The benefits of doing business in the cloud are well-documented and widely accepted; indeed, it is no longer a question of whether organizations should leverage the cloud, but rather to what extent and degree the cloud must be part of the operational plan. Today most organizations adopt a hybrid-cloud model, which gives them more flexibility while avoiding lock-in to a single vendor. Other benefits of a hybrid-cloud environment include speed, cost savings and business continuity.
According to the RightScale 2018 State of the Cloud Report published last week, security is the biggest issue among cloud beginners, and indeed for many organizations, the journey upwards into the virtual ether has not been smooth and streamlined. Instead, it has been unexpectedly challenging due to difficulties extending on-premises security policies to a cloud (public and hybrid) environment.
Obviously, the cloud is here to stay, and its impact on everything from back-end data centers to front-facing customer communications will only grow bigger in the years ahead.
Don’t Support Tomorrow’s Infrastructure with Yesterday’s Technology
As such, organizations must rapidly — but thoughtfully and strategically — fill the gaps in their policies, so that they are both robust and enforceable. To that end, here are three best practices that help ensure the hybrid-cloud’s profitable benefits are not undermined by costly security vulnerabilities:
Choose an Advanced Security Platform
To avoid trying (and failing) to support tomorrow’s infrastructure with yesterday’s technology, organizations need to adopt an advanced security platform that:
- Is designed for today’s complex multi-cloud, multi-account, multi-data center environment.
- Integrates with all combinations of legacy and emerging compute systems like containers, hypervisors and serverless.
- Uses automation to rapidly and accurately manage ongoing security changes.
Manage Security Policies in Your Own Comfort Zone
Instead of having SecOps, DevOps, engineers and security fight for policy dominance, organizations should adopt a Bring Your Own Security Policies (BYOSP) notion. A ‘mega’ dashboard that gathers, monitors and manages all policies will allow all relevant stakeholders to contribute their “must-have” requirements, which are then streamlined and standardized across the organization and can be easily implemented by the security team.
Enable Multi-Level Visibility
As the adage goes, “it is impossible to manage what cannot be measured”. In a similar sense, organizations cannot effectively enforce security policies that they cannot clearly and constantly see. As such, they need multi-level visibility that provides both an aerial view of operations (big picture), and isolation on the lower levels (granular details). In other words, they need both clarity and control.
The Bottom Line
As observed by Enterprise Security Group’s senior principal analyst Jon Oltsik: “A few years ago, CISOs were concerned about the conceptual security of the cloud. Now, they are anxious about the practical realities around how they can extend their existing cyber security skills, processes, and controls to enforce security policies and monitor activities in the cloud”.
Indeed, CISOs are not the only ones who are concerned about security in the cloud. Given the massive costs and lingering consequences of data breaches — triggered by either external cyber criminals or internal rogue users — achieving a strong, stable and enforceable hybrid-cloud environment is everyone’s responsibility, regardless of team designation or job title.
Following the best practices described above will go a long way toward helping organizations ensure that their journey through the cloud is safe and profitable.