While AI is taking the world by storm, the gold at the end of the rainbow for many CIOs follows digital transformation initiatives that lower operational costs and transition legacy systems to virtual environments on private and public clouds.
In a hybrid model, consumer websites and development environments run applications in privately controlled data centers while also drawing on the compute, network and storage resources of public cloud service providers (CSPs), better known as infrastructure-as-a-service (IaaS) providers. Attracted by the flexibility and cost savings, businesses use this "cloud bursting" pay-as-you-go model for high-volume data processing, load balancing and redundancy, avoiding downtime during peak demand, such as a holiday selling period.
But, for many organizations, connecting private and public clouds, whether over the internet or a dedicated network connection, isn't that simple. Business transitions, incompatible technology environments and rapid changes in dynamic public cloud services all create hybrid cloud security challenges.
A single hybrid cloud has become multiple clouds, said Mark Buckwell, executive cloud security architect at IBM, during last April's RSA Conference. It's not unusual for organizations to run Microsoft Active Directory as a managed service on AWS and connect it to on-premises workloads, he told the audience during a session called "Architecting Security for Regulated Workloads in Hybrid Cloud."
"They still don't want to move the crown jewels of the organization off premise into cloud," Buckwell said, "so we end up integrating different parts of an application with different components, sitting on different technologies ... and this seems to be the way the world is going. And that just makes the whole solution a lot more complex because now we have data flowing in all sorts of different places." The result, he added, is different policies, depending on the technology and cloud provider, as well as a potential "split of responsibilities" among the cloud provider, other third parties and the organization.
Legacy systems might work with some public cloud services and not others. Security teams need to ensure on-premises security controls and processes coexist with native-cloud technologies to meet business and compliance requirements.
The "SANS 2022 Multicloud Survey" of IT professionals reported that 86% of respondents said their organizations used services from multiple cloud providers and 28% used private cloud for at least one-fourth of their compute workloads. "You're juggling clouds, each from a different vendor, wanting flexibility and the best tools," said the survey's co-author, Kenneth Hartman, owner of Lucid Truth Technologies, a digital private investigation agency and forensic consulting firm. "Sounds cool, right? But there's a catch, like a security gremlin hiding in each cloud. That gremlin is complexity."
Organizations need a centralized security architecture and governance to keep those "gremlins" in check, Hartman advised, without blowing the budget on fancy systems that just add to the complexity. It's critical to choose the right cloud providers and individual services, he added, "like picking trustworthy housemates who won't let just anyone in."
Companies focused on solving a business problem might lift and shift existing systems and controls to a CSP. And IT teams might be tasked with addressing tricky integration issues involving technology, protocols and standards after the hybrid cloud environment is up and running. Fixing these issues can cost more than addressing security and compliance upfront. "A weak spot for the cloud, [but] network security is improving," said Dave Shackleford, founder and principal consultant at Voodoo Security.
Fortune 1000 organizations used to bring their existing network security stack with them to meet regulatory requirements. Now, many of these companies use native firewall services and native logging and management tools. "We've done a good job of moving from A to B," noted Shackleford, a SANS instructor and analyst who serves on the institute's board of directors. Still, it's a struggle to find skilled personnel for even basic network security, like firewall administration. "Every tiny bit of processing costs money," he explained. "The expectation of security management is that [IT administrators] are comfortable doing cost optimization around these firewalls."
In theory, API tools and protocols enable web apps, containers and microservices to communicate securely with each other over the internet. In practice, securing APIs remains a major problem. In the SANS multi-cloud survey, 58.9% of respondents named "poorly configured or insecure APIs or interfaces" as their top concern. APIs expose an application's back-end logic, and often its sensitive data, which makes them prime targets for attackers, and many organizations have little visibility into which APIs they actually expose. A critical resource on API vulnerabilities is the OWASP (Open Worldwide Application Security Project) Top 10 API Security Risks -- 2023.
For most companies, security is ultimately about protection of sensitive data -- where it is, who has access to it and how it's used. Hybrid cloud deployments enable organizations to house sensitive data and applications on private clouds or on premises and take advantage of wider network infrastructure provided by public clouds for managed services, workload distribution and storage. Mapping data flows through these systems, ensuring traceability and understanding how the data is protected in transit and at rest are necessary for legal and regulatory compliance in financial services, healthcare and other industries. Encryption protects data privacy in communication and storage. With IaaS, organizations can specify the physical or geographic storage location, also known as data residency, where their digital data is stored and processed.
Security managers need to have visibility into all resources, systems and data in motion in their organization's hybrid cloud environment. Their number one concern is: "We don't know what is going on," Shackleford said. Better visibility can improve security and compliance. In addition to taking inventory, security teams should monitor all access attempts and configuration changes.
Security teams rely on application and network device logs, often forwarded over syslog, to monitor for anomalies and potential security events. IaaS providers are starting to offer native security analytics and security information and event management (SIEM) as a service through tools such as Amazon Detective, Microsoft Sentinel (formerly Azure Sentinel) and Google Chronicle. How do security teams figure out which data to collect for the SIEM and which data to leave behind?
"Let's say you get your security logs from a service within four hours of an event of interest. But something changes at the cloud service provider, and now, you're not getting the logs until 12 hours later," Hartman theorized. "Or what if the event never shows up at all?" Threat modeling in the cloud, which has more trust boundaries, can help, he said, adding, "Just make sure that your list of possible threats includes lack of visibility."
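Hartman's "lack of visibility" threat can be tested for rather than just listed. The following is an added example, not code from the article or from any vendor: a log-source health check that records, per feed, the delay between when an event happened at the provider and when it landed in the SIEM, and flags feeds whose delay exceeds the agreed delivery window, feeds that have gone quiet, and feeds that never delivered at all. The source names, SLA values and sample records are all constructed for illustration.

```python
"""Log-source health check: delayed, silent and missing feeds.

Added example, not from the article. Feed names, SLA thresholds and
sample records below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class LogRecord:
    source: str            # feed name, e.g. "aws-cloudtrail"
    event_time: datetime   # when the event happened at the provider
    ingest_time: datetime  # when the record arrived in our SIEM


@dataclass(frozen=True)
class SourceSla:
    max_latency: timedelta  # largest event->ingest delay we accept
    max_quiet: timedelta    # longest gap with no records before the feed is "silent"


# Assumed delivery expectations for three hypothetical feeds.
SLAS = {
    "aws-cloudtrail": SourceSla(timedelta(hours=4), timedelta(hours=6)),
    "azure-activity": SourceSla(timedelta(hours=4), timedelta(hours=6)),
    "onprem-fw": SourceSla(timedelta(minutes=15), timedelta(minutes=30)),
}


def check_sources(records, now, slas=SLAS):
    """Return {source: (status, worst_latency)} for every expected feed.

    status is one of:
      "missing" - no record from this feed at all
      "silent"  - records exist, but none arrived within max_quiet of `now`
      "delayed" - the feed is alive, but some record exceeded max_latency
      "ok"      - alive and within SLA
    """
    latest_ingest = {}
    worst_latency = {}
    for rec in records:
        if rec.source not in slas:
            continue  # feeds we do not expect are out of scope here
        latency = rec.ingest_time - rec.event_time
        worst_latency[rec.source] = max(
            worst_latency.get(rec.source, timedelta(0)), latency)
        latest_ingest[rec.source] = max(
            latest_ingest.get(rec.source, rec.ingest_time), rec.ingest_time)

    findings = {}
    for source, sla in slas.items():
        if source not in latest_ingest:
            findings[source] = ("missing", None)
        elif now - latest_ingest[source] > sla.max_quiet:
            findings[source] = ("silent", worst_latency[source])
        elif worst_latency[source] > sla.max_latency:
            findings[source] = ("delayed", worst_latency[source])
        else:
            findings[source] = ("ok", worst_latency[source])
    return findings


def sample_records():
    """Constructed records reproducing the three failure modes."""
    t0 = datetime(2024, 1, 15, 8, 0, tzinfo=UTC)
    return [
        # CloudTrail: one record within 4h, then one that took 12h to arrive.
        LogRecord("aws-cloudtrail", t0, t0 + timedelta(hours=3)),
        LogRecord("aws-cloudtrail", t0 + timedelta(hours=1), t0 + timedelta(hours=13)),
        # Firewall: arrived promptly, but nothing since 20:01.
        LogRecord("onprem-fw", t0 + timedelta(hours=12),
                  t0 + timedelta(hours=12, minutes=1)),
        # azure-activity: never shows up at all.
    ]


def run_check(now=None):
    """Evaluate the sample feed at a fixed 'now' (21:30 UTC the same day)."""
    now = now or datetime(2024, 1, 15, 21, 30, tzinfo=UTC)
    return check_sources(sample_records(), now)


if __name__ == "__main__":
    for source, (status, worst) in sorted(run_check().items()):
        print(f"{source:15s} {status:8s} worst latency: {worst}")
```

Run on a schedule against the SIEM's own ingest metadata, this turns "we never got the logs" into an alert of its own. The quiet threshold is deliberately separate from the latency threshold: a feed that is late but still flowing is a different incident from one that has stopped, and the first is usually the provider's problem while the second is often a broken collector or expired credential on the customer side.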
The chief information security officer (CISO) protects the company's information assets by setting up a security strategy, the policies that support it and an incident response capability. Mixed environments such as hybrid cloud architectures operate under a shared responsibility model, so each party's security responsibilities should be documented in contractual agreements with the service provider before an incident such as a data leak occurs. Suppliers further down the chain, a notorious source of risk, must meet the compliance requirements of both the service provider and the enterprise customer.
Companies focus on the resilience hybrid cloud offers, but "they don't have a cloud strategy," said Lisa McKee, co-founder of consultancy American Security and Privacy. "Where is the data going to go? Who is responsible for patching across these environments? Are access controls going to be outsourced?"
Where SaaS is in the mix, responsibility for application security is shared with the SaaS provider, but organizations might have only limited control over service configuration settings. In IaaS deployments, by contrast, organizations are accountable for platform and application security, while responsibility for configuring and securing the underlying infrastructure is shared. In every model, CSPs are responsible for securing their facilities and physical assets.
Responsibility for governance, risk and compliance is cross-functional at most organizations, ensuring that business activities align with the company's goals and industry regulations. Guidance is available in regulations and frameworks such as HIPAA, the Payment Card Industry Data Security Standard, the Federal Risk and Authorization Management Program, ISO standards and NIST SP 800-53.
CISOs need to align standards and frameworks with overall business and cybersecurity strategies. These efforts will come under the spotlight with the Securities and Exchange Commission's (SEC) new cybersecurity rules. Public companies must report "material cybersecurity incidents" on Form 8-K within four business days of determining that an incident is material, and must describe board oversight, cybersecurity policies and procedures in annual reports (10-K and others). In an unprecedented move, the SEC sued SolarWinds, maker of the Orion IT management software used by government agencies, alleging that the company and its CISO, who is named in the lawsuit, misled and defrauded investors by failing to disclose known security weaknesses ahead of the Orion supply chain compromise, attributed to Russia-backed hackers, which began in 2019 and was disclosed in December 2020.
With SEC reporting kicking in, AWS in November introduced a Cyber Insurance Competency under which partner insurers can quantify a customer's risk using the findings in that customer's AWS Security Hub. "This may be a tipping point of an ecosystem of cloud that we never saw coming," Shackleford said.
As hybrid cloud security challenges increase network complexity, CISOs and CIOs face resource cuts. Of the nearly 15,000 IT professionals surveyed in the global 2023 "ISC2 Cybersecurity Workforce Study," 47% said their organizations faced budget constraints. Respondents ranked cloud computing (35%) as the number one skills gap in their security teams, followed by AI and machine learning (32%) and zero-trust implementation (29%).
"The cloud security and operations professionals of today must be able to do so much more than plug in and configure a hardware device," Hartman said. "They need to be very comfortable with infrastructure code up to and including being able to read and write it. They must also have a good grasp of the principles of cloud security architecture and identity and access management systems -- someone who can roll up their sleeves and dive into the details yet keep the big picture in mind."
Organizations need to update their security strategies and design models to better manage their cloud infrastructures, including the following:
Kathleen Richards is a freelance journalist and industry veteran. She's a former features editor for TechTarget's Information Security magazine.
8 Hybrid Cloud Security Challenges and How to Manage Them - TechTarget