Hybrid cloud security: it’s your responsibility!

A new article from Steven Heyde, Regional Director Trend Micro Benelux

Over the last few years, whenever VMware has held its annual user event VMworld, the concept of hybrid cloud has been discussed at length. The topic is still the same, but the questions have gradually shifted from ‘how do I prepare for the hybrid cloud when it arrives?’ to ‘the hybrid cloud is already here. How do I deal with it?’.

Indeed, nearly every Belgian and Luxembourg organization is already using some form of hybrid cloud. Next to our own internal and/or external servers, we are all using at least some apps in the cloud, ranging from a very specific contact management tool to a complete cloud infrastructure hosting most of our applications and data.

Hybrid cloud is a reality, and most organizations are taking this reality into account when designing their next strategy for their digital infrastructure. These strategies usually evolve towards a hybrid cloud by allowing more and more public services. Starting with one or two public cloud services, they gain experience in integrating both private and public clouds. We see this happen both in private and in public organizations. Think, for instance, of the Belgian government’s initiative to create the G-Cloud, a shared cloud environment for all federal public services that allows for considerable cost savings and efficiencies.

But what about security for such hybrid environments? How should you deal with that aspect? If you are planning to use the hybrid cloud strategically, you should also provide a hybrid cloud security strategy, right? And what should that security strategy look like? Do you just go with the flow and accept whatever security level the cloud provider is offering, like ‘cloud-native’ organizations do? Or are you reluctant to hand over any level of security for whatever application, like most legacy organizations tend to do?

Flexible environments require flexible security

Most organizations are probably somewhere between those two extremes. But we can also safely say that most organizations haven’t thought through what is required to create an effective yet affordable security infrastructure, and a corresponding policy, for their (hybrid) cloud environment. If you want to embrace security, you should consider all aspects of your data and applications. Have you thought about the implications of GDPR when placing data in the cloud? Are you fully aware that any breach of your data in the cloud is ultimately still your responsibility? All these aspects should be considered when drawing up your security strategy.

And we haven’t even started on the complexity of the hybrid cloud yet. Hybrid clouds require a dynamic, flexible approach that tailors the security to your specific context and environment. Hardening your hardware is seldom the best approach here: you need a security solution that automatically applies your security policy to the different environments where your data and apps are being used: in the office, on your smartphone, at home, … Or, to put it simply: if your data moves, your security should move along with it. And your security should be able to adapt to the different forms of cloud as well: your own internal cloud will require entirely different security measures from a public cloud offering such as Amazon AWS or Microsoft Azure. This awareness obviously hasn’t fully reached all organizations, as became very clear during the recent ransomware attack that targeted Office 365 users. Organizations expect the same level of security from their SaaS provider as they used to provide themselves locally, but they have come to realize that this is not always the case, and that they need specialized security solutions to be fully protected against such attacks.

Raising the red flag (once again)

Is this difficult? Technically speaking: no. There are solutions available that are cloud-ready, scalable and mature. But organizationally speaking, cloud security is still a challenge. Many top managers seem to think that moving your infrastructure to the cloud relieves you of all security worries, “because the cloud provider will take care of that”. As indicated above, this is not always the case. But you are ultimately responsible for your own data, so this may create a dangerous situation. In the case of a security incident or breach, it remains your reputation which is at stake. And with GDPR on its way, not only your reputation… Convincing the board that new investments are needed may prove even more challenging, as many security officers have urged for investments in perimeter security, which now proves to be partly obsolete. Why should the board trust the security officer this time? Make sure you are well prepared to provide a detailed account of where the organization’s infrastructure should be heading before claiming any new security budget.

Recently I experienced a completely different approach with a customer who in my opinion really gets it. This company made a strategic decision to reduce the number of datacenters in their infrastructure globally from 70 to 3 before 2019 by enabling the use of public cloud. They initiated the discussions and projects by looking at how infrastructure, security and telecoms will have to change in order to achieve the desired result. By setting this challenging goal and by inviting thought leadership to help them on their cloud journey, they will achieve operational excellence and boost their overall performance.

But no matter how difficult it turns out to be, the investment in adequate and appropriate hybrid cloud security will have to be made. Everyone within your organization will have to understand the importance of security and how it can enable the use of different cloud models without losing control, especially when dealing with the public cloud.

It may be useful to set up a dedicated task force to investigate the requirements and to raise general awareness. That way you can avoid hybrid cloud security becoming an afterthought instead of an integral part of the design, as it should be. And you make sure that awareness is raised company-wide and across departments, which is also key to the success of your security strategy.