Hybrid cloud model benefits and risks

Modern infrastructures need a different and broader approach to cloud computing: private cloud offers a higher level of security and privacy, but it requires the same staffing and operations as a traditional datacenter; public cloud, on the other hand, is convenient, scales quickly and has a wider portfolio of ready-to-go services, but it doesn’t offer the same control over sensitive data.

With hybrid cloud models, organisations are able to leverage a combination of on-premises infrastructure, private cloud and public cloud services. This model can provide greater flexibility, high scalability and more control over sensitive data. But due to its intrinsic complexity and the lack of real industry standards, it also introduces some potential new risks in terms of cyber security, for example:

  • data security: data may be stored and processed in multiple locations, which can make it more challenging to ensure that data is always secure at rest and in transit and to prevent unauthorised access;
  • compliance: as data may be subject to legal and regulatory requirements depending on where it is stored and processed, it can be more difficult to ensure full compliance and to monitor it over time;
  • integration: the integration of different environments, based on different technologies and standards, can be complex and can introduce security vulnerabilities in the design or implementation phases;
  • visibility and monitoring: in a highly distributed and heterogeneous environment it can be challenging to monitor and detect security threats.

Cyber Security as a design pattern and shared responsibility with the Cloud Service Provider

In order to mitigate all these new categories of risks, it is key for an organisation to implement strong security measures and to adopt cybersecurity standards starting from the planning and design phase, building into every component, for example, robust access controls, data encryption, and continuous monitoring and alerting systems.

Adopting hybrid cloud models requires not only new technical capabilities but also a significant change of mindset in terms of responsibilities and procedures.

With hybrid cloud environments, as we discussed, organisations can effectively have more control over processes and data, but it becomes important for them to fully understand the shared responsibility model between the organisation itself and the Cloud Service Provider: despite what some organisations believe, security is not handled entirely by the Cloud Provider.

This can often lead to misunderstandings about configuration management and expose data and applications to unexpected security risks.

“What we’ve observed during our investigations is also a lot of misconfiguration in the cloud, and it’s coming back to the lack of skills, and ability for the people to really understand what they are doing. They are just clicking ‘next’, and they are not really looking at what they’re doing. At the end of the day, they might expose interesting information for the attacker,” says David Grout, EMEA CTO at Mandiant, a recognized leader in dynamic cyber defence, threat intelligence and incident response services, now part of Google Cloud.

According to Gartner:

  • through 2025, 90% of the organisations that fail to extensively control their public cloud use will inappropriately share sensitive information and data;
  • through 2024, the majority of enterprises will continue to struggle with appropriately measuring cloud security risks;
  • through 2025, 99% of cloud security failures will be the customer’s fault.

That cyber risks are growing, and that organisations are finally taking measures to secure and protect their infrastructure, is also visible in the momentum of the cloud security market, with an estimated growth at a CAGR of 15.7% during 2022-2028, moving from US$ 48.57 billion in 2022 to US$ 116.25 billion by 2028.

Which solutions are available

As we have discussed, securing hybrid cloud environments is challenging for multiple reasons, first of all their distributed and heterogeneous nature, together with the absence of technological standards.

There are, however, commonly accepted best practices in the industry that organisations can embrace when planning to adopt a hybrid cloud model:

  • network: carefully plan the network topologies and the connections between the different environments. The security team should be an active part of the design phase, and particular focus should be put on preventing lateral movement (the process by which attackers try to gain access from an entry point to the rest of the network);
  • secrets: implement specific solutions for the management of secrets (credentials, certificates, keys, passwords, etc.) and set up procedures to rotate certificates and secrets regularly;
  • vulnerability assessment: continuously perform automatic vulnerability assessment of the environments, scan containers and server images for vulnerabilities and introduce DevSecOps principles in the CI/CD pipelines;
  • Zero-Trust: implement a Zero-Trust approach for applications, environments and tools;
  • automation: leverage automation and introduce IaC principles for the deployment and change management of all the environments;
  • IAM: centralise identity and access management and implement policies on roles and groups to allow your user base to grow with low impact on the operations;
  • SIEM/SOAR: implement a centralised logging system to avoid micromanagement on the different components of the environment, audit logs and evaluate the usage of tools or services to implement a SOAR model.

Conclusions

We briefly analysed the advantages of the hybrid cloud model in modernising infrastructures and processes; as in every disruptive transformation of well consolidated models, the new hybrid model brings new challenges in the integration processes and in the management of the operations, with a specific focus on cyber security.

Cyber risk management for hybrid infrastructures requires a new approach compared to the one organisations are used to adopting in traditional infrastructures and on the public cloud.

Therefore, a new fluid and agile management model becomes essential: based on a Zero-Trust approach and automation, it has to be as open as possible to embrace all the different technologies available and the related formats.

However, it is important to note that none of these best practices is a silver bullet or is a substitute for other cybersecurity measures. While Zero-Trust and automation can be great tools for managing cyber risk in a hybrid cloud environment, they should be implemented as part of a more comprehensive and proactive cybersecurity strategy that should be extended also outside of the traditional IT department by spreading a security culture and awareness in the whole organisation.


Riccardo Fabbri, co-founder and CTO @ Nohup
