Thales eSecurity Blog

The rise of hybrid cloud poses new security challenges – are you prepared?

Gary Marsden | Cloud Services Director

There aren’t many sure bets in technology today, but it’s hard to see an enterprise world without the use of hybrid cloud environments. Hybrid cloud deals have dominated the market so far this year, and the uptake is only accelerating; according to Gartner, around 90% of organizations will adopt hybrid infrastructure management capabilities by 2020. Many of the dominant cloud providers have made moves in the past year to ramp up their hybrid and multi-cloud offerings – another clear sign that the days of cloud computing being simply ‘the cloud’ are long gone.

Let’s take a quick step back and provide some clarity before we proceed. These hybrid environments are created as companies move away from purely on-premise solutions to multi-cloud environments – often complicated further by the need to retain some on-premise applications or capabilities. A multi-cloud strategy ultimately stems from the idea of combining the best technologies from multiple cloud providers in order to achieve the best possible business results.

Yet, enterprises shouldn’t feel obliged to only use cloud, just because it is en vogue. Not all data can, or will, move to the cloud, and for good reasons – in order to retain sovereignty for regulatory compliance, for example, or due to corporate policy. The reason can also still come down to performance, with high-transaction applications in mind; or it may even be an emotional one, with a business preferring ownership of data – the ‘I don’t trust the cloud’ factor.

Cloud computing offers a highly-flexible model for organizations to adopt IT services, often without much up-front investment. Despite these – and a number of other – huge gains achieved from migrating to a cloud environment, many organizations are still slow in embracing the positives due to the legacy factors outlined above – thus fuelling the rise of hybrid cloud environments.

These perceived issues – and the security challenges many organizations face when moving to the cloud – will continue to hamper the growth of cloud adoption until they are truly understood and addressed by the market as a whole. The idea of handing over critical business data to another company is undeniably daunting – and cloud customers need to be vigilant in understanding the risks of data breaches in this new evolution of cloud.

We must remember that cloud security is based on a shared responsibility model – where the provider is responsible for a secure and robust infrastructure and the enterprise is responsible for the security of its assets within the cloud. While the security of most cloud platforms is strong, deploying consistent and effective security controls for data flowing between different cloud and on-premise systems can be quite challenging due to proprietary APIs and tools. This can lead to profound gaps around visibility, control and auditability.

So where do we stand with some of these hybrid cloud security challenges, and what are the considerations and strategies businesses should be thinking about?

The lay of the land

With some exceptions, consumers of cloud services have accepted this shared responsibility model and moved beyond asking the basic question of whether cloud services are safe, or if they can implement governance and regulatory controls over systems. Now the bigger question, how to secure systems and data, is what organizations are trying to decipher.

Given the scale and complexity of corporate IT provisions and policies, the variety of application services they must now integrate with, and the lack of unified tools to securely share or migrate data in hybrid environments, developing a security strategy for cloud services is a complex task. Effective data security and compliance in a hybrid world requires you to take a systematic and holistic approach to security.

Encryption is key

Beyond managing risk through data governance, firms should ultimately strive to exercise control over all data stored within cloud resources. That is why we typically advise businesses to use a combination of Bring Your Own Encryption (BYOE) and centralized key management, to secure data with maximum control, visibility and portability. This gives you the flexibility to deploy the right solutions to protect data where it matters the most, without giving up control of your keys to your cloud providers.

In order to leverage the benefits of a hybrid cloud environment, organizations must also ensure that they have the ability to not only secure the data but also independently audit and prove compliance to a range of regulatory mandates. This means it’s important to plan for agility and portability – so that if the business priorities change, you can securely share or migrate your data between on-premise and public cloud environments with minimal additional effort.

And of course, it is critical to ensure that the correct people have access to the right data, with tools such as access management and two-factor authentication (2FA) implemented to manage it all securely. As we approach near-ubiquity of hybrid cloud, having the right access controls in place – underpinned by first-class encryption and key management – will help enterprises make the most of this new IT reality, without compromising on data security.

To find out more about these capabilities, please download our Hybrid Cloud Data Security Control solution brief.