Technical controls are the heart of hybrid cloud security. The centralized management of a hybrid cloud makes technical controls easier to implement.
Some of the most powerful technical controls in your hybrid cloud toolbox are encryption, automation, orchestration, access control, and endpoint security.
Encryption
Encryption greatly reduces the risk that any readable data would be exposed even if a physical machine is compromised.
You can encrypt data at rest and data in motion. Here’s how:
Protect your data at rest:
Full disk (partition encryption) protects your data while your computer is off. Try the Linux Unified Key Setup-on-disk (LUSK) format which can encrypt your hard drive partitions in bulk.
Hardware encryption that will protect the hard drive from unauthorized access. Try the Trusted Platform Module (TPM), which is a hardware chip that stores cryptographic keys. When the TPM is enabled, the hard drive is locked until the user is able to authenticate their login.
Encrypt root volumes without manually entering your passwords. If you have built a highly automated cloud environment, build upon that work with automated encryption. If you are using Linux, try the Network Bound Disk Encryption (NBDE), which works on both physical and virtual machines. Bonus: make TPM part of the NBDE and provide two layers of security (the NMDE will help protect networked environments, while the TPM will work on premises).
Protect your data in motion:
Encrypt your network session. Data in motion is at a much higher risk of interception and alteration. Try the Internet Protocol Security (IPsec) which is an extension of the Internet Protocol that uses cryptography.
Select products that already implement security standards. Look for products that support the Federal Information Processing Standard (FIPS) Publication 140-2 which uses cryptographic modules to protect high-risk data.
Automation
To appreciate why automation is a natural fit for hybrid clouds, consider the drawbacks of manual monitoring and patching.
Manual monitoring for security and compliance often has more risks than rewards. Manual patches and configuration management risk being implemented asynchronously. It also makes implementing self-service systems more difficult. If there is a security breach, records of manual patches and configurations risk being lost and can lead to team in-fighting and finger-pointing. Additionally, manual processes tend to be more error prone and take more time.
Automation, by contrast, allows you to stay ahead of risks, rather than react to them. Automation gives you the ability to set rules, share, and verify processes which ultimately make it easier to pass security audits. As you evaluate your hybrid cloud environments, think about automating the following processes:
Monitoring your environments
Managing your data
Checking for compliance
Implementing patches
Implementing custom or regulatory security baselines
Orchestration
Cloud orchestration goes a step further. You can think of automation as defining specific ingredients, and orchestration as a cookbook of recipes that bring the ingredients together.
Orchestration makes it possible to manage cloud resources and their software components as a single unit, and then deploy them in an automated, repeatable way through a template.
Orchestration’s biggest boon to security is standardization. You can deliver the flexibility of the cloud while still making sure the systems deployed meet your standards for security and compliance.
Access control
Hybrid clouds also depend on access control. Restrict user accounts to only the privileges they need and consider requiring two-factor authentication. Limiting access to users connected to a Virtual Private Network (VPN) can also help you maintain security standards.
Endpoint security
Endpoint security often means using software to remotely revoke access or wipe sensitive data if a user’s smartphone, tablet, or computer gets lost, stolen, or hacked.
Users can connect to a hybrid cloud with personal devices from anywhere, making endpoint security an essential control. Adversaries may target your systems with phishing attacks on individual users and malware that compromises individual devices.
We’re listing it here as a technical control, but endpoint security combines physical, technical and administrative controls: Keep physical devices secure, use technical controls to limit the risks if a device falls into the wrong hands, and train users in good security practices.