Hybrid cloud security is the protection of the data, applications, and infrastructure associated with an IT architecture that incorporates some degree of workload portability, orchestration, and management across multiple IT environments, including at least 1 cloud—public or private.
Hybrid clouds offer the opportunity to reduce the potential exposure of your data. You can keep sensitive or critical data off the public cloud while still taking advantage of the cloud for data that doesn’t have the same kinds of risk associated with it.
Why choose hybrid cloud for enhanced security?
Hybrid clouds let enterprises choose where to place workloads and data based on compliance, audit, policy, or security requirements.
While the various environments that make up a hybrid cloud remain unique and separate entities, migrating between them is facilitated by containers or encrypted application programming interfaces (APIs) that help transmit resources and workloads. This separate—yet connected—architecture is what allows enterprises to run critical workloads in the private cloud and less sensitive workloads in the public cloud. It’s an arrangement that minimizes data exposure and allows enterprises to customize a flexible IT portfolio.
Hybrid cloud security, like computer security in general, consists of three components: physical, technical, and administrative.
Physical controls are for securing your actual hardware. Examples include locks, guards, and security cameras.
Technical controls are protections designed into IT systems themselves, such as encryption, network authentication, and management software. Many of the strongest security tools for hybrid cloud are technical controls.
Finally, administrative controls are programs to help people act in ways that enhance security, such as training and disaster planning.
Hybrid clouds can span multiple locations, which makes physical security a special challenge. You can’t build a perimeter around all your machines and lock the door.
In the case of shared resources like a public cloud, you may have Service Level Agreements (SLAs) with your cloud provider that define which physical security standards will be met. For example, some public cloud providers have arrangements with government clients to restrict which personnel have access to the physical hardware.
But even with good SLAs, you’re giving up some level of control when you’re relying on a public cloud provider. This means other security controls become even more important.
Technical controls are the heart of hybrid cloud security. The centralized management of a hybrid cloud makes technical controls easier to implement.
Some of the most powerful technical controls in your hybrid cloud toolbox are encryption, automation, orchestration, access control, and endpoint security.
Encryption greatly reduces the risk that any readable data would be exposed even if a physical machine is compromised.
You can encrypt data at rest and data in motion. Here’s how:
Protect your data at rest:
Full disk (partition encryption) protects your data while your computer is off. Try the Linux Unified Key Setup-on-disk (LUSK) format which can encrypt your hard drive partitions in bulk.
Hardware encryption that will protect the hard drive from unauthorized access. Try the Trusted Platform Module (TPM), which is a hardware chip that stores cryptographic keys. When the TPM is enabled, the hard drive is locked until the user is able to authenticate their login.
Encrypt root volumes without manually entering your passwords. If you have built a highly automated cloud environment, build upon that work with automated encryption. If you are using Linux, try the Network Bound Disk Encryption (NBDE), which works on both physical and virtual machines. Bonus: make TPM part of the NBDE and provide two layers of security (the NMDE will help protect networked environments, while the TPM will work on premises).
Protect your data in motion:
Encrypt your network session. Data in motion is at a much higher risk of interception and alteration. Try the Internet Protocol Security (IPsec) which is an extension of the Internet Protocol that uses cryptography.
Select products that already implement security standards. Look for products that support the Federal Information Processing Standard (FIPS) Publication 140-2 which uses cryptographic modules to protect high-risk data.
To appreciate why automation is a natural fit for hybrid clouds, consider the drawbacks of manual monitoring and patching.
Manual monitoring for security and compliance often has more risks than rewards. Manual patches and configuration management risk being implemented asynchronously. It also makes implementing self-service systems more difficult. If there is a security breach, records of manual patches and configurations risk being lost and can lead to team in-fighting and finger-pointing. Additionally, manual processes tend to be more error prone and take more time.
Automation, by contrast, allows you to stay ahead of risks, rather than react to them. Automation gives you the ability to set rules, share, and verify processes which ultimately make it easier to pass security audits. As you evaluate your hybrid cloud environments, think about automating the following processes:
Monitoring your environments
Checking for compliance
Implementing custom or regulatory security baselines
Cloud orchestration goes a step further. You can think of automation as defining specific ingredients, and orchestration as a cookbook of recipes that bring the ingredients together.
Orchestration makes it possible to manage cloud resources and their software components as a single unit, and then deploy them in an automated, repeatable way through a template.
Orchestration’s biggest boon to security is standardization. You can deliver the flexibility of the cloud while still making sure the systems deployed meet your standards for security and compliance.
Hybrid clouds also depend on access control. Restrict user accounts to only the privileges they need and consider requiring two-factor authentication. Limiting access to users connected to a Virtual Private Network (VPN) can also help you maintain security standards.
Endpoint security often means using software to remotely revoke access or wipe sensitive data if a user’s smartphone, tablet, or computer gets lost, stolen, or hacked.
Users can connect to a hybrid cloud with personal devices from anywhere, making endpoint security an essential control. Adversaries may target your systems with phishing attacks on individual users and malware that compromises individual devices.
We’re listing it here as a technical control, but endpoint security combines physical, technical and administrative controls: Keep physical devices secure, use technical controls to limit the risks if a device falls into the wrong hands, and train users in good security practices.
Lastly, administrative controls in hybrid cloud security are implemented to account for human factors. Because hybrid cloud environments are highly connected, security is every user’s responsibility.
Disaster preparedness and recovery are an example of an administrative control. If part of your hybrid cloud is knocked offline, who’s responsible for what actions? Do you have protocols in place for data recovery?
Hybrid architecture offers significant advantages for administrative security. With your resources potentially distributed among on-site and off-site hardware, you have options for backups and redundancies. In hybrid clouds that involve public and private clouds, you can fail over to the public cloud if a system on your private data center cloud fails.
IT security takes time and needs iteration. The security landscape is always changing. Instead of putting pressure on yourself to get to a state of perfect security (which does not exist), focus on placing one foot in front of the other and taking reasonable, well-thought-out actions to make you more secure today than you were yesterday.