Companies are slowly joining the bandwagon of hybrid cloud adoption, but Gartner still estimates that it is three to five years away from going mainstream. Only 15 percent of enterprises have adopted it so far, although demand for hybrid cloud is estimated to be growing at a compound rate of 27% a year, outpacing overall IT market growth.
With all this in mind, organizations that have adopted, or plan to adopt, a hybrid cloud should put a few security practices in place to make sure their data and their customers’ data stays secure. The following should be regarded as security and implementation guidelines, with CIOs and CSOs having the flexibility to expand on them.
1. Define the criteria for storing data on-premise or in the cloud. Perform risk management.
When opting for a hybrid cloud solution, the first thing an organization needs to do is analyze the type of data it handles and evaluate how sensitive it is, both for the company and for its clients. Critical data, personal and private data, and data related to intellectual property must be stored on premise, with access to it restricted to authorized personnel only.
“Business people need to understand the psychology of risk more than the mathematics of risk.” - Paul Gibbons
2. Keep your cloud private.
Organizations that handle sensitive or confidential data, or data related to intellectual property, need to make sure their private cloud infrastructure remains private. In particular, no one outside the local network should be able to access that data, and only vetted, authorized personnel should handle it. The private cloud needs to be completely isolated from public internet access so that attackers cannot reach the data remotely by exploiting security vulnerabilities.
“Cloud computing is a challenge to security, but one that can be overcome.” - Whitfield Diffie
3. Be mindful of geographical jurisdiction and data handling and storage laws
When choosing a cloud service provider, it’s vital that the datacenter physically resides in a region or country whose data handling and storage legislation is favorable to your company’s business interests. Any datacenter, regardless of the data it stores, falls under the local data privacy and protection laws of the country it is built in. Consequently, any company that plans to use a cloud service provider with datacenters outside its own borders should read and abide by the data protection laws governing that country or region. Otherwise, the organization risks judicial repercussions that could involve both financial and reputational damage.
“In law, nothing is certain but the expense.” - Samuel Butler
4. Perform a due diligence report on the cloud service provider and stipulate damages.
When choosing a cloud service provider, it’s imperative that a due diligence report be executed to assess both the provider’s capacity to serve the client’s needs and its ability to recover from technical accidents (e.g. power outages, data corruption, hardware failures) and natural causes (e.g. earthquakes, fire hazards). This guarantees business continuity for your organization, and helps draft and enforce the emergency procedures that need to be set in place as soon as such accidents occur.
“Expect the best, plan for the worst, and prepare to be surprised.” - Denis Waitley
5. Encrypt data both locally and in transit
Any data transfer between the client and the cloud service provider needs to be encrypted to avoid man-in-the-middle attacks that could intercept and decipher all transmitted data. More than that, any data stored locally or in the cloud should also be encrypted, so that cybercriminals cannot read it in case of a data breach or unauthorized access.
“Security is always excessive until it's not enough.” - Robbie Sinclair, Head of Security, Country Energy, NSW Australia
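The in-transit half of this tip usually fails in integration scripts that silently disable certificate verification, which is exactly what makes interception possible. The following added example (not code from the original article) builds a hardened TLS client context for an on-premise system talking to a cloud provider and audits any context for the weaknesses that matter; the `ca_bundle` path is an assumed input, and the weak context is a constructed illustration of the common mistake.

```python
import ssl

# Added example (not from the original article): build a hardened TLS client
# context for traffic between an on-premise system and the cloud provider, and
# audit an arbitrary context for the settings that make interception possible.

MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context(ca_bundle=None):
    """Return an SSLContext that verifies the server certificate and hostname
    and refuses anything older than TLS 1.2. `ca_bundle` (assumed path to the
    organisation's CA file) is optional; the system trust store is used otherwise."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = MIN_TLS
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context():
    """A deliberately weak context, constructed to show the typical
    'verify=False' shortcut: it accepts any certificate from anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate (check_hostname=False)")
    if ctx.minimum_version < MIN_TLS:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "OK")
```

`audit_context` can be run over every context an application creates (for example in a test suite) so that a disabled verification setting is caught before the code ships, rather than discovered after traffic to the provider has been intercepted.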
6. Back up cloud data
To guarantee business continuity, organizations should have backup and recovery mechanisms, preferably in remote physical or virtual locations different from the current cloud service provider, to minimize damage from errors or natural disasters.
"Information is eternal, computers are ephemeral, backup is the savior." - William R. Stanek
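A backup only counts once a restore has been shown to reproduce the original data, so a recovery mechanism needs an integrity record taken at backup time and a restore test against it. This added example (not code from the original article) builds a SHA-256 manifest for a set of objects and reports what a restored copy is missing, has corrupted, or has gained; the objects are in-memory byte strings constructed for the illustration, standing in for files or object-store blobs.

```python
import hashlib

# Added example (not from the original article): integrity manifest for a
# backup set plus a restore check against it. Objects are {path: bytes}
# dictionaries constructed for the illustration.


def build_manifest(objects):
    """objects: {path: bytes}. Returns {path: sha256 hex digest}, to be stored
    separately from the backup itself (ideally with a different provider)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in objects.items()}


def verify_restore(manifest, restored):
    """Compare a restored set of objects to the manifest taken at backup time.
    Returns {'missing': [...], 'corrupted': [...], 'unexpected': [...]};
    empty lists everywhere mean the restore test passed."""
    restored_manifest = build_manifest(restored)
    missing = sorted(p for p in manifest if p not in restored_manifest)
    unexpected = sorted(p for p in restored_manifest if p not in manifest)
    corrupted = sorted(
        p for p in manifest
        if p in restored_manifest and restored_manifest[p] != manifest[p]
    )
    return {"missing": missing, "corrupted": corrupted, "unexpected": unexpected}


def restore_ok(manifest, restored):
    """True only when nothing is missing, corrupted or unexpected."""
    return not any(verify_restore(manifest, restored).values())


# Constructed sample data: what the primary system held when the backup ran.
PRIMARY = {
    "customers/2024-05.csv": b"id,name\n1,Alice\n2,Bob\n",
    "config/app.yaml": b"region: eu-west\nreplicas: 2\n",
}

# Constructed sample of a bad restore: one object silently truncated, one absent,
# and a stray object that was never part of the backup set.
BAD_RESTORE = {
    "customers/2024-05.csv": b"id,name\n1,Alice\n",
    "tmp/leftover.log": b"...",
}

if __name__ == "__main__":
    manifest = build_manifest(PRIMARY)
    print("clean restore:", verify_restore(manifest, PRIMARY))
    print("bad restore:  ", verify_restore(manifest, BAD_RESTORE))
```

Running the restore test on a schedule, against a copy pulled from the secondary location rather than from the primary provider, is what turns "we have backups" into "we can recover".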
7. Use secure and multiple authentication mechanisms
Accessing any type of data, whether it’s stored in the private or public cloud, needs to be done via multiple authentication mechanisms. These should involve a lot more than just user names and passwords. For access to critical data, two-factor or even biometric authentication could be set in place for additional control, authorizing only qualified and accepted personnel.
“Authentication is something you have, something you know, and something you are when you add biometrics. I think right now users see [authentication methods] as separate items. The technology is there, but the idea is not.” - Charles Kolodgy
8. Limit the number of employees who can access sensitive data
Only authorized personnel should be able to access critical and sensitive data, and only by adhering to strict security protocols and advanced authentication mechanisms. Besides two-factor authentication, even two-man authentication could be set in place for critical systems, similar to financial institutions where large transactions need to be authorized by two or more individuals.
“No matter how secure a target, the user is always the weakest link.” - Jim Guckin
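Tips 7 and 8 together describe a policy that can be written down as a single authorization check: critical data needs more than one factor, and privileged actions on it need a second, distinct, authorized person. The following added example (not code from the original article) encodes that policy; the data classes, factor names and the set of privileged actions are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field

# Added example (not from the original article): an authorization check that
# enforces, for data classified as critical, more than one authentication
# factor and a second, distinct approver for privileged actions (the
# "two-man" rule). Class names, factor names and the action list are assumed.

CRITICAL_CLASSES = {"critical", "pii", "intellectual-property"}
PRIVILEGED_ACTIONS = {"export", "delete", "change-permissions"}


@dataclass
class AccessRequest:
    user: str
    resource_class: str            # e.g. "public", "internal", "critical"
    action: str                    # e.g. "read", "export"
    factors: set                   # factor types presented, e.g. {"password", "totp"}
    authorized_users: set          # allow-list for this particular resource
    approvers: set = field(default_factory=set)  # users who co-signed the request


def authorize(req: AccessRequest):
    """Return (allowed, reason). Every applicable rule must pass."""
    # Rule 0: the allow-list is enforced for every class of data.
    if req.user not in req.authorized_users:
        return False, "user is not on the allow-list for this resource"
    if req.resource_class not in CRITICAL_CLASSES:
        return True, "non-critical data: standard access rules apply"
    # Rule 1: a password alone is never enough for critical data.
    if len(req.factors) < 2:
        return False, "critical data requires at least two authentication factors"
    # Rule 2: privileged actions need a second, different, authorized person.
    if req.action in PRIVILEGED_ACTIONS:
        others = {a for a in req.approvers if a != req.user}
        if not others & req.authorized_users:
            return False, "privileged action requires approval from a second authorized user"
    return True, "all rules satisfied"


if __name__ == "__main__":
    allow = {"alice", "bob"}
    print(authorize(AccessRequest("alice", "critical", "read", {"password"}, allow)))
    print(authorize(AccessRequest("alice", "critical", "export", {"password", "totp"}, allow, {"alice"})))
    print(authorize(AccessRequest("alice", "critical", "export", {"password", "totp"}, allow, {"bob"})))
```

The check deliberately returns a reason with every decision: logging the denial reason is what lets an incident responder distinguish a forgotten second factor from an attempt to self-approve an export.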
9. Prevent DDoS attacks
Distributed Denial of Service (DDoS) attacks can limit or sometimes even completely disrupt cloud services. Consequently, organizations need to implement systems that can automatically manage and handle DDoS attacks to ensure business continuity even while under fire from such attacks. Constantly monitoring network traffic to identify anomalies and inconsistencies is also considered good practice.
“We’ve seen over time [street] protests in cities that shut down traffic, and this is not dissimilar in the online world.” - Howard Schmidt
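The monitoring half of this tip can start very simply: bucket requests into fixed time windows and compare each window against what came before. This added example (not code from the original article) does that over constructed access-log lines, flagging a window whose volume jumps far above the baseline and a single source that dominates a window; the log format, sample lines and thresholds are assumptions for the illustration and would be tuned per environment.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Added example (not from the original article): a window-based rate monitor
# over access-log lines. Format assumed: "<ISO timestamp> <source> <method> <path> <status>".
# Sample lines and thresholds are constructed for the illustration.

BASELINE = [
    "2024-05-01T10:00:01 203.0.113.5 GET /login 200",
    "2024-05-01T10:00:04 198.51.100.7 GET /index 200",
    "2024-05-01T10:00:12 192.0.2.9 GET /api/items 200",
    "2024-05-01T10:00:31 203.0.113.5 GET /api/items 200",
    "2024-05-01T10:00:45 198.51.100.7 GET /index 200",
    "2024-05-01T10:00:58 192.0.2.9 GET /logout 200",
]
NORMAL_10_01 = [
    "2024-05-01T10:01:03 198.51.100.7 GET /index 200",
    "2024-05-01T10:01:17 192.0.2.9 GET /api/items 200",
    "2024-05-01T10:01:29 203.0.113.5 GET /login 200",
    "2024-05-01T10:01:41 192.0.2.9 GET /api/items 200",
    "2024-05-01T10:01:55 198.51.100.7 GET /index 503",
]
# Constructed flood: one source fires 30 requests inside the 10:01 window.
FLOOD = [f"2024-05-01T10:01:{i:02d} 203.0.113.77 GET / 503" for i in range(30)]
NORMAL_10_02 = [
    "2024-05-01T10:02:08 198.51.100.7 GET /index 200",
    "2024-05-01T10:02:20 192.0.2.9 GET /api/items 200",
    "2024-05-01T10:02:33 203.0.113.5 GET /login 200",
    "2024-05-01T10:02:50 192.0.2.9 GET /logout 200",
]
SAMPLE_LINES = BASELINE + NORMAL_10_01 + FLOOD + NORMAL_10_02


def parse_line(line):
    ts, src, _method, _path, _status = line.split()
    return datetime.fromisoformat(ts), src


def window_start(ts, window):
    """Floor a timestamp to the start of its `window`-second bucket."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    offset = int((ts - midnight).total_seconds()) // window * window
    return midnight + timedelta(seconds=offset)


def detect_anomalies(lines, window=60, rate_factor=5.0, source_share=0.5, min_requests=20):
    """Return a list of alerts. A window is a "volume" anomaly when its request
    count exceeds rate_factor times the median of the preceding windows; a
    source is flagged when it alone sends more than source_share of a window's
    requests. Both checks ignore windows below min_requests to avoid noise."""
    buckets = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        ts, src = parse_line(line)
        buckets[window_start(ts, window)][src] += 1

    alerts, history = [], []
    for start in sorted(buckets):
        counter = buckets[start]
        total = sum(counter.values())
        if history and total >= min_requests and total > rate_factor * statistics.median(history):
            alerts.append(("volume", start.isoformat(), total))
        if total >= min_requests:
            src, n = counter.most_common(1)[0]
            if n / total > source_share:
                alerts.append(("source", start.isoformat(), src))
        history.append(total)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LINES):
        print(alert)
```

A real deployment would feed these alerts to whatever automatically rate-limits or diverts traffic, and the two signals are worth keeping separate: a volume spike with no dominant source is the distributed case that per-IP blocking alone will not absorb.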
10. Create, define, and implement fast security response procedures
Companies need to define a set of procedures and rules for handling security incidents, which all stakeholders must abide by. These must cover techniques and methods for identifying, isolating and remedying security breaches. After any security incident, it’s mandatory to evaluate the impact it had on both the company and its infrastructure, as well as to apply the new and necessary security mechanisms for preventing those types of breaches or vulnerabilities.
“Have your incident response plan reviewed regularly and have it updated frequently.” - Koen Van Impe