Charting a Path to Hybrid Cloud Security

Experts discuss how to protect data across mixed private-public cloud environments today and amid the increased complexity still to come.

By Charlotte Jensen, February 20, 2020

Most IT professionals worldwide consider hybrid cloud the most secure IT operating environment, according to recent research. In a hybrid cloud, some applications and workloads run on private cloud infrastructure, either on-premises or in a third-party hosting environment, while others run in the public cloud.

More than 2,600 IT professionals worldwide who took part in the Nutanix-sponsored 2019 Enterprise Cloud Index survey said hybrid cloud was inherently more secure than on-premises data centers and private clouds. Still, that doesn't mean those who embrace hybrid cloud automatically have data security and compliance sewn up.

The IT professionals surveyed see hybrid cloud as the ideal IT environment because of the flexibility it affords to optimize cost, performance, and other variables workload by workload. However, they expressed concern about the security of what they run in the public cloud portion of the setup.

And though public cloud providers have instituted solid physical security measures and maintain documented, stringent standards for protecting their infrastructure from intrusion, high-profile attacks like the 2019 Capital One breach on AWS remind us that no one is immune: the provider's controls end where the customer's own configuration begins.

“Think of it like your garage,” said Mike Lloyd, CTO of Redseal Networks, a cybersecurity firm in Sunnyvale, Calif. 

“If you’re running out of space, you could rent space from your neighbor’s garage, and this adds some flexibility. The trick with this kind of approach is to make sure ‘your’ part of your neighbor’s garage can only be opened by you. If you’re not careful…you may find that your stuff disappears.”

‘Hybrid’ Equals ‘Complicated’

Moving some workloads to the public cloud to create a hybrid setup isn’t the panacea many imagined it would be for on-prem security struggles. 

“The public cloud threat landscape is vast, which I think people underestimate when it comes to cloud security,” said Harold Bell, cloud specialist and content marketing manager at Nutanix.

“Cloud adopters assume that security is the responsibility of the cloud provider, which can leave organizations vulnerable to internal attack vectors and human error.”

On top of that, hybrid cloud is still new and can be complicated for IT departments used to running legacy infrastructure, according to Lloyd.

“Competitors that are building clouds all offer different services, with different complex details, and different skills required,” he said.

Competing management systems are one issue. Because each vendor innovates and builds its own management layer, effectively maintaining a hybrid environment means that “every IT organization has to become fluent in multiple languages at once,” according to Lloyd. 

“It’s no simple thing to translate between all these languages,” he said.

Lloyd recommends getting the help of “network linguists”, people who specialize in understanding and comparing the different network management interfaces to each other, to ensure that no cracks appear in enterprise management and security policies across cloud borders. That often means bringing in those specialists' technology and automation tools to help with monitoring.
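As an added example of the translation Lloyd describes (this is not code from the article, RedSeal, or Nutanix): the script below reads one policy written in AWS's security-group language and one written in iptables syntax, reduces both to the same rule tuples, and reports where the cloud side of the border is wider than the on-prem side. The security group, the iptables rules, and every port and CIDR value are constructed sample data.

```python
"""Normalize firewall policy written in two management 'languages' into one model and
compare it across the cloud border.

Added example, not RedSeal's or Nutanix's code. Inputs are constructed: a security
group in the shape boto3's ec2.describe_security_groups() returns, and an on-prem
rule list in iptables-save syntax. Each is reduced to (proto, port_lo, port_hi,
source_cidr) tuples so the two can be diffed.
"""
import ipaddress
import re

# Constructed sample: one entry of describe_security_groups()["SecurityGroups"]
AWS_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # SSH open to the internet on the cloud side: the crack we want to surface
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}

# Constructed sample: the on-prem policy for the same application tier
ONPREM_RULES = """
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -j DROP
"""


def normalize_aws(sg):
    """Map an AWS security group's ingress permissions to canonical rule tuples."""
    rules = set()
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto == "-1":                      # AWS spelling of "all protocols"
            proto, lo, hi = "any", 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for ip_range in perm.get("IpRanges", []):
            cidr = str(ipaddress.ip_network(ip_range["CidrIp"], strict=False))
            rules.add((proto, lo, hi, cidr))
    return rules


# Only ACCEPT rules on INPUT with an explicit destination port are policy we compare.
IPT_RE = re.compile(
    r"-A INPUT(?: -s (\S+))? -p (\w+)(?: -m \w+)? --dport (\d+)(?::(\d+))? -j ACCEPT$"
)


def normalize_iptables(text):
    """Map iptables-save style ACCEPT lines to the same canonical rule tuples."""
    rules = set()
    for line in text.splitlines():
        m = IPT_RE.match(line.strip())
        if not m:
            continue                           # DROP lines, other chains, etc.
        src, proto, lo, hi = m.groups()
        cidr = str(ipaddress.ip_network(src or "0.0.0.0/0", strict=False))
        rules.add((proto, int(lo), int(hi or lo), cidr))
    return rules


def widened(rules_a, rules_b):
    """Rules in a that open the same ports as a rule in b, but to a strictly larger source."""
    out = []
    for proto_a, lo_a, hi_a, src_a in rules_a:
        for proto_b, lo_b, hi_b, src_b in rules_b:
            if (proto_a, lo_a, hi_a) != (proto_b, lo_b, hi_b):
                continue
            net_a, net_b = ipaddress.ip_network(src_a), ipaddress.ip_network(src_b)
            if net_a != net_b and net_b.subnet_of(net_a):
                out.append((proto_a, lo_a, hi_a, src_b, src_a))
    return out


def compare(aws_rules, onprem_rules):
    """Report where the two sides of the cloud border disagree."""
    return {
        "only_in_aws": sorted(aws_rules - onprem_rules),
        "only_on_prem": sorted(onprem_rules - aws_rules),
        "widened_in_aws": sorted(widened(aws_rules, onprem_rules)),
    }


def audit():
    return compare(normalize_aws(AWS_SG), normalize_iptables(ONPREM_RULES))


if __name__ == "__main__":
    for check, findings in audit().items():
        print(check, findings)
```

The "widened" report is the one worth paging on: a rule that exists on both sides but reaches the same port from a larger source network is exactly the kind of crack that an exact-match diff of two vendors' rule syntaxes would miss.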

Collaborate on Strategy

This type of collaboration could be especially important, given that 58% of CIOs surveyed by McKinsey Digital for an August 2019 hybrid cloud report said that IT talent gaps have caused them to fail to meet agility objectives associated with cloud migration.

Bell, too, stressed the importance of working with a trusted advisor or technology partner to help plan effective internal security strategies over time. 

“Make sure you’re staying up to date on security trends: cloud security, access management, logging and auditing,” he said.

“You can’t just purchase a tool and expect that your security posture [is set],” said Bell. “You have to have rules and procedures in place to account for human error. If you leave too much room for human error, [security] will erode.”

Indeed, according to Nutanix’s recent eBook, Top 10 Cloud Security Trends, human error is the weakest link in cloud security. The Capital One breach, for example, was ultimately traced back to a misconfigured web application firewall on the customer's side of the shared-responsibility line, not to a failure of the provider's infrastructure.

“The human element could be innocent or malicious,” said Bell. “Innocent, for example, could mean engineers or cloud architects forgetting about workloads they generated for testing and unwittingly leaving certain access points open.”

Policies and onboarding plans are needed, he said. A strategy is also needed for handling seasonal or departing employees and remote workers, especially as you scale.

“Make sure they no longer have access to your internal systems,” said Bell. “Something is overlooked more often than you think.” When it comes to the hybrid cloud, think of compliance as an always-on proposition, he advised.
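As an added example that is not the article's or Nutanix's code, here is an always-on audit for the two human-error cases Bell describes: test workloads nobody cleaned up that still have a public address, and access keys still attached to people who have left. The instance inventory, the IAM records, the HR departure list, and the field names and thresholds are all constructed assumptions in the shape a cloud API or HR export might return.

```python
"""Always-on audit for two human-error cases: test workloads nobody cleaned up that are
still reachable from the internet, and credentials still held by people who have left.

Added example, not Nutanix's code. The inventories are constructed in the shape a
cloud API or HR export might produce; the field names and thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 2, 20, tzinfo=timezone.utc)   # fixed clock so the run is reproducible
MAX_TEST_AGE = timedelta(days=14)                   # assumed lifetime for a test workload
MAX_KEY_IDLE = timedelta(days=90)                   # assumed idle limit for an access key

# Constructed: compute inventory, one record per instance
INSTANCES = [
    {"id": "i-0aaa", "tags": {"env": "test", "owner": "alice"},
     "public_ip": "203.0.113.10", "launched": NOW - timedelta(days=40)},
    {"id": "i-0bbb", "tags": {"env": "prod", "owner": "bob"},
     "public_ip": "203.0.113.11", "launched": NOW - timedelta(days=400)},
    {"id": "i-0ccc", "tags": {"env": "test", "owner": "carol"},
     "public_ip": None, "launched": NOW - timedelta(days=3)},
    {"id": "i-0ddd", "tags": {},                      # nobody tagged it, so nobody owns it
     "public_ip": "203.0.113.12", "launched": NOW - timedelta(days=90)},
]

# Constructed: identity inventory; last_used None means the key was never used
IAM_USERS = [
    {"user": "alice", "keys": [{"id": "key-alice", "active": True,
                                "last_used": NOW - timedelta(days=1)}]},
    {"user": "dave", "keys": [{"id": "key-dave", "active": True,
                               "last_used": NOW - timedelta(days=30)}]},
    {"user": "erin", "keys": [{"id": "key-erin", "active": False, "last_used": None}]},
    {"user": "svc-backup", "keys": [{"id": "key-svc-backup", "active": True,
                                     "last_used": NOW - timedelta(days=200)}]},
]

# Constructed: HR export of departures (people who left, seasonal contracts that ended)
DEPARTED = {"dave": NOW - timedelta(days=21), "erin": NOW - timedelta(days=60)}


def forgotten_test_workloads(instances, now=NOW, max_age=MAX_TEST_AGE):
    """Internet-reachable instances that are test workloads past their lifetime, or unowned."""
    findings = []
    for inst in instances:
        if inst["public_ip"] is None:
            continue                      # not an access point from outside; lower priority
        age = now - inst["launched"]
        if inst["tags"].get("env") == "test" and age > max_age:
            findings.append((inst["id"], f"test workload with public IP, {age.days} days old"))
        elif not inst["tags"]:
            findings.append((inst["id"], "untagged workload with public IP, no owner to ask"))
    return findings


def orphaned_credentials(users, departed, now=NOW):
    """Every key still attached to a departed user; disabled keys count, they can be re-enabled."""
    findings = []
    for user in users:
        if user["user"] not in departed:
            continue
        gone_for = (now - departed[user["user"]]).days
        for key in user["keys"]:
            findings.append((user["user"], key["id"], key["active"], gone_for))
    return findings


def stale_keys(users, now=NOW, max_idle=MAX_KEY_IDLE):
    """Active keys nobody has used within the idle limit (or ever)."""
    findings = []
    for user in users:
        for key in user["keys"]:
            if not key["active"]:
                continue
            if key["last_used"] is None:
                findings.append((user["user"], key["id"], None))
            elif now - key["last_used"] > max_idle:
                findings.append((user["user"], key["id"], (now - key["last_used"]).days))
    return findings


def run_audit(instances=INSTANCES, users=IAM_USERS, departed=DEPARTED, now=NOW):
    """Run all three checks; schedule this, do not run it once at migration time."""
    return {
        "forgotten_test_workloads": forgotten_test_workloads(instances, now),
        "orphaned_credentials": orphaned_credentials(users, departed, now),
        "stale_keys": stale_keys(users, now),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(check)
        for finding in findings:
            print("  ", finding)
```

The departed-user check deliberately reports disabled keys as well as active ones: deprovisioning is only finished when the identity and its credentials are gone, not merely switched off.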

Control versus Innovation

As cloud computing accelerates, expect the multilayered hybrid cloud jigsaw puzzle to get more complicated, say experts. “It will take a very long time for innovation to slow down in cloud offerings, and until it does, it’s not realistic that management standards will become uniform and mature,” said Lloyd. “Control and innovation are not friends. Each one tends to break the other unless applied with care and a light touch.”

Piecing hybrid cloud security together isn’t going to be easy. But according to Bell, multicloud governance will improve as tools evolve to span all cloud vendor environments and eventually render cross-cloud management and security seamless.

Nutanix’s Xi Beam already provides unified visibility and management across both private and public cloud environments, for example. Policies automatically follow workloads across private and public cloud borders to help ensure compliance with internal security policies and external regulatory mandates, said Bell, such as HIPAA in healthcare, PCI DSS in retail, Gramm-Leach-Bliley Act (GLB) in financial services and others.

Ultimately, cloud structures will become so complex that people can no longer understand them, and when that time comes, machine reasoning will be in order, according to Lloyd.

“It’s the only viable response,” Lloyd said. “Computers [will] uncover all the mistakes we make as we pile up all this technology, one small step at a time.”

Charlotte Jensen is a contributing writer who specializes in business topics. She is the former executive editor of award-winning Entrepreneur magazine. Find her on Twitter @JensenChar.

© 2020 Nutanix, Inc. All rights reserved.