After the massive attack on SolarWinds that impacted companies around the world, a debate has emerged about cloud security, and whether the public cloud may be a more secure option than a hybrid cloud approach. Alvaro Santa Maria, IBM Security Director Latinoamérica, offers some guiding principles to consider to help design security for the hybrid cloud era.
Rather than debating which approach to the cloud is more secure, the question we should ask ourselves is: which model do we need to design security for? As the Director of IBM Security in Latin America, I believe that technology leaders should be designing for the way businesses are working today, rather than pigeonholing one computing model over the other.
The SolarWinds incident, for example, took advantage of the broad chain of technology providers that companies are relying on today. The security challenge of this supply chain has been around for decades, but it is also just one factor that contributes to an even bigger problem facing security teams today: complexity.
In other words, the biggest security challenge we face today is not inherent in the technologies themselves, but rather in the disconnected technologies and strategies that are used to secure them.
Complexity is the enemy of security
Hybrid cloud environments have emerged as an important focus for governments and companies, public or private, that have critical and regulated data that they need to protect. In fact, in a recent Forrester Research study, 85% of technology decision makers agreed that on-premises infrastructure is critical to their hybrid cloud strategies.
However, the ad hoc adoption of cloud technologies has created a ‘rugged landscape’ of dispersed IT resources to secure, with gaps in visibility and data spread across multiple tools, clouds and on-premises infrastructure. This problem has only been compounded by the hasty deployment of new tools and resources in the cloud to accommodate remote work amid the global pandemic.
Unfortunately, this disconnected approach is reflected in many of the security tools that have emerged to protect today’s cloud environments. We have reached the point where large companies are often using 50-100 different security tools from dozens of different vendors.
The problem here is not the cloud resources, or the security tools themselves, but the fact that the various pieces are not being connected under a single approach, creating security blind spots and complexity as a result.
A well-executed ‘hybrid cloud model’ combines parts of a company’s existing on-premises systems with a mix of public cloud resources and Resources-As-a-Service and treats them as one. In turn, security must also be redesigned with a single point of control that provides a holistic view of threats and mitigates complexity.
Connecting security through the clouds
In the hybrid cloud world, both data security and privacy become a shared responsibility among data owners, users and providers.
Ultimately, many of the security risks emerging in cloud environments are the result of human error, combined with a lack of centralized visibility to find and fix these issues before they become harmful. Cloud misconfigurations were cited as one of the leading causes of data breaches studied in the Cost of a Data Breach Report from IBM and the Ponemon Institute, corresponding to nearly one in five of the data breaches analyzed.
Additional issues may arise due to mishandling of data. The fastest growing innovation to address them is called Confidential Computing. Right now, most cloud providers promise they won’t access your data (they can, of course, be forced to break that promise by court order or other means). This also means, on the other hand, that threat actors could use that same access for their own nefarious purposes. Confidential Computing ensures that the cloud technology provider is technically unable to access the data, making it equally difficult for cybercriminals to access it.
Understanding how attackers get into the cloud is also key to the evolution of security protocols. According to an IBM analysis of cloud security incidents, the most common pathway is through cloud-based applications. In fact, remote use of cloud applications accounted for 45% of cloud-related security incidents that were analyzed by IBM X-Force incident response teams over the past year.
With these challenges in mind, here are some guiding principles to consider to help design security for the hybrid cloud era:
- Unify the strategy. Design a comprehensive cloud security strategy that spans the entire organization, from application developers to IT and security teams. Also, designate clear policies for new and existing cloud resources.
- Choose open architecture. Identify the most sensitive data and ensure that the appropriate privacy controls are in place, even down to the hardware level. Consider technical assurance such as Confidential Computing, and keep your own password; this means that not even the cloud provider can access the data.
- Have an open approach. Ensure that security technologies work effectively across hybrid cloud environments (including on-premises and multiple clouds). When possible, take advantage of open standards and technologies that enable greater interoperability and can reduce complexity.
- Automate security. Implement Artificial Intelligence and automation for greater speed and accuracy when responding to threats, rather than relying solely on manual reactions.
Improving security in the cloud for the new normal is possible, but we have to put aside previous assumptions. A clear picture of security challenges based on policies and types of threats targeting cloud environments will help to shift to this new frontier. When done right, hybrid cloud can make security faster, more scalable and more adaptable.