September 14, 2020
Evolve hybrid cloud security to meet COVID-19 challenges
Remote work poses new demands for hybrid cloud security. Here's how organizations can protect themselves from security threats in this complex landscape.
With employees continuing to work from home to meet the social distancing requirements of COVID-19, more people are juggling business with personal engagements, at times outside normal business hours. Often, they’re using their mobile business laptop, as well as a plethora of additional wireless mobile devices. This has increased the security demands on the hybrid cloud.
To maximize the security of their hybrid cloud environments, here are some points businesses should consider in developing their cloud security strategies:
- Hybrid cloud security is more complex than public cloud security. Cloud environments are often a composite of legacy applications hosted in the data center and newer applications hosted on the public cloud. This produces a mishmash of multiple authentication systems and various forms of access control that might require, for example, federated security or legacy integrations through anti-corruption design patterns. Because of this, the hybrid cloud security model requires careful analysis of all components residing on platforms with different characteristics.
Consider, for example, a mainframe application program hosted in a data center that is extended to support mobile device access through services running on the public cloud. The strict security controls of the original program could be bypassed or defeated as the mainframe program is extended to support cloud-hosted services.
Recommendation: Conduct careful analysis and testing to ensure new security vulnerabilities are not introduced during the process of application modernization.
- A data security classification policy is an integral component of the security design. With a data security classification policy, data is categorized into security levels ranging from “highly sensitive” to “public,” and various policies are created for accessing and updating the data. The data classification policy determines what data can be accessed from where and in which fashion.
On hybrid cloud, the data can reside on multiple platforms; often, the same data takes on different forms and might not be fully aligned with the security characteristics of the original data. Consider, for example, an intranet search crawler indexing data with restricted access along with public data. A security breach could result if the restricted data index contents are returned during a search by an unauthorized user.
Recommendation: If the hybrid cloud handles sensitive data, use methodical data flow mappings to ensure data security constraints are preserved.
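The search crawler case above, as an added example that is not part of the original article: each index posting carries the classification and access list of its source document, and results are trimmed at query time. The classification labels, group names and sample documents are constructed assumptions.

```python
from dataclasses import dataclass

# Classification levels, least to most sensitive (labels are assumptions).
LEVELS = {"public": 0, "internal": 1, "restricted": 2, "highly_sensitive": 3}

@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    classification: str
    allowed_groups: frozenset  # groups entitled to read the source document

# Constructed sample corpus.
CORPUS = [
    Doc("d1", "cafeteria menu and holiday schedule", "public", frozenset()),
    Doc("d2", "salary bands and bonus schedule", "restricted", frozenset({"hr"})),
    Doc("d3", "merger schedule draft", "highly_sensitive", frozenset({"board"})),
]

def build_index(corpus):
    """Inverted index whose postings keep the source document's label and ACL."""
    index = {}
    for doc in corpus:
        for term in set(doc.text.split()):
            index.setdefault(term, []).append(doc)
    return index

def search_untrimmed(index, term):
    """Flawed path: the index is treated as public, so restricted hits leak."""
    return [d.doc_id for d in index.get(term, [])]

def search_trimmed(index, term, clearance, groups):
    """Return a hit only if the caller satisfies the source document's policy."""
    hits = []
    for d in index.get(term, []):
        if LEVELS[d.classification] > LEVELS[clearance]:
            continue  # caller's clearance is below the document's level
        if d.allowed_groups and not (d.allowed_groups & groups):
            continue  # caller is in none of the entitled groups
        hits.append(d.doc_id)
    return hits

def leaked(index, term, clearance, groups):
    """Data-flow check: documents the untrimmed path exposes beyond policy."""
    allowed = set(search_trimmed(index, term, clearance, groups))
    return sorted(set(search_untrimmed(index, term)) - allowed)
```

Running `leaked` for each user role in a pipeline test turns the data flow mapping into a regression check: any non-empty result means the derived index no longer honors the source classification.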
- Mobile access, anytime from anywhere, increases the vulnerability footprint. With the prevalence of mobile device access due to COVID-19 social distancing needs, the days of accessing intranet applications from the corporate network on secure office premises are waning. This increases the security vulnerability footprint due to interactions with mobile devices of varying capabilities that might be in unsecured locations.
Recommendation: Addressing this issue requires a comprehensive endpoint security strategy, combined with other security controls, such as limiting certain operations from mobile devices. Additional verifications could include fingerprint access to perform certain operations and a robust security monitoring capability to quickly detect unauthorized usage.
- Authentication and identity management are cornerstones of hybrid cloud security. Most security breaches are accomplished by circumventing authentication security controls through phishing, replay, brute force and other spoofing attacks. This makes authentication a critical component that is optimally secured through multiple security tiers.
Recommendation: Password authentication can be supplemented with a CAPTCHA system to avoid brute force attacks. Two-phase authentication offers additional validation, allowing only registered mobile devices onto the network, as does biometric security, such as fingerprint detection for physical validation. These mechanisms should be combined with robust identity management to set password requirements, password expiration times, password disablement policies and identity validation questions. Finally, a robust security monitoring capability can rapidly analyze patterns of network access for any security attacks in motion.
- Automation is the vehicle for delivering consistent hybrid cloud security. The hybrid cloud can be thought of as a mosaic of interacting components. Within this mosaic are frequently shared and repeatable patterns of infrastructure and software design.
Recommendation: The strategy that works best for consistent security includes the following components: identify these patterns (e.g., a security configuration to set up a virtual machine or to invoke a REST service); set up automation, such as infrastructure-as-a-service templates that capture all security concerns or a JSON Web Token (JWT) software-based framework to enable secure invocation of web services; automate everything through version-controlled scripts, including capturing any manual tribal knowledge; and continually challenge the security characteristics of all components through a fully automated DevSecOps pipeline.
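An added example, not code from the original article, of the check a JWT-based framework performs on the receiving service before honoring a web service call: pin the algorithm, verify the signature, then enforce expiry and audience. It uses only the Python standard library with HS256; the key, claim values and the `orders-api` audience are constructed assumptions, and a deployed service would normally rely on a maintained JWT library.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign(claims, key, header=None):
    """Caller side: issue an HS256 token for a service invocation."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims))
    return signing_input + "." + _b64url(_mac(key, signing_input))

def verify(token, key, audience, now=None):
    """Service side: return the claims or raise PermissionError with a reason."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except (ValueError, TypeError) as exc:
        raise PermissionError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    if not hmac.compare_digest(sig, _mac(key, f"{h64}.{p64}")):
        raise PermissionError("bad signature")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    if claims.get("aud") != audience:
        raise PermissionError("wrong audience")
    return claims

def decision(token, key, audience, now=None):
    """Convenience wrapper for pipeline tests: 'ok' or the rejection reason."""
    try:
        verify(token, key, audience, now)
        return "ok"
    except PermissionError as exc:
        return str(exc)
```

Keeping the rejection cases as automated tests in the DevSecOps pipeline ensures that a later refactoring cannot silently drop one of the checks.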
In our experience, these measures can result in a robust hybrid cloud security model to meet the challenges of the COVID-19 era.