Hybrid cloud adoption is expected to gain massive traction by 2020, as organisations realise the financial and operational benefits, according to a Gartner report. The report estimates that over 30 percent of new software investments of the 100 largest vendors will focus on cloud-only, shifting from cloud-first.
Hybrid infrastructures are not without security challenges, as 50 percent of CIOs and IT decision makers are “concerned” or “deeply concerned” about managing security of hybrid infrastructures, according to a. While the security of back-ups and snapshots accounts for 57 percent of the reticence associated with implementing hybrid infrastructures, the security of in-transit data and the increased attack surface also rank among top concerns, at 54 percent and 52 percent, respectively.
Targeted Threats and Concerns
With the security paradigm shifting towards advanced persistent threats (APTs) and zero-day exploits designed to compromise and infiltrate organisations, information security teams need to start supporting the requirements of digital business and engage in new technologies to maintain viable security and risk management programs. With virtualisation playing a vital role in hybrid infrastructures, virtualised endpoints require new security mechanisms designed to enforce protection from the hypervisor level to fend off sophisticated attacks.
Cybercrime’s cost to businesses is estimated to reach a whopping 6 trillion dollars by 2021, meaning that intelligence-gathering APTs and cyber-espionage malware will not only become more prevalent, but will also be VM-aware. As it takes an estimated average of 201 days to detect a breach, the security of hybrid infrastructures and environments will become not just a top priority, but also a major component in risk management programs.
One of the greatest fears of IT decision makers doesn’t seem to have anything to do with managing hybrid infrastructure security, but with losing their jobs following a security breach. With 69 percent of them expressing such concerns, hybrid cloud infrastructure adoption might have to overcome not only networking and security challenges, but also some personal ones.
Implementing hybrid infrastructures often causes decision makers to consider worst case scenarios that usually culminate with cash payments in the event of a security breach. Since three quarters of CIOs and IT decision makers seem to share this concern, it could be that costs, tools, and skills are below the decision threshold in terms of fears for not implementing hybrid infrastructures.
Flexible environments require flexible security mechanisms tailored to each organisation’s needs; mature and scalable security solutions are often key to delivering adequate, compliant, and insightful red flags in terms of threats targeting organisations. Some 37 percent of IT decision makers cite outsider attacks, and 35 percent cite BYOD, as the two main challenges they’re not prepared to face, while only 35 percent and 30 percent, respectively, are worried about insider sabotage and data vulnerability.
Some 29 percent of companies also seem unprepared for malware, viruses, and other intrusions. While that might seem like a relatively small percentage, it is worth noting that ransomware alone has shifted from consumer to business, potentially causing total financial losses up to $1 billion by the end of 2016. A great deal of that amount is likely from organisations becoming infected with ransomware, and giving in to a cybercriminal’s demands.
Challenges and Opportunities
Security challenges arising from widespread adoption of hybrid infrastructures are not without rewards. Besides obvious financial benefits directly associated with operational costs of not actually owning, maintaining and upgrading the hardware components of an on-premise cloud, compliance costs can also be reduced. Infrastructure-as-a-service has become a standard model for public cloud providers, allowing organisations to quickly scale their services in real time based on requirements, without worrying about down-times and traffic spikes.
The hybrid approach also enables large organisations to embrace services digitalisation, while maintaining operational costs within acceptable margins. However, the security aspects of operating a hybrid infrastructure should also be met with the utmost scrutiny – not skepticism – as they can be successfully addressed with know-how, skills, and tools.
With that in mind, when adopting a hybrid infrastructure organisations should start by defining the criteria for storing on-premise and in-the-cloud data, so as to assess all risks associated with a potential breach and estimate the impact that data loss might have on the organisation, both financially and in terms of brand image. Critical company data, customer data or data related to intellectual property must be stored on premise and only accessed by authorised personnel.
Secondly, such information needs to only be accessible from within the organisation. Since the private cloud contains mission-critical data, it should not be visible or accessible from outside the company network, perhaps even keeping it completely isolated from public internet access. This not only reduces the attack surface that a hacker could exploit, but also increases the cost of attack as cybercriminals would have to breach other security layers before getting to that critical data.
Legal aspects involving hybrid infrastructures should also be taken into account, as different countries have different laws concerning the storage and processing of data in datacentres operated in their territories. Handling and storing data in a country with legislation favourable to your business interests is also important, as cloud service providers need to abide by local data protection laws; otherwise, your company could risk judicial repercussions.
Backup and encryption are also key components that can guarantee business continuity, especially if backups are performed in off-site locations and protection extends beyond encrypting at-rest and in-transit data to strong authentication mechanisms. Two-factor authentication has become the status quo in accessing secure data, but coupling it with strict access lists could make a world of difference in preventing a breach.
Probably the most important security aspect when dealing with hybrid infrastructures is the creation and implementation of fast security response procedures aimed at covering techniques and methods for identifying, isolating and remedying security breaches. Constant testing, evaluation, and upgrading of a company’s security mechanisms and technologies are vital in preventing and quickly identifying breaches and vulnerabilities.
The Future is Hybrid
The hybrid cloud is believed to be the future that all companies should adhere to, as the benefits far outweigh the risks. Although CIOs and IT decision-makers have expressed some concerns as to how exactly the transition will take place and the security challenges associated with the transition, the truth is that it’s not impossible to achieve if the proper steps have been taken.
Liviu Arsene, Senior e-Threat Analyst, Bitdefender