Hybrid Clouds pose new security challenges

The bad news is that there is no silver bullet on how to fully accomplish security in a hybrid Cloud

If 2013 is the year enterprises begin implementing their hybrid cloud strategies, as the experts are predicting, then it follows that this will also be the year when hybrid Cloud security takes center stage.

According to analysts, industry watchers and security practitioners, the bad news is that there is no silver bullet on how to fully accomplish security in a hybrid cloud.

That's because there are so many facets to hybrid cloud security; there's the issue of how to secure on-premise data center resources, how to secure applications that burst to the public cloud, how to secure data stored with multiple cloud service providers, how to protect the virtualized underpinnings of your public and private clouds, and finally how to secure mobile devices that connect to your cloud infrastructure.

If that's not daunting enough, another reason why there isn't a one-size-fits-all solution is that the definition of hybrid cloud is open to interpretation.

And every company has a different comfort level when it comes to security in general and cloud security in particular. One company's game plan for keeping a minimum set of operations under lock and key inside the on-premise data center or a virtual private cloud, while pushing batch processing or user front-end processes to the public cloud might be another IT department's worst nightmare.

"Every hybrid cloud implementation is unique and that makes securing them a moving target," says Dave Asprey, vice president of cloud security at security management vendor Trend Micro. Asprey subscribes to the notion of ambient clouds, essentially the idea that enterprise customers are going to move toward a distributed cloud model where they employ multiple cloud providers - each replaceable based on use case, price and availability.

"I don't necessarily think the types of threats against the ambient cloud is up from those used against traditional data center or private cloud schemes, but the potential risks against the data running across these distributed cloud certainly is," Asprey says.

Security strategies that work

The good news is that enterprises already employing defense-in-depth practices across their existing networks can apply those same tenets within a hybrid cloud security management strategy.

The caveat here, though, is that IT management must commit to a whole lot of advance planning and prepare their staffs for a bit of technological tweaking of their security policy and gear before the hybrid cloud goes live (see story on hybrid cloud implementer tips and tricks).

"Typically in this industry the adoption of any technology happens well before security considerations surrounding it are fully addressed," says Gary Loveland, a principal in PricewaterhouseCoopers' advisory practice and head of the firm's global security practice.

With hybrid cloud, Loveland says, clients are being clearer about the security requirements up front and are forcing cloud service providers to be more prepared to have solid answers on topics ranging from defining and ensuring multi-tenant boundaries to PCI and FISMA compliance and auditing capabilities.

Industry guidelines can help

The Cloud Security Alliance in 2011 established the CSA Security, Trust & Assurance Registry, a free, publicly accessible registry that documents the security controls provided by various cloud service providers. The registry, for which vendors supply the information about their own products, is designed to help users assess the security of cloud providers they currently use or are considering contracting with in the future. To date, the registry contains information about 20 providers.

The underlying problem, Loveland says, is that enterprises have to mature enough in their use of virtual technology and cloud services management to take advantage of the higher security offerings.

Jeff Spivey, international vice president of ISACA, an association of IS professionals dedicated to the audit, control, and security of information systems, and vice president of mobile security vendor RiskIQ, concurs. He sees all too often that enterprise IT assumes that once they hand off their operations to a cloud provider, the latter then assumes sole responsibility for security.

"Not true, it's at that point that IT needs to become even more diligent about implementing sound security across their clouds," Spivey says.

He pointed to COBIT 5.0, the newest version of ISACA's framework for governance and management of enterprise IT, which outlines IT control objectives for cloud computing in general, as a strong guideline for how to implement hybrid security.

As hype surrounding cloud computing continues to grow, IT departments are being pressured by management to seize some of the cloud's promised economic benefits. But it's IT's job to make sure they are not risking the farm in order to go into the cloud to see those benefits.

In fact, computer scientists at the University of Texas in Dallas have devised an algorithm that can help companies develop a risk-aware hybrid cloud strategy.

According to one of the researchers, Dr. Murat Kantarcioglu, the scheme is an efficient and secure mechanism to partition computations across public and private machines in a hybrid cloud setting (see the paper).

Kantarcioglu and his colleagues have set up a framework for distributing data and processing in a hybrid cloud in which the conflicting goals of performance, sensitive data disclosure risk and resource allocation costs are weighed and balanced.

The technology is implemented as an add-on tool for a Hadoop and Hive based cloud computing infrastructure and the team's experiments demonstrate that using it can lead to a major performance gain by exploiting hybrid cloud components without violating any pre-determined public cloud usage constraints.

Having to think about how hybrid cloud operations fit into a company's overall information security management scheme could help IT departments reset the appropriate level of security for the processes across the entire enterprise, argues Pat O'Day, CTO at Bluelock, a VMware based cloud service provider in Minneapolis.

"We now get to think about how to set the right level of security on an application-specific, a process-specific or even a data-specific basis," says O'Day, a condition that gives enterprises a lot of leeway in terms of where they want to spend resources on security.

Rand Wacker, vice-president of products for CloudPassage, a cloud server security vendor, suggests customers take the strictest security scenario - most likely pertaining to hybrid cloud usage because there are direct links between the public cloud and on-premise resources - and set the most stringent security policy for that level of risk.

ISACA's Spivey advises clients that whatever security policy they establish, they must be sure that it is portable. "Don't lock your policy to your cloud provider," Spivey says. There will be a time down the road where you will want to migrate away from them for either price or performance reasons and you don't want to have to rethink your whole security policy to make the switch, he says.

Burns is a freelance writer. She can be reached at cburns1227@gmail.com.
