Options for Hybrid Cloud Security
In this article, we explore shared responsibility models for hybrid cloud management, along with cyber insurance security controls.
January 11, 2023
Not every company has a multi-cloud or hybrid cloud presence today, and the deciding factor is usually cloud security. As cloud vendors roll out new Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) offerings, some enterprises will find it hard not to migrate, but only if security controls are in place to protect data that their security teams cannot access directly.
Security was the top reason respondents use multiple clouds as they try to balance performance and scale, according to Cisco’s 2022 Global Hybrid Cloud Trends Report by 451 Research. The report highlights that hybrid cloud gives enterprises more security options by facilitating the rollout of segmentation. Hybrid cloud also enhances isolation by using different cloud providers for different workloads, according to the report.
More than 80% of the 2,500 survey respondents have adopted a hybrid cloud, while 92% use more than two public cloud providers. And 80% say more than half of their workloads will run on different hardware across all environments, reinforcing the need for a comprehensive toolset for managing workloads.
Another key finding from the study: hybrid cloud is now the norm among enterprises. Here’s why:
manage security,
enhance application development, and
improve business agility (choosing the best location for each workload).
Adopting a hybrid cloud and shared responsibility
Organizations planning to adopt a hybrid cloud should create a shared responsibility model that maps security controls for the IaaS, PaaS, and SaaS deployment models, said Doug Glair, director of cyber security with ISG, a global technology research and advisory firm.
While most organizations eventually learn this theoretical shared responsibility concept, many still need to test their shared responsibility models against real-life cybersecurity threat use cases with their own applications and vendors, he said.
Although vendors like to boast about products meeting “best practices,” cybersecurity defenses are changing rapidly as ransomware, state-sponsored attacks, and other cyber threats increase in sophistication. Security teams today need to look beyond yesterday’s best practices to determine if more aggressive security steps need to be taken.
“While counter-intuitive, the most important consideration in building a secure datacenter is simplicity,” said Ugur Tigli, CTO of MinIO. “The underlying technology may be remarkably sophisticated, [but] the deployment, configuration, management and performance of the security software needs to be simple - otherwise that becomes the vulnerability.”
Managing day-two security needs to be simple and performant, he noted. “Security that imposes performance constraints is security that is architected out or compromised for performant workloads. This matters for data at rest and data in flight.”
Implementing cyber insurance security controls
Some cyber insurance brokers and carriers determine whether to cover a company based on the cybersecurity controls they have in place. Lists of insurer-provided controls can be helpful as a starting point for identifying the controls that an organization should have in place, said Daniel Chan, CTO for Marketplace Fairness. However, these lists are not necessarily comprehensive and might not reflect the specific risks and needs of every organization. Industry-specific compliance controls could take precedence over insurer-required controls.
“Nearly all organizations today are having to contend with a hybrid data center model, including the management of on-prem and cloud-based data,” noted Cliff Madru, vice president of Global Digital Operations at Iron Mountain. “They are likely dealing with substantial challenges and risks as it relates to data protection. Many are likely dealing with data sprawl, shadow IT and many of the other data management challenges associated with these types of environments.”
Although cloud providers might not be able to share exacting details of their entire operation, look for providers that meet or exceed your defined standards, he continued. Among the essential data security standards your provider should be able to demonstrate it follows are ISO 27001, SOC 2 (System and Organization Controls) Type 2, the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and US FedRAMP.
To verify compliance, ask providers or third-party assessment organizations for attestation letters confirming that these standards are met for data that is not within your direct control.