and teams face with the hybrid cloud model and how they can address them.
As companies deploy more public cloud services and add private cloud capabilities, their IT environments are becoming much more complex from a management and security standpoint. Without taking steps to monitor usage of the services, they lose visibility of what’s going on in this environment.
“A hybrid environment naturally introduces more complexity; there are just so many more ‘windows and doors’ to lock, and more security maintenance—patching, etc.—to perform,” says Chris Kanaracus, research director for dedicated and hybrid cloud infrastructure/services at research firm International Data Corp. (IDC). “We have seen so many high-profile media stories about data leaks caused by human error [such as] misconfigured storage buckets on public clouds.”
The Cloud Security Alliance (CSA), an organization that defines standards, certifications, and best practices to help ensure a secure cloud computing environment, cited misconfiguration and inadequate change control, and limited cloud usage visibility as being among the top threats to cloud computing in 2020.
The preponderance of cloud services will often require a change in how organizations approach security. “While choosing a hybrid cloud environment can offer organizations choice and flexibility, it also means IT leaders need to re-evaluate their security practices and consider how they may need to be adapted,” says Mandy Andress, the CISO of Elastic, a provider of online search products. “The saying, ‘You can’t secure what you can’t see,’ is especially true in hybrid cloud architectures. “Mixing public and private clouds or infrastructure can increase complexity and heighten an organization’s risk, making visibility and control paramount to securing a distributed system.”
The severe shortage of cybersecurity skills has been well documented. Many organizations are struggling to find people to fill a variety of roles, but identifying and hiring security professionals who also understand the cloud takes the challenge to a whole other level. This cloud security knowledge gap can leave enterprises exposed to risk, and they need to find ways to close the gap before it’s too late.
One way is to offer internal and external training. It takes a concerted effort between business lines, cybersecurity leadership and team, training, and human resources to develop a curriculum and multi-modal training paths for continual skills growth to support a complex hybrid cloud environment, says Vikram Kunchala, risk and financial advisory cyber cloud leader and principal at consulting firm Deloitte.
“It is vital to note that most non-technology organizations and non-cloud service providers are competing for the same cloud talent pool,” Kunchala says. “As such, hiring is a challenge and [companies] should not solely rely on it as an option. Developing training programs to up-skill/cross-skill current employees can help in this area.”
Strong governance is another key component in a hybrid cloud environment, Kunchala says. Having a well-defined responsibility matrix and operational models can alleviate concerns and enable effective governance. “Monitoring metrics provide visibility into the efficacy of various security teams and effectiveness of controls implemented,” he says.
CISOs and other security leaders “need to consider the efficiency of their people resources and skills usage,” Andress says. “In a hybrid cloud environment, security teams might need to learn the security functions of two [or more] cloud services.”
The responsibility of putting in place controls around perimeter security, infrastructure, and virtualization incrementally shifts to cloud providers in a public cloud ecosystem, so understanding the changing security shared responsibility model is vital, Kunchala says. “Organizations attempt to extend private cloud security controls and technology stack to public clouds, which does not work in some cases,” he says. “Not having a clearly defined [responsibility assignment matrix] and/or operating model in a hybrid cloud ecosystem leaves room for unmitigated threats and unaddressed capabilities that prevent the organization from scaling and meeting business goals.”
Despite the importance of knowing and following the shared responsibility model that comes with the use of cloud services, it’s not something all companies are doing. “The shared responsibility model used by public cloud companies is something many enterprises still grapple with keeping top of mind,” Kanaracus says.
Network security is a key area where organizations continue to be challenged, as existing vendor tools supporting private cloud might not be suitable for public clouds, Kunchala says. “Organizations leverage containers for seamless transition and management across hybrid cloud, and not understanding the nuances like service mesh and API security [can] lead to potential compromise of containers and further exploitation.”
Most public cloud-based security tool vendors support private cloud environments, Kunchala says. “But traditional vendor tools purpose built for on-premises or private cloud may not extend or provide full features for public cloud,” he says. “Vendor analysis is key and should be performed once all requirements and use cases have been identified.”
In a hybrid cloud environment, log sources are spread across on-premises systems, public cloud systems, vendor tools, and cloud-native services, Kunchala says. “It is critical to identify log telemetry [and] build metrics for monitoring.” Organizations need key performance indicators (KPIs) for operational- and functional-level metrics and key risk indicators (KRIs) for executive reporting, he says.
“However, maturation of logging and monitoring capabilities is a one- to two-year journey, which takes a number of steps and tools for processing logs and correlating across multiple sources to arrive at defined metrics,” Kunchala says. The end goal is to develop custom reporting dashboards to cater to executives, to help them understand the residual risk and impact of cloud services, he says. Meanwhile, operational teams will gain full visibility into advanced persistent threats across the landscape.