As more organizations migrate from internal virtualized data centers to hybrid cloud environments, it's important for enterprise security teams to evaluate security controls and governance considerations.
The first area to focus on is network security. Many security teams are disturbed to find that their tried-and-true network security tools and controls have no direct equivalents in public cloud environments. Very few enterprise firewalls are offered as cloud-native products, and many commercial intrusion detection systems don't offer virtual appliances that can run in a cloud provider's environment either.
Security teams need to evaluate the hybrid cloud security options they do have. These range from simple access control rules such as Amazon's EC2 Security Groups (stateful, default-deny-inbound rule sets attached to each instance, so only the explicit allow rules need reviewing) to more advanced tools and monitoring features that can be installed as virtual appliances in the cloud environment or purchased as additional service offerings from the provider. Security as a Service offerings that handle Web application firewall filtering, DDoS protection and load balancing are also common from content delivery networks such as CloudFlare and Akamai Technologies; these services may be simpler to implement and maintain than installing and operating virtual appliances in the cloud provider's environment.
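The review a security team actually wants to run over those "simple" security group rules is a check for ingress open to the whole Internet. The following is an added example (not code from the original article or from AWS): it walks records shaped like the output of `aws ec2 describe-security-groups`, treats any 0.0.0.0/0 or ::/0 source as world-open, and flags every such rule unless it is TCP/UDP and every port in its span is on an allow-list. The sample groups, the group IDs and the allow-list of ports 80 and 443 are constructed assumptions for the example; the handling of protocol "-1" (all protocols, no FromPort/ToPort) and of IPv6 ranges follows the real API shape.

```python
"""Audit EC2 security group rules for ingress open to the whole Internet.

Added example, not code from the original article or from AWS. The input
mirrors the JSON shape returned by `aws ec2 describe-security-groups`
(SecurityGroups[].IpPermissions[]); the groups below are constructed for
illustration rather than taken from a real account, and the allow-list of
publicly acceptable ports is an assumption for the example.
"""
import ipaddress
import json

# Ports it is acceptable to expose to 0.0.0.0/0 or ::/0 (assumption for this example).
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-db", "GroupName": "database", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        # SSH left open to the world "temporarily" during a migration.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-legacy", "GroupName": "legacy-app", "IpPermissions": [
        # IpProtocol "-1" means all protocols and all ports; FromPort/ToPort are absent.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def is_world_open(cidr):
    """True for any prefix covering its whole address family (0.0.0.0/0, ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm):
    """Port span a rule covers; protocol -1 covers every port and carries no FromPort/ToPort."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_world_open_ingress(groups, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Return (group_id, protocol, from_port, to_port, cidr) for every world-open rule
    that exposes something outside the allow-list. Security groups are default-deny
    inbound, so only the explicit allow rules need examining."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            proto = perm.get("IpProtocol")
            low, high = rule_ports(perm)
            # Non-TCP/UDP rules (icmp, all-protocols) are flagged outright; a TCP/UDP rule
            # is acceptable only if every port in its span is on the allow-list.
            acceptable = proto in ("tcp", "udp") and set(range(low, high + 1)) <= allowed_ports
            for cidr in cidrs:
                if is_world_open(cidr) and not acceptable:
                    findings.append((group["GroupId"], proto, low, high, cidr))
    return findings


if __name__ == "__main__":
    for finding in find_world_open_ingress(SAMPLE_GROUPS):
        print(json.dumps(dict(zip(("group", "proto", "from", "to", "cidr"), finding))))
```

Against the constructed sample the web group passes, the database group is flagged for SSH from 0.0.0.0/0, and the legacy group is flagged for allowing every protocol and port. To run it against a real account, replace SAMPLE_GROUPS with the `SecurityGroups` list from the CLI output; the check is deliberately conservative, so an ICMP-from-anywhere rule is reported for a human to accept rather than silently passed.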
Given the scarcity of network security options, some security teams are considering or implementing host-based security tools as a compensating control. Many traditional host-based firewalls, IDS and anti-malware products are "cloud compatible" today, meaning they have been trimmed to consume less CPU and memory inside virtual machines. In addition, cloud security services such as CloudPassage and Dome9 Security can be used to manage security agents in cloud instances: a Web-based dashboard configures and manages host-based agents across a variety of cloud service provider environments, with functionality that includes configuration and patch management, file integrity monitoring, and local firewall and IDS tools.
Encryption has risen to the forefront of the controls organizations need to implement when moving to a hybrid cloud. Numerous cloud encryption gateways exist, and key management and rotation services such as Porticor and Sepior are becoming more popular. Cloud providers themselves are offering new encryption capabilities; Amazon Web Services has created a product called AWS CloudHSM that gives companies a dedicated hardware security module (HSM) from SafeNet for key storage and encryption control inside their virtual private cloud environments. Companies like HyTrust now offer Amazon-compatible products that can encrypt entire virtual machine file sets for public cloud instances, and this market continues to grow. Whichever product is chosen, the question to ask is who holds the keys: encryption whose keys live with the provider protects against a lost or reused disk, not against anyone with access to the provider's key store.
Vulnerability management is another area enterprises have struggled with as they move to hybrid clouds. Fortunately, many vulnerability scanning vendors have integrated their products with the major cloud provider environments, so companies can perform on-demand scanning and, in many cases, remediation as needed. Check whether your in-house vulnerability scanner is supported in the cloud providers you're evaluating, as more are supported all the time, and check each provider's policy on scanning its infrastructure: some require advance authorization before you scan even your own instances.
The biggest challenge overall for organizations implementing a hybrid cloud strategy is properly assessing the cloud providers' security controls. Organizations like the Cloud Security Alliance have published sets of controls (the CSA's Cloud Controls Matrix, for example) to evaluate when negotiating with providers, which makes the task less burdensome; however, many cloud providers still do not offer enough detail about their internal controls and security capabilities. With pressure from the security community this will likely change, but until then most organizations are implementing their own security controls in public cloud environments wherever possible.