Getting hybrid cloud security right is hard

By definition, a hybrid cloud is an IT architecture comprising legacy IT systems integrated with public, private, and community-based cloud platforms and services. Gartner defines hybrid cloud computing as policy-based and coordinated service provisioning, use, and management across a mixture of internal and external cloud services. Hybrid clouds’ simple definition conflicts with the complexity of making them work securely and at scale.

What makes hybrid multicloud so challenging to get right from a security standpoint is how dependent it is on training people and keeping them current on new integration and security techniques. The more manual the hybrid cloud integration process, the easier it is to make an error and expose applications, network segments, storage, and APIs.

How pervasive are human-based errors in configuring multiclouds? Research group Gartner predicts this year that 50 percent of enterprises will unknowingly and mistakenly expose some applications, network segments, storage, and APIs directly to the public, up from 25% in 2018. By 2023, nearly all (99%) of cloud security failures will be traced back to manual controls not being set correctly.

What defines the dark side of hybrid multiclouds?

The promises of hybrid multiclouds need to come with a disclaimer: Your results may vary depending on how deep your team’s expertise is on multiple platforms extending into compliance and governance. Hybrid multiclouds promise to provide the following under ideal conditions that are rarely achieved in organizations today:

  • Integrate diverse cloud platforms and infrastructure across multiple vendors with little to no degradation in data latency, vendor lock-in, or security lapses.
  • Autonomously move workloads and data at scale between legacy, third-party legacy on-premises systems, and the public cloud.
  • Support and securely scale for edge computing environments as enterprise spending is surging in this area today. Bain’s analysis of IDC data anticipates spending on edge computing infrastructure and environments will grow at a 35% CAGR between 2019 and 2024, compared with approximately 2.5% growth of nonpublic cloud spending.

Enterprises need to work their way through the dark side of hybrid multiclouds to see any benefits. While the challenges are unique to the specific enterprise’s legacy systems, previous results in public, private, and hybrid cloud pilots and proofs-of-concept are a reliable predictor of future results.

The roots of risk

In reality, hybrid multicloud platforms are among the riskiest and most challenging to get right of any IT infrastructure. According to Bain’s Technology Report 2020: Taming the Flux, the average organization relies on 53 different cloud platform services that go beyond basic computing and storage.

Bain’s study found that CIOs say the greater the complexity of multicloud configurations, the greater the security and downtime risks their entire IT infrastructures are exposed to. CIOs also told Bain their organizations are struggling to develop, hire, and retain the talent needed to securely operate one cloud infrastructure at scale, let alone several.

That heads a list of indicators that innovative enterprises are seeing as they work to improve their hybrid multicloud security. The indicators include:

  • Lack of ongoing training and recertification. Such training helps to reduce the number and severity of hybrid cloud misconfigurations. As the leading cause of hybrid cloud breaches today, it’s surprising more CIOs aren’t defending against misconfigurations by paying for their teams to all get certified. Each public cloud platform provider has a thriving sub-industry of partners that automate configuration options and audits. Many can catch incorrect configurations by constantly scanning hybrid cloud configurations for errors and inconsistencies. Automating configuration checking is a start, but a CIO needs a team to keep these optimized scanning and audit tools current while overseeing them for accuracy. Automated checkers aren’t strong at validating unprotected endpoints, for example.
  • Automation efforts often overlook key factors. It is necessary to address inconsistent, often incomplete controls and monitoring across legacy IT systems. That is accompanied by inconsistency in monitoring and securing public, private, and community cloud platforms.
  • Lack of clarity on who owns what part of a multicloud configuration continues because IT and the line of business debate who will pay for it. Addressing the lack of clarity regarding each cloud instance is the responsibility of a business IT leader or the core IT team. Line of business leaders’ budgets are charged for hybrid multicloud integration projects that digitally transform a business model. But data and IT governance, security, and reliability can fall on the line between the business and IT, creating confusion and opening the door for bad actors searching for gaps in hybrid cloud configurations.
  • Accountability lines between cloud providers and customers get blurred as well. With cloud providers taking on more responsibility for managing all aspects of hardware and software co-hosted in their datacenters, there’s more confusion than ever on who covers the gaps in system and cybersecurity configurations.
  • The overhyped benefits of cloud elasticity and paying-as-you-go for computing resources can obscure the overall picture. Important details too often get buried in complex, intricate cloud usage reporting invoices from public cloud providers. It’s easy to get lost in these lengthy reports and overlook essential cloud security options. Later in this series of articles, I’ll address the limitations and misconceptions of the Shared Responsibility Model.

Mind the multicloud gaps

Lack of compliance and governance are the most costly errors enterprises are making today when it comes to hybrid multicloud deployments. Not only are they paying the fines for lack of compliance, but they’re also losing customers forever when their data is compromised in a breach. Gaps between legacy systems and public, private, and community clouds that provide bad actors an open door to exfiltrate customer data violate the California CCPA laws and the EU’s GDPR laws.

Enterprises can achieve more real-time visibility and control across all cloud instances by standardizing on a small series of monitoring tools. That means trimming back, to better ensure assorted tools don’t conflict with each other.

How quickly any given business can keep reinventing itself and digitally transform how it serves customers depends on how quickly IT can adapt. Leaders must understand that hybrid multicloud is an important strategy, but the hype doesn’t match the reality. Too many organizations are leaving wide gaps between cloud platforms.

The recent high-profile SolarWinds breach exposed hybrid multicloud’s weaknesses and showed the need for Zero Trust frameworks. In the next article in this series, I’ll look at the lessons learned from the SolarWinds hack and how greater understanding can help strengthen compliance and governance of any hybrid cloud initiative. Machine learning and terrain analytics show promising potential to identify and troubleshoot hybrid multicloud security gaps as well, and this too will be explored in the upcoming series.

The original version in English appeared on VentureBeat.com on May 13, 2021.

With the kind permission of the author, we were allowed to publish the post on this blog.
