Deploying your workloads in the cloud securely

Teamwork and transparency can help enterprises overcome the challenges associated with securing hybrid clouds.

Think of the cloud and words like “dynamic”, “scalable” and “agile” come readily to mind. Today, cloud adoption is on the rise as enterprises take advantage of these characteristics to respond quickly and effectively to rapidly changing business computing needs.

And yet, the cloud can be “immutable” in some respects, and one of these is the fact that once a service starts running in the cloud environment, it is never modified in mid-stride. If changes are required, the workload is swapped out in its entirety and replaced with a new configuration.

This is the “paradox of cloud computing”, and it is something that enterprises will have to grapple with as they seek to secure their hybrid cloud environments.

The unchangeable aspect of a cloud workload means that the traditional approach to security – whereby applications undergo a continuous cycle of patching, configuration, modification and optimisation – will no longer work. According to a study by the Enterprise Strategy Group (ESG), 74 percent of enterprises polled said they had to abandon the use of existing processes and technologies to secure their cloud infrastructure, while another 13 percent faced “sufficient problems” that may lead them to do the same.

The only way to address vulnerability gaps in the hybrid cloud is to replace existing workloads with newly configured ones that have been patched, tested and optimised. As they do this, however, enterprises have to be aware of the different set of challenges that this entails.

Cyber risks and threats in a hybrid context

One of the risks that arises with the replace-instead-of-repair approach is that different parts of the hybrid cloud and on-premise infrastructure are secured by different people pushing out updated services using different tools. There is thus a high likelihood of inconsistency in configurations and policies, and this creates vulnerabilities that can be exploited by threat actors.

The automation capabilities of the cloud are also a double-edged sword. While they enable auto-scaling to help enterprises keep up with the rapid and temporal nature of cloud computing, they also mean that workloads containing vulnerable software and configurations can be easily replicated. The unintended consequence of this is that the attack surface is now greatly expanded.

Unsurprisingly, the top challenges in securing a hybrid cloud environment are: to maintain strong and consistent security across disparate cloud computing technologies and services; and to support cloud computing and on-premise IT infrastructure and applications with consistent policies, controls and oversight.

Adopting business best practices

The emphasis on consistency makes it important for enterprises to embrace cloud security as a “team sport”. In planning, procuring and securing hybrid clouds, it is important to have security professionals working hand in hand with their counterparts in agile software development, shadow IT and development operations (DevOps), and application development (AppDev) personnel representing the lines of business.

This may involve a bridging of different personalities – the cautious and methodical (security professionals) and the seemingly cavalier (AppDev and DevOps personnel) – and the onus is on the IT leadership to bring these different players together, meld them as a team and engage them in the security conversation.

Equally important in hybrid cloud security is the need to communicate transparently with the expanded group of security stakeholders, which will also include external parties such as suppliers, channels and contractors.

Team members responsible for securing the hybrid cloud environment will have to agree on a set of goals and objectives, and ensure that the success criteria are clear. Cross-functional teams will have to communicate how the migration of assets such as applications, data sets, and security controls to the cloud will affect business units. The asset inventory itself should include a risk assessment to identify the most mission-critical applications and sensitive data sets.

Conclusion

As enterprises start to adopt a “cloud-first” imperative for many of their new IT projects, hybrid clouds look set to become the new normal. Securing this complex environment with its disparate infrastructure pieces requires security stakeholders to understand the fundamental differences between the cloud and a traditional IT environment and to take a more proactive stance towards security – one that cuts across the technical, business and organisational aspects of a hybrid cloud environment. Only through strong teamwork can enterprises take full advantage of the agility of the cloud to achieve their business goals, whilst ensuring that security is not compromised.

Source: Securing Agility: Best Practices for Harnessing and Securing Hybrid Clouds