8 hybrid cloud security challenges and how to manage them
Hybrid cloud's benefits are many and varied but so are the security issues surrounding integration, compatibility, governance, compliance, APIs, visibility and responsibility.
While AI is taking the world by storm, the gold at the end of the rainbow for many CIOs follows digital transformation initiatives that lower operational costs and transition legacy systems to virtual environments on private and public clouds.
Consumer websites and development environments run applications in privately controlled data centers and take advantage of the compute, network and storage resources of public cloud service providers (CSPs), better known as infrastructure as a service (IaaS) providers. Attracted by the flexibility and cost savings, businesses use this "cloud burst" pay-as-you-go model for high-volume data processing, load balancing and redundancy, avoiding downtime during peak demand, such as a holiday selling period.
But, for many organizations, connecting private and public clouds over the internet using a dedicated network connection isn't that simple. Business transitions, incompatible technology environments and rapid changes in dynamic public cloud services can cause hybrid cloud security challenges.
Single hybrid cloud is now multiple clouds, said Mark Buckwell, executive cloud security architect at IBM, during last April's RSA Conference. It's not unusual for organizations to run Microsoft Active Directory as a managed service on AWS and connect to on-premises workloads, he told the audience during a session called "Architecting Security for Regulated Workloads in Hybrid Cloud."
"They still don't want to move the crown jewels of the organization off premise into cloud," Buckwell said, "so we end up integrating different parts of an application with different components, sitting on different technologies ... and this seems to be the way the world is going. And that just makes the whole solution a lot more complex because now we have data flowing in all sorts of different places." The result, he added, is different policies, depending on the technology and cloud provider, as well as a potential "split of responsibilities" among the cloud provider, other third parties and the organization.
Hybrid cloud security challenges
Legacy systems might work with some public cloud services and not others. Security teams need to ensure on-premises security controls and processes coexist with native-cloud technologies to meet business and compliance requirements.
1. Vendor compatibility
The "SANS 2022 Multicloud Survey" of IT professionals reported that 86% of respondents said their organizations used services from multiple cloud providers and 28% used private cloud for at least one-fourth of their compute workloads. "You're juggling clouds, each from a different vendor, wanting flexibility and the best tools," said the survey's co-author, Kenneth Hartman, owner of Lucid Truth Technologies, a digital private investigation agency and forensic consulting firm. "Sounds cool, right? But there's a catch, like a security gremlin hiding in each cloud. That gremlin is complexity."
Organizations need a centralized security architecture and governance to keep those "gremlins" in check, Hartman advised, without blowing the budget on fancy systems that just add to the complexity. It's critical to choose the right cloud providers and individual services, he added, "like picking trustworthy housemates who won't let just anyone in."
2. Network integration
Companies focused on solving a business problem might lift and shift existing systems and controls to a CSP. And IT teams might be tasked with addressing tricky integration issues involving technology, protocols and standards after the hybrid cloud environment is up and running. Fixing these issues can cost more than addressing security and compliance upfront. "A weak spot for the cloud, [but] network security is improving," said Dave Shackleford, founder and principal consultant at Voodoo Security.
Fortune 1000 organizations used to bring their existing network security stack with them to meet regulatory requirements. Now, many of these companies use native firewall services and native logging and management tools. "We've done a good job of moving from A to B," noted Shackleford, a SANS instructor and analyst who serves on the institute's board of directors. Still, it's a struggle to find skilled personnel for even basic network security, like firewall administration. "Every tiny bit of processing costs money," he explained. "The expectation of security management is that [IT administrators] are comfortable doing cost optimization around these firewalls."
3. API security
In theory, API tools and protocols enable web apps, containers and microservices to securely communicate with each other over the internet. But securing APIs remains a major problem. In the SANS survey on multi-cloud, 58.9% of respondents said "poorly configured or insecure APIs or interfaces" was their top concern. APIs can expose the application's back-end logic, as well as sensitive data, making APIs prime targets for attackers. It's almost impossible to have visibility into which APIs are exposed. A critical resource on API vulnerabilities is the Open Web Application Security Project's Top 10 API Security Risks -- 2023.
4. Data protection
For most companies, security is ultimately about protection of sensitive data -- where it is, who has access to it and how it's used. Hybrid cloud deployments enable organizations to house sensitive data and applications on private clouds or on premises and take advantage of wider network infrastructure provided by public clouds for managed services, workload distribution and storage. Mapping data flows through these systems, ensuring traceability and understanding how the data is protected in transit and at rest are necessary for legal and regulatory compliance in financial services, healthcare and other industries. Encryption protects data privacy in communication and storage. With IaaS, organizations can specify the physical or geographic storage location, also known as data residency, where their digital data is stored and processed.
5. Visibility and monitoring
Security managers need to have visibility into all resources, systems and data in motion in their organization's hybrid cloud environment. Their number one concern is: "We don't know what is going on," Shackleford said. Better visibility can improve security and compliance. In addition to taking inventory, security teams should monitor all access attempts and configuration changes.
Security teams rely on logs and syslog to monitor application files and network devices for anomalies and potential security events. IaaS providers are starting to offer native security information and event management (SIEM) as a service through tools such as Amazon Detective, Azure Sentinel and Google Chronicle. How do security teams figure out which data to collect for SIEM and which data to leave behind?
"Let's say you get your security logs from a service within four hours of an event of interest. But something changes at the cloud service provider, and now, you're not getting the logs until 12 hours later," Hartman theorized. "Or what if the event never shows up at all?" Threat modeling in the cloud, which has more trust boundaries, can help, he said, adding, "Just make sure that your list of possible threats includes lack of visibility."
6. Security responsibilities
The chief information security officer (CISO) protects the company's information assets by setting up a security strategy, policies supporting that strategy and incident response. Mixed environments such as hybrid cloud architecture have a shared security model. Security responsibilities should be documented in contractual agreements with the service provider before a security incident like a data leakage occurs. Supply chains, notorious for security risks, must be compliant with the service provider and the enterprise customer.
Companies focus on the resilience hybrid cloud offers, but "they don't have a cloud strategy," said Lisa McKee, co-founder of consultancy American Security and Privacy. "Where is the data going to go? Who is responsible for patching across these environments? Are access controls going to be outsourced?"
Responsibility for application security is shared with the SaaS provider, but organizations might have limited control over service configuration settings. At the same time, organizations are accountable for platform and application security in IaaS deployments, but the responsibility for configuring and securing the infrastructure is shared. CSPs are responsible for securing their locations and physical assets.
7. Compliance, risk and governance
The responsibility for governance, risk and compliance is cross-functional at most organizations, ensuring that business activities align with the company's goals and industry regulations. Guidance is available in frameworks such as HIPAA, Payment Card Industry Data Security Standard, Federal Risk and Authorization Management Program, ISO and NIST 800-83.
CISOs need to align standards and frameworks to overall business and cybersecurity strategies. These efforts will come under the spotlight with the new Securities and Exchange Commission's (SEC) cybersecurity rules. Public companies must report "material cybersecurity incidents" within four days of discovery and provide information on board oversight, cybersecurity policies and procedures in annual reports (10-K and others). In an unprecedented move, the SEC sued SolarWinds, makers of Orion IT management software used by government agencies, alleging the company and its CISO, who is named in the lawsuit, misled and defrauded investors by failing to disclose system vulnerabilities that led to cyberespionage by Russia-backed hackers in 2019.
With the SEC reporting kicking in, Amazon in November offered AWS Cyber Insurance Competency Partners to quantify risk using customer data that's in AWS Security Hub. "This may be a tipping point of an ecosystem of cloud that we never saw coming," Shackleford said.
8. Skills gap
As hybrid cloud security challenges increase network complexity, CISOs and CIOs face resource cuts. Of the nearly 15,000 IT professionals surveyed in the global 2023 "ISC2 Cybersecurity Workforce Study," 47% said their organizations faced budget constraints. Respondents ranked cloud computing (35%) as the number one skills gap in their security teams, followed by AI and machine learning (32%) and zero-trust implementation (29%).
"The cloud security and operations professionals of today must be able to do so much more than plug in and configure a hardware device," Hartman said. "They need to be very comfortable with infrastructure code up to and including being able to read and write it. They must also have a good grasp of the principles of cloud security architecture and identity and access management systems -- someone who can roll up their sleeves and dive into the details yet keep the big picture in mind."
How to manage hybrid cloud security challenges
Organizations need to update their security strategies and design models to better manage their cloud infrastructures, including the following:
- Dedicated cloud skills. Dedicate one person on staff to each of the major public cloud providers: AWS, Microsoft and Google. "That's what I have found works," Shackleford advised.
- Cloud security posture management (CSPM). Microsoft, Palo Alto Networks and others offer CSPM tools that automate risk management and compliance requirements with features such as continuous monitoring of cloud-based systems for vulnerabilities and misconfigurations. The cloud attack surface notwithstanding, human error remains one of the biggest threats to enterprise cloud deployments.
- Agnostic cloud. Companies avoid vendor lock-in by using multiple public cloud providers in hybrid cloud deployments. Cloud-agnostic architectures enable enterprises to run systems, applications and other components across cloud platforms without rewriting code. This model can improve security and risk management by lessening dependence on a cloud that might have been compromised. Limited tooling from CSPs can be a drawback. Hybrid Kubernetes and Terraform enable security teams to work with containerized applications on any cloud.
- Hybrid identity. Companies can use secure access service edge architectures or cloud access security brokers to monitor access and enforce security policies. Single sign-on (SSO) authentication lets users log in to a hybrid cloud network using one set of login credentials. More than half of the SANS survey's respondents said they're using multiple SSO service providers. "What's remarkable about this last finding," Hartman reported, "is the whole idea of a single sign-on service provider is … you only use one system to authenticate."
- Zero-trust policies. The U.S. Department of Defense (DOD) mandated migration of all its systems, policies and procedures to a cybersecurity zero-trust framework by 2027 with a roadmap in November 2022. The DOD mandate may encourage private sector companies to revisit zero-trust policies for hybrid environments. Zero trust means that everything is considered a risk. These environments, which rely on strict user and device verification, are managed by implementing least privileges and assuming that the network has already been breached. Microsegmentation enables security teams to isolate environments and apply zero-trust policies at a granular level. "Zero trust is a strategy," McKee said. "It is not a product."
- AI and machine learning tools. Technology providers are offering AI-powered tools with more in the pipeline. "Personally, I'm excited by the great strides that are being made to make the SIEM software smarter," Hartman said. "Using machine learning and other AI techniques to identify the highest-priority threats from all the noise present in our security logs. As we say in cybersecurity, 'The offense informs the defense.' I appreciate it when our tools identify the attack patterns and map it to the Mitre ATT&CK framework. There's so much noise, so we must be able to focus on what needs action."
Kathleen Richards is a freelance journalist and industry veteran. She's a former features editor for TechTarget's Information Security magazine.