How to improve hybrid cloud security — challenges & best practices

The hybrid cloud model is gaining in popularity. And for good reason — it allows businesses to store their sensitive data in a secure private cloud while at the same time enjoying the scalability of the public cloud. However, with these benefits come security concerns. When you combine different cloud environments, you increase complexity and potentially create more attack vectors.

That’s why we will take a look at hybrid cloud security in this article. Learn about common challenges like access or provider management, as well as best practices to overcome these challenges.

What is hybrid cloud security?

Hybrid cloud security aims to protect data hosted in a hybrid cloud environment. These environments typically combine private and public clouds. If they include more than one public cloud, this is referred to as a hybrid multi-cloud. Also, many organizations integrate their existing on-premises data centers into their hybrid cloud setup.

Hybrid clouds increase flexibility. You can place sensitive data in the private cloud while using the cost savings and the scalability of the public cloud. In a well setup hybrid cloud, you can also freely move workloads around to adjust for different use cases.

However, this multi-layered approach creates new security challenges. Each of the cloud environments has to be addressed differently. You also need to connect these different environments seamlessly. If these connections are not well-planned and maintained, they might result in new attack vectors. For hybrid cloud security, orchestration is key.

What are typical challenges?

If you are in charge of your organization’s hybrid cloud security, these are some of the challenges that you might encounter.

Partial access

With hybrid cloud solutions, businesses no longer manage every part of their infrastructure. At least the public cloud portion of your setup will be managed by an external provider. Thus, many security parameters can only be set by this provider.

With the private cloud component of your hybrid cloud, it depends on where it is located. If you manage your private cloud on-premises, you have a large degree of control. If your private cloud is hosted externally, e.g., with an external managed services provider, you must rely on the provider.

Relying on a provider might complicate your response if there is an incident. Instead of reacting directly, you first have to coordinate with the provider. It’s even possible that you and your provider will differ on what exactly constitutes an incident. You might be inclined to take action while your provider doesn’t see an urgent need yet.

However, in practice, working with a provider often significantly improves hybrid cloud security. Many in-house IT teams are so busy with everyday tasks they hardly have time to think about new security threats. With a professional provider, these threats are usually addressed instantly.

False alarms

Combining different clouds might lead to false alarms. Your monitoring tools might not categorize the data traffic between clouds correctly and view it as an unknown threat. Such false alarms can desensitize your IT team to real threats when they arise.

Multiple vendors

Many businesses integrate multiple public clouds from different vendors into their hybrid cloud setup. This is known as a hybrid multi-cloud.

However, the more vendors you use, the more you will have to deal with different interfaces, parameters, and APIs. This will make it more difficult to apply a coherent security policy across all your cloud platforms.

For example, to set up a virtual private cloud, you will have to employ a different solution for each provider. With Amazon, you will have to use the “Amazon Virtual Private Cloud,” with Azure, the “Azure Virtual Network,” and with Google, the “Google Virtual Private Cloud.” By combining all these different solutions, there is a greater chance for configuration mistakes and security breaches.

Traffic between clouds

When you run different applications in different cloud environments, these applications need to communicate with each other, i.e., exchange data. With different networking models, ensuring a secure end-to-end connection can be a challenge.

Password management

Most public clouds offer a password management system. These password managers usually only work for that specific environment. If you want to manage all of your passwords through one central interface, you will have to resort to a third-party solution.

Data distribution

If you are operating within multiple cloud environments, distributing data can get messy, as keeping track of it presents a greater challenge.

The first common scenario is misplaced data — data that belongs together gets separated and saved to different clouds. The second scenario is separate sets of data getting comingled.

In either scenario, sensitive data can end up in the wrong “neighborhood.” This can result in incomplete data or even data loss.

Data distribution issues can also complicate log analysis. If data is spread out among multiple clouds, it can become difficult to predict how a bug or security threat might impact data sets that are even further removed.

Competing IAM solutions

Identity and access management tools (IAM) are a great way to manage your user’s digital identities. Most cloud platforms will provide you with an IAM. However, these tools don’t transfer. For example, the AWS solution won’t work for Azure, and vice versa. So, if you have multiple clouds in use, this can get convoluted quickly.

Human failures

Often, the biggest threats to your hybrid cloud security are not due to technical shortcomings but to human error. Examples include the use of unsecured public WiFi, problematic BYOD policies, or insecure apps on mobile devices.

Best practices

To increase your hybrid cloud security, you should pay attention to the following best practices.

1. Practice a zero trust model

The basic premise of a zero trust model is “never trust, always verify.” This means users and devices should not be automatically trusted, even if they were previously verified. This approach is especially relevant to a complex hybrid cloud environment with its multiple ports of entry.

Measures include:

• Implementing a coherent system for identity verification
• Validating device compliance before you grant access
• Only granting least privileged access

2. Have well-definded SLAs

A service level agreement (SLA) defines how your public or private cloud provider will deliver their cloud services to you.

Make sure the SLA answers the following questions:

• What exact obligations does the provider have?
• What tasks must be taken care of by your IT team?
• How are compliance needs addressed?
• What measures are in place for business continuity?
• What is the guaranteed uptime?
• What does the provider’s disaster recovery plan entail?

3. Choose your connections

Connectors merge different cloud environments into one unified hybrid cloud. These connections are, therefore, an integral part of your hybrid cloud and must be well-secured. For example, you might consider a mix of direct network connections and VPN tunnels, with the direct network connection as the default and the VPN as the standby.

4. Choose unified tools

Managing multiple clouds with separate tools for each cloud gets confusing quickly. Hence, you should prefer solutions that work across multiple environments, particularly when it comes to tools for authentication, compliance, app monitoring, and risk management. The more you can unify tasks in one place, the less likely security threats are going to fall through the cracks.

A great option is ONTAP by NetApp. This central data-management interface is consistent across all major public clouds and also integrates with your on-premises data center. This allows you to use the same playbook, even with a multi-layered hybrid cloud setup.

5. Pay attention to network layers

To create a holistic security approach, you should examine each level of your hybrid cloud individually, including:

• The hypervisor
• The operating system
• The webservers
• The databases
• The application layers

For each of these layers, ask yourself what the most likely vector of attack is and how to best defend against it. Also, make sure to implement a monitoring solution for each of these layers.

6. Revisit your configurations

When a cyberattack succeeds, it is often not due to the sophisticated nature of the attack but because of basic configuration errors. To prevent this, you must stay on top of your configuration management. You should have a standardized procedure for identifying, documenting, and fixing misconfigurations. It can be a good idea to automate these processes, as manual configuration management is more prone to failure.

7. Encrypt your data

If you move a lot of data around among different clouds, it is important to encrypt that data. This should happen at every level of the service mesh, including the OS and code at the bare metal level, as well as data archives, backups, and data in transmission.

Generally speaking, asymmetric methods are safer than symmetric methods. Also, keep in mind that quantum computing might make even relatively safe encryption methods ineffective in the next couple of years. So, keep an eye out for quantum-safe methods.

8. Practice micro-segmentation

By using micro-segmentation tools in a cloud environment, you can stop a successful attack from spreading. This is done by isolating virtual machines from each other. Should an attacker get access to a node, their lateral movement is limited — they can do comparatively little damage. In this way, micro-segmentation solves the problem of privilege escalation, one of the prime security concerns when you run containers in a hybrid cloud environment.

9. Use authentication

With a hybrid cloud setup, you will have applications that live in Cloud A but use services from Cloud B — and vice versa. To make these cross-cloud exchanges secure, you must authenticate them. There are several software solutions available to make this easier. A specialized hybrid cloud provider can help you choose.

10. Do vulnerability scans

Do regular, automated vulnerability scans to make sure your systems are working as they should. Many of these tools have recently become even more powerful with AI integration. Anomalies that might have gone undetected in the past are now detected reliably. Make sure to train these AI tools on the traffic that comes from and goes to your cloud. It is here where attackers are most likely to stand out and be noticed.

11. Use firewalls

You should install multiple firewalls to protect the different layers of your network, including the hypervisor, the OS, databases, and applications. These firewalls enable real-time data packet analysis. They can be easily implemented as SaaS modules.

12. Practice code testing

When bugs in your software code go unnoticed, they can create security breaches. That’s why you should deploy code testing tools that check your developers’ work before the program goes live. These tools integrate flawlessly into your software development lifecycle. They put new code in isolated sandboxes and run automated tests.

13. Manage your backups

Always have several versions of the same backup available in case one or several of the versions turn out to be corrupted. At the same time, you should apply a zero trust approach to your backups, especially since you are likely deploying multiple backup solutions and processes simultaneously. Encryption is a must. Finally, distribute backups over multiple data centers, third-party sites, and various forms of media. If one backup site is compromised, you have others to fall back on.

14. Have a disaster recovery plan

You need to make sure that your data is safe even in the case of unforeseen events like a natural catastrophe. Create an action plan that addresses such scenarios. Also, do disaster recovery tests (DR tests). Many businesses, in theory, have a disaster recovery plan but never try it out. DR tests will show you holes in your current strategy and prepare you for an emergency.

There are a variety of tools that can make this process easier. For example, ONTAP and Cloud Manager by NetApp allow you to quickly build disaster recovery environments in one or more public cloud locations. With little or no architectural change, you can add additional resources to handle scale or guarantee geo-redundancy.

15. Perform regular audits

To keep your hybrid cloud security up to date, you should schedule regular audits. In the quickly evolving cloud space, threats that might not have existed three months ago might now be a real danger to your organization. Thorough audits will address that.

16. Get additional input

If you have the same few people looking at your hybrid cloud security, it is easy to fall into tunnel vision. Your team members might not recognize certain holes in your strategy because they are too close to it.

To prevent that, get outside experts involved. A great option is to work with an external hybrid cloud provider. Here, you have dozens, if not hundreds, of experts at your disposal who all bring a unique perspective to hybrid cloud security. This way, it is unlikely you will miss anything.