Developing a Secure Hybrid Environment

A thoughtful approach to security can succeed in mitigating many security risks. Here are some pointers about how to develop a secure hybrid environment.

Assess your current state

In a hybrid environment, security starts with assessing your current state. We recommend that you begin by answering a set of questions that can help you form your approach to your security strategy. Here are a few important questions to consider:

- Have you evaluated your own traditional security infrastructure recently?
- How do you control access rights to applications and networks — both those within your company and those outside your firewall? Who has the right to access IT resources? How do you ensure that only the right identities gain access to your applications and information?
- Can you identify web application vulnerabilities and risks and then correct any weaknesses?
- Do you have a way of tracking your security risk over time so you can easily share updated information with those who need it?
- Are your server environments protected at all times from external security threats?
- Do you maintain your own keys, if you are using encryption, or do you get them from a trusted, reliable provider? Do you use standard algorithms?
- Are you able to monitor and quantify security risks in real time?
- Can you implement security policies consistently across all types of on-premises and cloud architectures?
- How do you protect all your data no matter where it’s stored?
- Can you satisfy auditing and reporting requirements for data in the cloud?
- Can you meet the compliance requirements of your industry?
- What is your application security program?
- What are your disaster and recovery plans? How do you ensure service continuity?

Assess your cloud vendor

A hybrid cloud environment poses a special set of challenges when it comes to security and governance. Hybrid clouds utilize your own infrastructure plus that of your service provider. For example, data may be stored on your premises but processed in the cloud. This means that your own on-premises infrastructure may be connected to a more public cloud, which is going to affect the kinds of security controls you need to have in place.

Controls must be in place for perimeter security, access, data integrity, malware, and the like — not only at your location, but also with your cloud provider. Cloud service providers each have their own way of managing security. They may or may not be compatible with the compliance and overall security plan of your organization. It’s absolutely critical that your company not bury its head in the sand by assuming that the cloud provider has security covered.

Remember: You need to verify that your cloud provider ensures the same level of security that you demand internally (or a superior level, if you’re looking to improve your overall security strategy). You must ask a lot of hard questions to guarantee that your company’s security and governance strategy can be integrated with your provider’s.

Tip: Here are some tips that can get you started and that may also be useful in assessing your security strategy:

- Ask your cloud provider what kind of companies they service. Also ask questions about system architecture in order to understand more about how multi-tenancy is handled.
- Visit the facility unannounced in order to understand what physical security measures are in place. According to the CSA, this means walking through all areas, from the reception area to the generator room and even inspecting the fuel tanks. You also need to check for perimeter security (for example, check how people access the building) and whether the operator is prepared for a crisis (for example, fire extinguishers, alarms, and the like).
- Check where the cloud provider is located. For example, is it in a high-crime area or an area prone to natural disasters such as earthquakes or flooding?
- What sort of up-to-date documentation does the cloud provider have in place? Does it have incident response plans? Emergency response plans? Backup plans? Restoration plans? Background checks of security personnel and other staff members?
- What sort of certifications does the provider have in place? Do cloud security personnel have certifications such as CISSP, CISA, and ITIL? Find out which third parties have done a review.
- Find out where your data will be stored. If your company has compliance regulations it must meet about data residing in foreign countries, this is important to know. Refer to Chapter 11 for more about data management issues.
- Find out who will have access to your data. Also check to see how data will be protected.
- Find out more about the provider’s data backup and retention plans. You will want to know if your data is co-mingled with other data. If you want your data back when you terminate your contract, these issues may be important.
- How will your provider prevent denial-of-service (DoS) attacks?
- What sort of maintenance contracts does your provider have in place for its equipment?
- Does your cloud provider utilize continuous monitoring of its operations? Can you have visibility into this monitoring capability?
- How are incidents detected? How is information logged?
- How are incidents handled? What is the definition of an incident? Who is your point of contact at your service provider? What are the roles and responsibilities of team members?
- How does your provider handle application security and data security?
- What metrics does your cloud provider monitor to ensure that applications remain secure?

This list proposes a lot of questions, and we don’t expect you to be able to answer them in a few seconds. We present them because the information you’ll gather should be the foundation for assessing your current security environment.

Given the importance of security in the cloud environment, you might assume that a major cloud service provider will have a set of comprehensive service level agreements for its customers. In fact, many of the standard agreements are intended to protect the service provider — not the customer. So, your company really must understand the contract as well as the infrastructure, processes, and certifications your cloud provider holds.

Tip: You must clearly articulate your cloud security requirements and governance strategy and determine accountability. If your cloud provider doesn’t want to talk about these items, you should probably consider a new cloud provider. On the other hand, your cloud provider may actually have some tricks up its sleeve that can improve your own security! In fact, it probably does.

Completing this assessment will give you a lot to think about. At that point, you’ll have an idea about the strengths and weaknesses in your own security environment, as well as any issues you need to discuss with your cloud provider. You’ll have a better idea of the tools and techniques you may have to put in place, both on your own premises as well as in the cloud. And, your provider may surprise you. Cloud providers are now making it their business to understand the ins and outs of security. This means that you should not be surprised if they have a much better handle on security than you do! Here are some additional pointers:

- If your company is large and you are implementing a complex cloud environment, it makes sense to have security people on staff who can help you do your assessments and assess security products.
- In most circumstances, approach cloud security from a risk-management perspective. If your organization has risk-management specialists, involve them in cloud security planning.
- Try to create general awareness of security risks by educating and warning staff members about specific dangers. It is easy to become complacent; however, threats come from within and from outside the organization.
- Regularly have external IT security consultants check your company’s IT security policy and IT network, as well as the policies and practices of all your cloud service providers.
- Stay abreast of news about IT security breaches in other companies and the causes of those breaches.
- Continue to review backup and disaster-recovery systems in light of your security strategy. Apart from anything else, security breaches can require complete application recovery.
- Review your governance strategies on an ongoing basis to make sure that your cloud security strategy is enforced. We discuss governance in the next section.
