The rise of hybrid IT environments, with their mix of cloud-based and on-premises services, has created new security headaches for executives.
That's because tech and security leaders must contend with not only threats to cloud-based and on-premises systems, but the vulnerabilities that arise when organizations use them together in the hybrid IT environment, security experts said.
"As the complexity expands, as there are more and more different environments in play -- and keep in mind, these things tend to proliferate -- the more complex the operations and management and security become," said Ed Moyle, director of emerging business and technology at ISACA, an independent, nonprofit, global association for IT governance professionals in Rolling Meadows, Ill.
Moyle and several other security experts were clear: A hybrid IT environment requires a cybersecurity program that offers solid strategies for its on-premises components, as well as ways to protect its cloud initiatives.
If there's any consolation to this new wrinkle in security planning and protocol, it's that most organizations are aware of the challenges. A recent report from software firm SolarWinds found that 69% of responding IT professionals said their organizations use up to three cloud provider environments.
The report, "IT Trends Report: Portrait of a Hybrid IT Environment," also found that 62% of the North American-based respondents said the increased infrastructure complexity is a challenge, while 47% said the "lack of control [and] visibility into the security of cloud-based infrastructure" creates complications.
The same report, however, found that only 39% of North American respondents said their organizations include security in their strategy for hybrid IT development.
Shared, consistent responsibilities
Scott Laliberte, managing director of the global information security practice at consulting firm Protiviti, said enterprise IT leaders should start by recognizing that a hybrid IT environment requires a division of security responsibilities that isn't present in an all-on-premises or purely cloud scenario.
"You have shared responsibilities, you have responsibilities handled by cloud vendors and [responsibilities handled by] the organization itself -- maybe also some with third-party app providers," he explained.
In contracts with providers, it's up to the enterprise to articulate exactly what security work the vendors will absorb and what the enterprise picks up, Laliberte said.
Many IT organizations, particularly small and midsize companies, aren't taking this step, said Richard White, author of Cybercrime: The Madness Behind the Methods.
"They jump in with both feet, and they have hardly or very little idea that they're going to lose direct control and visibility into their data," said White, who is also course chair for the cybersecurity and information assurance program at the University of Maryland University College and managing director of Pittsburgh-based Oxford Solutions.
"They don't understand what responsibilities are at the cloud level or in the service-level agreements. Where that scope of responsibility lies is very ambiguous."
Divvying up security responsibilities and documenting who does what is only part of what's needed, experts said. Enterprise IT must also specify how they're going to monitor and manage those dual responsibilities -- and ensure both sides complete these responsibilities.
"It's really understanding who is responsible for each piece, and what's the due diligence you can do over those controls that aren't in the organization's direct control and how do you get evidence of compliance," Laliberte said.
A big part of the struggle for many IT organizations is maintaining consistent security policies in both parts of their hybrid IT environment, experts said. For example, tools such as data leak prevention capabilities and end-user behavior analytics should be applied and enforced wherever needed, regardless of where the application and infrastructure reside.
Laliberte said cloud access security brokers, or CASBs, are helpful in this area. A CASB is a software tool or service that sits between an organization's on-premises infrastructure and its cloud providers, working to ensure the traffic moving between the two points complies with set security policies.
But while CASBs can be useful for creating consistency in monitoring and metrics, they aren't cure-alls. "It has cons. It can be another point of failure, and some can create potential resiliency and other security issues," Laliberte explained.
More motivation for good governance
Hybrid IT environments also often require additional security steps that a purely on-premises environment or even an all-cloud setup might not.
Organizations might need to encrypt data in transit as it moves between on-premises and cloud systems, whereas encryption might not be required when the data always stays within one environment, experts noted. Moreover, a hybrid environment adds considerations when using encryption in general.
"Something that gets overlooked is management of the encryption keys," Laliberte said. "Oftentimes, that's done by the cloud vendor and the organization has no control over it. Same thing with encryption: The vendor often has control over encryption."
The additional complexities of a hybrid IT environment also heighten the need for strong governance, according to cybersecurity leaders. Moreover, the governance has to be unified; organizations shouldn't have two completely separate governance operations -- one for on premises and one for cloud.
"Security is hard enough. Why make it harder by having two policies?" Laliberte said.
Others concurred, saying that because so many details need to be articulated, assigned and monitored, it can't be done well without diligent and dynamic oversight. The governance aspect, however, remains confusing to people, said Shawn Connors, a partner at professional services firm PwC.
"The technical aspects -- how to wire everything together -- are well-understood. Not so much enforcing policies and standards and understanding roles and responsibilities," Connors said. "If I have to do X, Y, Z from a governance policy, I need to understand what it is and write it into my contract with cloud providers and prescribe standards. That still seems to be a bugaboo out there."