A technician working for Indonesian mobile operator Smartfren is seen working on a server station at the company's office in Tangerang, Banten, on Nov 4, 2020. (B1 Photo/Arief Hidayat)
Security vs. Complexity: The Key Battleground of the Hybrid Cloud Era
BY :TAN WIJAYA
JUNE 02, 2021
In the wake of the massive SolarWinds attack that impacted companies worldwide, a debate has emerged on cloud security and whether or not a public cloud may be a more secure option than a hybrid cloud approach.
Rather than debating which cloud approach is more secure, the question we should be asking instead is: which model do we need to design security for? As a professional in the IT industry, I believe that technology leaders should be designing for the way businesses are working today rather than pigeonholing customers into securing one computing model over the other.
The SolarWinds incident, for example, took advantage of the broad supply chain of technology vendors that companies are relying on today. The challenge of supply chain security has been around for decades but is also just one contributing factor adding to an even bigger problem facing security teams today: complexity.
In other words, the greatest security challenge we’re facing today isn’t inherent within the technologies themselves but rather the disconnected strategies and technologies being used to secure them.
Complexity is the Enemy of Security
Hybrid cloud environments have emerged as an important approach for governments, public and private enterprises with critical and regulated data they need to protect. In fact, in a recent study from Forrester Research, 85 percent of technology decision-makers agreed that on-premise infrastructure is critical to their hybrid cloud strategies.
However, ad-hoc adoption of cloud technologies has created a “wild west” of dispersed IT resources to secure – with gaps in visibility and data spread across multiple tools, cloud, and on-prem infrastructure.
This problem has only been exacerbated by a rushed rollout of new cloud tools and resources to adapt to remote work amidst the global pandemic.
Unfortunately, this disconnected approach is mirrored in much of the security tooling that has arisen to secure today’s cloud environments. We’ve gotten to the point where large companies often use 50 - 100 different security tools from dozens of different vendors.
The problem here isn’t cloud resources or the security tools themselves. Rather, the various pieces are not being connected with a singular approach – creating security blind spots and complexity as a result.
A well-executed “hybrid cloud model” combines part of a company’s existing on-premises systems with a mix of public cloud resources and as-a-service resources and treats them as one. In turn, security must also be redesigned with one single point of control that provides a holistic view of threats and mitigates complexity.
Connecting Security Across Clouds
In the hybrid cloud world, security and data privacy becomes a shared responsibility between data owners, users, and providers.
Ultimately, many of the security risks being introduced to cloud environments result from human error, combined with a lack of centralized visibility to find and fix these issues before they do damage. Cloud misconfigurations were cited as a top cause of data breaches studied in the Cost of a Data Breach report from IBM and Ponemon Institute, representing nearly 1 in 5 of the data breaches that were analyzed.
Additional issues can arise due to the mishandling of data. The fastest-growing innovations to address this gap are called confidential computing. Right now, most cloud providers promise that they won’t access your data. (They could, of course, be compelled to break that promise by a court order or other means.)
Conversely, it also means malicious actors could use that same access for their own nefarious purposes. Confidential computing ensures that the cloud technology provider is technically incapable of accessing data, making it equally difficult for cybercriminals to gain access to it.
Understanding how attackers breach the cloud is also key for evolving security protocols. According to an IBM analysis of security incidents in the cloud, the most common pathway is via cloud-based applications. In fact, remote exploitation of cloud apps accounted for 45 percent of cloud-related security incidents analyzed by IBM X-Force incident response teams over the past year.
With these challenges in mind, here are a few guiding principles you should keep in mind to help design security for the hybrid cloud era:
- Unify your strategy. Design a comprehensive cloud security strategy that spans your entire organization – from application developers to IT and Security teams. Designate clear
- policies for both new and existing cloud resources.
- Choose the right architecture. Identify your most sensitive data and ensure the right privacy controls are in place – even down to the hardware level. Consider technical assurances such as confidential computing and keep your own key, which makes it so not even your cloud provider can access your data.
- Open approach. Ensure your security technologies can work effectively across hybrid cloud environments (including on-premise and multiple clouds). Where possible, leverage open technologies and standards which allow for greater interoperability and can reduce complexity.
- Automate security. Implement AI and automation for greater speed and accuracy when responding to threats, rather than relying solely on manual reactions.
Improving cloud security for the new normal is possible, but we have to let go of prior assumptions. A clear picture of policy-driven security challenges and the types of threats targeting cloud environments will help the pivot to this new frontier. When done right, a hybrid cloud can make security faster, scalable, and more adaptable.
Tan Wijaya is the president director of IBM Indonesia, a local unit of the New York-based multinational technology company.