What is hybrid cloud security?
Hybrid cloud refers to the combined use of public and private clouds as one computing system; hybrid cloud security is the practice of protecting enterprise data, applications, and resources across that combined environment. Its goal is to apply consistent protection in every environment while letting policy be managed and enforced from a single console. Before going into more detail on hybrid cloud security, it helps to understand the nature and implications of hybrid cloud itself.
Understanding hybrid cloud
A public cloud is provided by a third-party cloud service, such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud. It makes resources such as applications and storage available to users remotely, either free of charge or through a variety of subscription or on-demand pricing schemes, including pay-per-use. Under the shared responsibility model, the public cloud provider secures the underlying infrastructure your data runs on; you remain responsible for what you put on it: your data, identities, access policies, and configuration.
A private cloud is hosted on infrastructure that is only accessible to specific users in one organization. Sometimes a private cloud is hosted in a data center on the company's own premises. Other times it runs on a third party's infrastructure, but your company is the only external entity with access to the particular servers it runs on. Private clouds give enterprises more control than public clouds, but they are more expensive and take more work to deploy.
A hybrid cloud is a computing environment that uses a mix of on-premises infrastructure, private cloud, and third-party public cloud services, with orchestration between them. By allowing workloads to move between private and public clouds as computing needs and costs change, a hybrid cloud gives businesses greater flexibility and more options for where to deploy data.
One common approach in a hybrid cloud is to classify your data by sensitivity, for example as low or moderate versus high. Industry requirements and regional regulations in particular help determine which data is more sensitive and how each tier should be handled. Often, less-sensitive data is stored in the public cloud while highly sensitive data stays in the private cloud. But even the less-sensitive data in your public cloud should still be secured as thoroughly as possible.
Most enterprises end up with a hybrid cloud strategy, since almost no company can afford to put everything in a public cloud or to run everything itself.
Key considerations for hybrid cloud security
Hybrid cloud security, then, is the practice of protecting enterprise data, applications, and resources across a hybrid cloud environment. Significant areas that must be addressed when securing such an environment include:
- Traditional security controls: A hybrid cloud changes the traditional security picture because your IT and security teams are no longer in complete control of the computing environment. Many of the assets your employees use every day are no longer on your premises. Organizations therefore need to evaluate the security measures of each cloud provider and confirm that they meet industry and legal requirements. Business continuity commitments must be part of any service-level agreement so that the provider is obligated to keep operating for you, and disaster recovery plans must ensure that your assets (for example, data and applications) are protected and recoverable.
- Incident handling: A hybrid cloud changes incident handling in at least two ways. First, while you control your own data center, an incident that touches the cloud requires working with the service provider, because the provider controls at least part of the infrastructure. Second, investigating an incident across several clouds is often more complicated because information from different environments and tenants may be commingled. Providers also have privacy obligations to their other customers, which can limit the logs they will share and make analysis difficult. It is critical to understand in advance how each provider defines an incident, what evidence it will make available, and how you will work together during a response.
- Application security: An application in the cloud is reachable from far more places than one inside a corporate network, and so is exposed to a correspondingly wider range of threats. Application security covers multiple areas, including securing the software development lifecycle in the cloud; authentication, authorization, and compliance; identity management; application authorization management; application monitoring; application penetration testing; and risk management.
- Encryption and key management: Data encryption uses an algorithm and a key to transform plaintext into ciphertext, a form that unauthorized parties cannot read. The authorized recipient uses the corresponding key to decrypt the data back to its original state, so data can be encrypted in a way that only the intended recipient can read. In the public cloud, some organizations are tempted to encrypt everything because they are worried about data in transit to the cloud and at rest once it is there. Encryption only delivers that protection if the keys are managed properly: whoever holds the keys can read the data, so where the keys are generated, stored, and used (on-premises, in the provider's key management service, or in a hardware security module) is as important a decision as whether to encrypt at all. Encryption also does not protect data while an application is processing it, which is why practitioners increasingly pair it with other controls such as access control, monitoring, and data minimization rather than relying on it alone.
- Identity and access management: Identity management is a broad topic that touches many parts of the data center. Its goal is to control access to computer resources, applications, data, and services, and it changes significantly in the cloud. In a traditional data center you might authenticate against a directory service and then deploy the application behind a firewall in a trusted network zone. In the cloud there is no such zone, so access decisions typically have to combine several identity signals, for example the user, the device, and the workload or application making the request, to ensure that access to resources is secure.
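As an added illustration of the key-custody point in the encryption and key management item above (this is example code written for this page, not Zscaler's or any cloud provider's implementation), the following Go program performs envelope encryption: each object stored in the public cloud is encrypted under its own random data-encryption key (DEK), and the DEK is in turn encrypted under a key-encryption key (KEK) that stays in the private cloud. Only the ciphertext and the wrapped DEK leave your premises, and the object name is bound as associated data so a ciphertext cannot be silently moved to a different object. The `Envelope` type, the `RandomKey` helper, the object name and the sample record are assumptions made for the example; in a real deployment the KEK would live in an HSM or on-prem KMS and the wrap and unwrap calls would go to it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is what is stored in the public cloud: the object ciphertext plus
// its data key wrapped under the KEK. The KEK never leaves the private side.
type Envelope struct {
	ObjectID   string // bound as associated data on both layers
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// RandomKey draws a fresh 256-bit key, used here for the KEK and for each DEK.
// A real deployment keeps the KEK inside an HSM or on-prem KMS, never in app memory.
func RandomKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag for plaintext under key, authenticating aad.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or aad fails.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed data too short")
}

// EncryptForPublicCloud runs on the private side: fresh DEK per object, data under the DEK, DEK under the KEK.
func EncryptForPublicCloud(kek []byte, objectID string, plaintext []byte) (*Envelope, error) {
	dek, err := RandomKey()
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &Envelope{ObjectID: objectID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFromPublicCloud unwraps the DEK with the KEK (a KMS/HSM call in practice),
// then decrypts. Without the KEK, the cloud operator holds only ciphertext.
func DecryptFromPublicCloud(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte(env.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", env.ObjectID, err)
	}
	return gcmOpen(dek, env.Ciphertext, []byte(env.ObjectID))
}

func main() {
	kek, err := RandomKey()
	if err != nil {
		panic(err)
	}
	record := []byte(`{"name":"Example Customer","tier":"gold"}`) // constructed sample, not real data
	env, err := EncryptForPublicCloud(kek, "crm/customer-42.json", record)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFromPublicCloud(kek, env)
	fmt.Printf("stored: %d-byte ciphertext, %d-byte wrapped DEK; recovered: %s (err=%v)\n", len(env.Ciphertext), len(env.WrappedDEK), pt, err)
}
```

The design choice worth noting is that the public side never sees a key it could use: if the provider's storage is breached, the attacker gets ciphertext and a wrapped DEK, and every decryption still has to go back through the on-premises KEK, which is where access control, auditing, and revocation can be enforced. Rotating the KEK means re-wrapping DEKs, not re-encrypting every object.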
A strong approach to hybrid cloud security
Many organizations choose one security platform and strategy for their private cloud and a different solution for their public cloud, and the two are often not compatible with each other. Ideally, security and IT teams need a unified platform that secures both environments at once, gives an unobstructed view of all traffic, and addresses the items above.
The key to such a platform is that it must be built for the cloud and address the specific requirements of the cloud environments organizations operate in today. In other words, security must move beyond the network perimeter now that applications live in multiple environments. The security paradigm must shift from the static network to the user, device, and application. Your security should also root out architectures that are susceptible to excessive trust, such as those that base access decisions on source IP address: their inherent default "allow" posture, in which anything on the internal network is trusted, creates implicit trust that an attacker who gains a foothold on that network can abuse to move laterally. And your security infrastructure should accelerate cloud adoption rather than slow it down. Cloud-delivered security is well suited to a hybrid cloud strategy.
A zero trust approach is the best way to accomplish this. Zero trust network access (ZTNA), also known as the software-defined perimeter (SDP), is a zero trust technology that provides consistent security across all cloud and on-premises environments and operates on an adaptive trust model. Trust is never implicit; access is granted on a need-to-know, least-privilege basis defined by granular policies that are evaluated for each request. ZTNA gives users seamless and secure connectivity to private applications in any environment, without placing them on the network or exposing the applications to the internet.
Built on a zero trust architecture, the Zscaler Cloud Security Platform ensures all connections are inspected and secured, regardless of which user they come from, the application being accessed, or whether the traffic is encrypted. Security controls are built into a unified platform, so they communicate with each other to give you a cohesive picture of all the traffic moving across your network, whether in your private or public clouds. Through a single interface, you can gain insight into every request, by user, location, and device around the world, in seconds.
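To make the contrast between IP-based trust and zero trust concrete, here is an added Go example, written for this page and not taken from Zscaler's or any vendor's policy engine. It evaluates the same constructed requests under a perimeter rule, which trusts anything with an internal source address, and under a per-application zero trust policy that looks at the user's entitlements, MFA state and device posture and never at the source address. It also illustrates the identity and access management item above, where several identity signals have to be combined. The `Request` fields, the application names, the group names and the addresses are assumptions for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Request is the context available at the access decision point. The fields are
// assumptions for this example; a ZTNA broker would get them from the identity
// provider and the device client.
type Request struct {
	SourceIP      string
	User          string   // empty when unauthenticated
	Groups        []string // groups asserted by the identity provider
	MFA           bool     // strong authentication completed this session
	TrustedDevice bool     // managed device with a passing posture check
	App           string   // private application being requested
}

// Perimeter model: trust is a property of the source address.
var internalNets = mustCIDRs("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// PerimeterAllows is the legacy rule: any internal source address reaches any
// application. Identity and device state are never consulted.
func PerimeterAllows(r Request) bool {
	ip := net.ParseIP(r.SourceIP)
	if ip == nil {
		return false
	}
	for _, n := range internalNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Zero trust model: every request is evaluated on user, device and app.
type AppPolicy struct {
	AllowedGroups        []string
	RequireMFA           bool
	RequireTrustedDevice bool
}

// Per-application policies, constructed for the example. An app with no policy is unreachable (default deny).
var policies = map[string]AppPolicy{
	"payroll": {AllowedGroups: []string{"finance"}, RequireMFA: true, RequireTrustedDevice: true},
	"wiki":    {AllowedGroups: []string{"employees"}},
}

// ZeroTrustAllows returns the decision and the reason. SourceIP is not an input:
// being on the internal network earns nothing by itself.
func ZeroTrustAllows(r Request) (bool, string) {
	pol, ok := policies[r.App]
	if !ok {
		return false, "no policy for app: default deny"
	}
	if r.User == "" {
		return false, "unauthenticated"
	}
	if !anyGroup(r.Groups, pol.AllowedGroups) {
		return false, "user not entitled to app"
	}
	if pol.RequireMFA && !r.MFA {
		return false, "MFA required"
	}
	if pol.RequireTrustedDevice && !r.TrustedDevice {
		return false, "untrusted device"
	}
	return true, "allowed"
}

func anyGroup(have, want []string) bool {
	for _, h := range have {
		for _, w := range want {
			if h == w {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed scenarios, not captured traffic.
	cases := map[string]Request{
		"attacker on compromised internal host":        {SourceIP: "10.0.5.9", App: "payroll"},
		"finance user at home, MFA, managed laptop":     {SourceIP: "203.0.113.7", User: "alice", Groups: []string{"employees", "finance"}, MFA: true, TrustedDevice: true, App: "payroll"},
		"stolen finance credentials, unmanaged device": {SourceIP: "198.51.100.4", User: "alice", Groups: []string{"employees", "finance"}, MFA: true, App: "payroll"},
	}
	for name, r := range cases {
		zt, why := ZeroTrustAllows(r)
		fmt.Printf("%-45s perimeter=%-5v zero-trust=%-5v (%s)\n", name, PerimeterAllows(r), zt, why)
	}
}
```

Under the perimeter rule the attacker on the compromised internal host reaches payroll and the legitimate finance user working from home does not; under the zero trust policy the results are reversed, and the stolen-credential case is stopped at the device check even though the password and MFA were correct. The decision is made per application and per request, so there is no network to be "on" and no reachable app that has not been explicitly granted.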