Cloud security tips and tricks

Securing hybrid clouds one step at a time

Users and security consultants familiar with the process of securing hybrid clouds have one steady piece of advice to offer: the only way to go is one step at a time.

"Managing hybrid security is a matter of setting policy across all of the security touch points IT is already used to managing. It's about being consistently diligent at every turn," says Joe Coyle, CTO of IT consultancy giant Capgemini North America.


Coyle advises clients to regard their hybrid cloud usage as an extension of their network perimeter. "You have to tweak firewall policy, watch IDS traffic more carefully, employ encryption, set up multiple levels of authentication for management access and demand high levels of physical security at providers' sites," Coyle says.

[CLOUD SECURITY: Hybrid clouds pose new security challenges | 12 hybrid security products to watch]

In terms of securing the link between your data center (virtualized as a private cloud or not) and the provider's cloud, you can go with a direct route or establish a tunnel. Garrett Leap, CTO at Direct Insite, a company that delivers on-demand accounts payable and accounts receivable solutions to more than 100,000 corporations across 100 countries, says his company went for a 100MB direct fiber connection, both for the increased security it offers and because one of the company's data centers was already colocated at Terremark's Miami facility.

Direct Insite now hosts its customer-facing front end in the cloud, while all of the client data is hosted and processed in the company's colocated data center. Direct Insite's Leap says knowing that Terremark's virtualized data centers were already rated as Tier IV meant there was a very high comfort level in terms of who has physical access to the servers there.

To secure the direct link, Direct Insite uses a Cisco ASA box. "We only let what we want to come in and we don't let any data out that should not be allowed out," Leap says.

On top of the physical layer security defined by locked server cages and things of that nature, security consultant Joel Snyder of Opus One in Tucson, Ariz., says it's also crucial for customers to understand the provider's access control mechanism for management of those servers.

"These carriers have all the tools to make sure the ankle biters out on the Internet keep away from your data but have they guarded against having one of their guys being bribed by your competitor to pull down all of your sales data?" asks Snyder.

Snyder says companies looking to build hybrid clouds should demand from their service providers proof of two-factor authentication for all server management purposes.

And they should demand that all of the security parameters of the hybrid deployment be manageable from the same pane of glass, says Kevin Jackson, vice president and general manager of NJVC, an IT consultancy catering to highly secure government clients. Jackson contends that unified management is going to be even more necessary as customers evolve to use multiple cloud service providers in the future. He suggests that customers look to cloud service brokerages to provide those management links.

Every practitioner interviewed for this story said that employing encryption in a hybrid cloud is a no-brainer decision, both for data at rest and for data in motion. But one of the major issues with encryption in a hybrid situation is where to hold the key: data, and access to that data, can be spread across both places, and routine security practice dictates that you don't store the keys where the data resides.

Segal McCambridge, a Chicago-based law firm, opted to go with maintaining its own keys and storing the data for its hybrid applications on Nasuni's cloud-based storage offering.

[ALSO: 2013: The year of the hybrid cloud]

The firm's CTO, Matt Donehoo, explains that all of his firm's litigation files stored electronically must be managed in a way that guarantees absolute defensibility in a court of law - anything else would render it inadmissible. By design, the Nasuni storage controller installed at Segal McCambridge's site fully encrypts any data or metadata that leaves a customer's office and keeps that data encrypted both on the wire and at rest in the Nasuni cloud.

The customer controls the keys to the encrypted data, by design. From there it's up to the enterprise to pick whether to employ a key management product on premises or use a third-party key management service.
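The pattern described in the two paragraphs above (encrypt on site before anything leaves the office, keep the keys with the customer, and give the provider only ciphertext) can be shown in a few dozen lines. The following is an added illustration written for this article; it is not Nasuni's code or a product API. The `KeyStore`, `CloudStore` and `Controller` types, the key ID `litigation-2013` and the object name `case-42/notes.txt` are all constructed for the example. It uses AES-GCM from the Go standard library, binds the object name as associated data, and shows that a stored blob never contains the plaintext, that the ciphertext cannot be opened without the customer's key store, and that any change to the stored bytes is detected on read, which is the property a firm worried about defensibility actually depends on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for the customer's key manager (on premises or a
// third-party key service). It is the only place key material ever lives.
// Constructed for this example; not a real product API.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: make(map[string][]byte)} }

// NewKey generates a random 256-bit AES key under the given ID.
func (ks *KeyStore) NewKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[id] = k
	return nil
}

// StoredObject is everything the provider ever receives: a key ID (an opaque
// label, not key material), a nonce, and the AES-GCM ciphertext with its
// authentication tag appended.
type StoredObject struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// CloudStore stands in for the provider's object storage.
type CloudStore struct{ objects map[string]StoredObject }

func NewCloudStore() *CloudStore { return &CloudStore{objects: make(map[string]StoredObject)} }

// Controller models the on-site gateway: it encrypts before anything leaves
// the office and decrypts only on the way back in.
type Controller struct {
	keys  *KeyStore
	cloud *CloudStore
}

func (c *Controller) gcmFor(keyID string) (cipher.AEAD, error) {
	key, ok := c.keys.keys[keyID]
	if !ok {
		return nil, errors.New("key not held locally: " + keyID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext under keyID and hands only ciphertext to the cloud.
// The object name is bound as associated data, so a ciphertext cannot be
// silently moved into another object's slot.
func (c *Controller) Put(name, keyID string, plaintext []byte) error {
	gcm, err := c.gcmFor(keyID)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	c.cloud.objects[name] = StoredObject{KeyID: keyID, Nonce: nonce, Ciphertext: ct}
	return nil
}

// Get fetches the object and decrypts it; any modification of the stored
// bytes, or a key that does not match, makes Open fail.
func (c *Controller) Get(name string) ([]byte, error) {
	obj, ok := c.cloud.objects[name]
	if !ok {
		return nil, errors.New("no such object: " + name)
	}
	gcm, err := c.gcmFor(obj.KeyID)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(name))
	if err != nil {
		return nil, errors.New("integrity check failed for " + name)
	}
	return pt, nil
}

// ProviderSeesPlaintext is the provider's-eye check: does the stored blob
// contain the plaintext in the clear? For a non-empty plaintext it is false.
func ProviderSeesPlaintext(cloud *CloudStore, name string, plaintext []byte) bool {
	obj, ok := cloud.objects[name]
	return ok && bytes.Contains(obj.Ciphertext, plaintext)
}

// Tamper flips one bit of a stored ciphertext, modelling corruption or
// modification on the provider side. Returns false if the object is absent.
func Tamper(cloud *CloudStore, name string) bool {
	obj, ok := cloud.objects[name]
	if !ok || len(obj.Ciphertext) == 0 {
		return false
	}
	obj.Ciphertext[0] ^= 0x01 // slice shares its backing array with the map entry
	return true
}

func main() {
	ks := NewKeyStore()
	_ = ks.NewKey("litigation-2013")
	cloud := NewCloudStore()
	ctl := &Controller{keys: ks, cloud: cloud}
	_ = ctl.Put("case-42/notes.txt", "litigation-2013", []byte("privileged: deposition notes"))
	pt, err := ctl.Get("case-42/notes.txt")
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	Tamper(cloud, "case-42/notes.txt")
	_, err = ctl.Get("case-42/notes.txt")
	fmt.Println("after tamper:", err)
}
```

The split between `KeyStore` and `CloudStore` is the whole point: the provider's side holds a key label, never the key, so bribing or compromising someone on that side yields ciphertext only, and the customer decides separately whether the key store is an appliance on premises or a third-party key service.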

The second layer of security that comes into play for virtualized networks, whether private, public or a combination of both, is virtual machine security.

"Sometimes the enterprise security team doesn't have a say in how virtual machines get spun up within a provider's cloud. But they should, because that is a fundamental point of security in the cloud. You want to push to make sure your security policy travels with your virtual image no matter where it is running," says Rand Wacker, vice president of products for CloudPassage, a cloud server security vendor.

NJVC's Jackson says Intel's Trusted Execution Technology (TXT) could help IT departments in the near future with the basic issue of being able to trust the servers running your applications in the cloud. TXT is a hardware-based security measure built into all Intel Xeon servers which is designed to detect and prevent BIOS attacks and evolving forms of stealthy malware, such as rootkits.

The main benefit, Jackson says, is an understanding that your virtual instances will be spinning up on a trusted machine.

Stories by Christine Burns