Top Security Best Practices for Hybrid and Multi-Cloud Models

Multi-cloud and hybrid-cloud models are the rage. About 94% of enterprises today deploy a mix of public and private clouds and run a host of SaaS applications.

Multi-cloud and hybrid-cloud environments distribute workloads to improve enterprise agility and flexibility. But these deployments are also complex and raise fresh security challenges. For instance, common east-west traffic, routine in on-premises data centres, could very well be lateral movement by an intruder, in a public cloud.

CIOs managing multi-cloud and hybrid-cloud deployments struggle to ensure secure access to cloud-based workloads, meet statutory compliance, and store critical data across services. This IT blog for technology professionals deals with effective strategies to overcome the security challenges of hybrid and multi-cloud deployments.

1. Standardise the Cloud Architecture and Controls

Multi-cloud and hybrid cloud deployments work best with standardised architecture and controls across the environment. Standardisation supports automation, allows implementing effective controls, enables scale, and facilitates reuse across deployments.

Identify an optimal standard configuration, to apply across all cloud configurations.

Determine the parts of the standard stack that need to differ for specific configurations, based on the capabilities inherent in each cloud deployment model.

Apply tactical security protections optimal for each cloud configuration, as a second layer on top of the standard stack.

Correlate on-premises and cloud environments through instrumentation. Ensure commonality in the tool stacks across the various deployments. Standardised instrumentation across the hybrid IT environment minimises complexity and maximises visibility.

2. Enforce Access Control

Physical controls such as locks, security cameras and guards secure hardware in data centres and offices. But the spread-out nature of the hybrid cloud and multi-cloud environment makes physical security unviable. Enterprises instead need to enforce role-based access control.

Develop and enforce identity management protocols. Minimise identity sources. Multiple sources of identity and access control, a common feature across enterprises, weaken security.

Clarify the access privileges for each employee or user in the IT environment. Apply the principle of least privilege, restricting access only to the data and resources needed by the user.

Streamline permissions into role-based categories, to reduce power users. Use centralisation and standardisation to enforce role-based access control (RBAC). Separate identity and access models in different environments add complexity and increase errors.

Restrict access using access management tools. 

Monitor the code repositories used to manage privileged access, to pre-empt unauthorised changes.
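The least-privilege and "reduce power users" advice above can be checked mechanically. The following is an added example (not code from the original article): it audits constructed IAM-style policy documents for full-admin and service-wide wildcards, for a short illustrative list of high-risk actions, and for unscoped resources, then lists the policies that amount to power users. Policy names, ARNs and the risky-action list are made up for the example; conditions and Deny statements are deliberately ignored to keep it short.

```python
import fnmatch

# Constructed sample policies in a generic IAM-style JSON shape (made-up
# names and ARNs); each statement allows a set of actions on resources.
SAMPLE_POLICIES = {
    "analyst-readonly": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::reports-bucket/*"}]},
    "ci-deployer": {"Statement": [
        {"Effect": "Allow", "Action": ["ecs:UpdateService", "ecr:GetDownloadUrlForLayer"],
         "Resource": "*"}]},
    "legacy-admin": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "key-custodian": {"Statement": [
        {"Effect": "Allow", "Action": "kms:*",
         "Resource": "arn:aws:kms:eu-west-1:111122223333:key/*"}]},
}

# Actions whose grant deserves review wherever it appears (illustrative list).
HIGH_RISK_ACTIONS = ("iam:CreateAccessKey", "iam:AttachUserPolicy",
                     "kms:ScheduleKeyDeletion", "sts:AssumeRole")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def audit_policy(name, policy):
    """Return (severity, message) findings for one policy document."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # simplification: Deny statements and Conditions are not evaluated
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for pattern in actions:
            if pattern == "*":
                findings.append(("CRITICAL", "full administrative access: Action '*'"))
                continue
            if pattern.endswith(":*"):
                findings.append(("HIGH", f"service-wide wildcard {pattern}"))
            # A policy wildcard such as kms:* silently grants concrete risky actions.
            for risky in HIGH_RISK_ACTIONS:
                if fnmatch.fnmatchcase(risky, pattern):
                    findings.append(("HIGH", f"{pattern} grants {risky}"))
        if "*" in resources and "*" not in actions:
            findings.append(("MEDIUM", f"unscoped Resource '*' for {', '.join(actions)}"))
    return findings

def power_users(policies):
    """Names of policies carrying at least one CRITICAL or HIGH finding."""
    return sorted(n for n, p in policies.items()
                  if any(sev in ("CRITICAL", "HIGH") for sev, _ in audit_policy(n, p)))
```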

3. Encrypt Data at Rest and Data in Transition

Encryption is the Holy Grail of cloud security. But many enterprises apply encryption inconsistently, diluting effectiveness.

Use cryptographic protocols (SSL/TLS) to secure data transmission over the network. Use SSH for communication over untrusted network connections.

Categorise and classify data. Decide on the encryption and key management based on the business importance of the data. For instance, it is overkill to apply military-grade encryption for instruction manuals.

Determine standards for decryption/re-encryption for data transfers between different environments. The egress costs may put a spoke in the encryption wheel. If so, consider alternatives such as abstracting the key management strategy, leveraging a hardware security module, or using the cloud provider’s key management system (KMS) as the master key provider.

4. Automate Basic Processes

Automating security protocols allows enforcing policies using minimal resources. It frees up valuable human resources for higher-value tasks. Reducing resource requirements is invaluable in today’s challenging business environment.

Prioritise automation of common security processes such as log aggregation, security tool deployments, analysis, alerting, and compliance monitoring.

Develop SOAR (Security Orchestration, Automation and Response) capabilities to capture forensic data for the discovery and remediation of breaches. For instance, SOAR can isolate in a sandbox a Linux host deployed without the proper CIS benchmark configuration. Use SOAR to automate remediation for straightforward tasks such as malware protection.

Adopt a container strategy for secure workload portability across different deployment models. Container platforms such as Kubernetes and OpenShift support robust automation, along with standardisation.

Apply cloud orchestration to manage cloud resources and their software components as a unit. Use templates for automated, repeatable deployments.

5. Risk Assessment and Monitoring

Today’s cyber threats are complex. Conventional perimeter protection approaches no longer capture advanced threats. Real-time risk assessment becomes critical in an age where the cloud network behaviour changes by the moment. Network visibility through logging and monitoring identifies threats and paves the way for effective countermeasures.

Develop a risk profile. Cloud infrastructure remains vulnerable to intrusions, data leaks, and man-in-the-middle attacks. The enterprise's own profile may attract several other risks.

Identify the resources required to tackle the security challenges based on the risk profile.

Monitor network traffic for suspicious activity. Aggregate the activity from the different cloud networks. Cloud providers such as AWS, Azure and GCP offer robust logging and monitoring capabilities. Most database environments feature security information and event management (SIEM) systems. Centralise and aggregate these monitoring activities.

Identify the “normal” across the hybrid cloud landscape. Improve the “normal” benchmark at regular intervals. Determine the signals that require a response or remediation.

Use AI-based network monitoring technologies to correlate network behaviour with potential risks.

Conduct periodic network audits to unearth inadvertent changes and misconfigured settings. Audits identify and correct bottlenecks, and resolve provisioning issues.

Ensure the best visibility into the network, to minimise dwell time in the cloud environment.

Keep software and network end-points up to date with security patches.
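The monitoring steps above (aggregate traffic from different clouds, establish the "normal" baseline, decide which signals need a response) and the east-west warning in the introduction can be worked through on sample data. This is an added example, not code from the original article: it normalises constructed AWS VPC flow-log lines and Azure NSG flow-log tuples into one shape, learns the accepted east-west pairs from a baseline window, and flags accepted private-to-private flows in a later window that the baseline never saw. All addresses, account ids and timestamps are made up; the Azure tuple layout is simplified to the fields the code reads.

```python
import ipaddress

# Constructed sample records (made-up values), tagged with their cloud of origin.
# AWS lines follow the default VPC flow-log field order; Azure lines follow the
# NSG flow-log v2 tuple layout (timestamp,src,dst,sport,dport,proto,dir,decision,...).
BASELINE_WINDOW = [
    ("aws", "2 123456789012 eni-0a1b 10.1.2.10 10.1.2.20 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK"),
    ("aws", "2 123456789012 eni-0a1b 10.1.2.20 10.1.2.30 50000 5432 6 20 4000 1700000000 1700000060 ACCEPT OK"),
    ("azure", "1700000000,10.2.0.5,10.1.2.20,51000,443,T,O,A,B,10,900,8,700"),
]
CURRENT_WINDOW = [
    ("aws", "2 123456789012 eni-0a1b 10.1.2.10 10.1.2.20 49153 443 6 10 840 1700003600 1700003660 ACCEPT OK"),
    ("aws", "2 123456789012 eni-0a1b 10.1.2.10 10.1.2.30 49154 5432 6 3 240 1700003600 1700003660 ACCEPT OK"),
    ("azure", "1700003600,10.2.0.5,10.1.2.40,51001,22,T,O,A,B,5,400,4,300"),
    ("azure", "1700003600,10.2.0.5,203.0.113.9,51002,443,T,O,A,B,5,400,4,300"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_aws(line):
    f = line.split()
    return (f[3], f[4], int(f[6]), f[12])          # src, dst, dst port, action

def parse_azure(line):
    f = line.split(",")
    return (f[1], f[2], int(f[4]), "ACCEPT" if f[7] == "A" else "REJECT")

PARSERS = {"aws": parse_aws, "azure": parse_azure}

def normalise(records):
    """One (src, dst, dport, action) tuple per record regardless of cloud."""
    return [PARSERS[cloud](line) for cloud, line in records]

def is_east_west(src, dst):
    """Both ends on private address space: internal traffic, whichever cloud hosts it."""
    return all(any(ipaddress.ip_address(a) in net for net in RFC1918) for a in (src, dst))

def build_baseline(records):
    """The 'normal': accepted east-west (src, dst, dport) pairs seen in the learning window."""
    return {(s, d, p) for s, d, p, act in normalise(records)
            if act == "ACCEPT" and is_east_west(s, d)}

def new_east_west(baseline, records):
    """Accepted internal pairs absent from the baseline, deduplicated, in first-seen order."""
    seen, alerts = set(), []
    for s, d, p, act in normalise(records):
        key = (s, d, p)
        if act == "ACCEPT" and is_east_west(s, d) and key not in baseline and key not in seen:
            seen.add(key)
            alerts.append(key)
    return alerts
```

On the sample data the web host's first direct connection to the database port and the cross-cloud SSH session are reported, while the repeat of a known pair and the outbound internet flow are not.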

6. Threat Response

A hybrid cloud invariably ends up with a large number of endpoints. Smart devices, workstations, web portals, routers, smartphones, IoT sensors and other devices add to the endpoint count. The attack surface increases with every endpoint. The best security protocols co-opt effective threat response mechanisms that cover all endpoints.

Deploy firewalls, antivirus suites and endpoint detection solutions at all ingress and egress points across the hybrid cloud environment. Configure the firewalls set up between environments for threat hunting.

Invest in AI-powered security analytics, to deliver security intelligence. Effective security depends on the ability to predict and preempt threats.

Deploy incident response orchestration to handle severe security threats with speed and agility.

Train the IT workforce to investigate and remediate threats. Make them understand how different environments interoperate.

Human error causes 95% of cloud breaches. Some human errors lead to major design flaws. But most of the human errors which lead to big breaches are basic configuration issues and unauthorized access.

A robust and secure cloud allows the business to respond quickly and flexibly to opportunities and challenges. Enterprises that do not adopt a strategic approach to cloud security, in addition to these basic precautions, miss the real value offered by cloud deployment.
