Data security and hybrid IT: Top cloud challenges and how to tackle them

Companies continue to move their applications, workloads, and data to the cloud, despite concerns about how well they—and their providers—can protect their assets against breaches and attacks.

The average business uses 27 cloud-based products and supports hundreds of custom applications that run in the cloud, according to the Ponemon Institute's 2018 Global Cloud Data Security Study. Given all that, securing a cloud-based infrastructure—along with on-premises assets—continues to be a challenge. In a world where businesses aren't always sure that vendors are using security best practices—or the best technologies or operational strategies for reducing risks—the impetus is to add more security.

Meanwhile, global businesses continue the inexorable march toward cloud infrastructure, with nearly all moving more on-premises applications and storage to the cloud. Nine in 10 applications are scheduled to be deployed to public clouds, while more than half of companies expect private cloud use to increase, Micro Focus found in a recent customer survey that comprises the eBook, Achieving Consistent Data Security Across Hybrid IT.

Security managers and cloud operations teams should consider security when moving a workload, application, or data to the cloud. But replicating on-premises security can be cost-prohibitive, said Eric Hanselman, chief analyst at 451 Research, a business analysis firm.

"One of the biggest things to control the costs of security is to understand what you need to have when you move to the cloud. It is understanding what you have available, and what security you can afford in the cloud. You have to do homework."
—Eric Hanselman

Replicating on-premises security is also ineffective because current perimeter and system-based security controls don't extend to the cloud, potentially leaving data at risk, said Marcelo Delima, an evangelist for Micro Focus Cyber Security.

“Current system and application-centric security controls embedded throughout existing IT infrastructure don’t extend to the cloud, creating risks when data is moved to a public, untrusted environment. Monolithic applications and associated security aren’t designed for the cloud, which requires a continuous integration and continuous development DevOps model.”
—Marcelo Delima

Here are four recommendations to ensure data security across hybrid IT—and control costs.

How to Achieve Consistent Data Security Across Hybrid IT

1. Make sure security is part of the conversation

Only 21% of companies always or usually include security teams as part of the decision-making process when selecting cloud platforms or moving to the cloud, according to the Ponemon report.

As a result, companies can rack up huge bills when they add security after the fact or try to copy their on-premises technology into the cloud.

Costs typically wind up being a lot greater if the expectation is that you should be able to extend all of your monitoring to get all the telemetry that you had with your on-premises infrastructure, said Hanselman.

"Generally speaking, the cost of security capabilities should not be a huge increment compared to your regular cloud operational costs."
—Eric Hanselman

2. Ask yourself whether the security that comes with the service is sufficient

Many cloud platforms, especially software-as-a-service (SaaS) offerings, come with their own security features and reporting application programming interface (API) to allow for third-party integration. Companies whose security requirements are satisfied by those features can reduce security costs.

"When the security is built into the platform, unless you have specialized security needs, you are normally going to get the security along with your subscription services. That's the cool thing about software as a service," said David Linthicum, chief cloud strategy officer at the consultancy Deloitte.

If the native security tools from the SaaS provider don't meet expectations—or if your company is dealing with sensitive data or classified information—then a third-party service may be necessary.

Micro Focus' Delima said that the company's recent survey showed that when you are dealing with data flowing between multiple clouds and on-premises systems, you need to go beyond the built-in tools to achieve consistent cloud security controls.

3. Realize that replicating on-premises security is expensive

Some security tools function identically when in the cloud or on premises, and do a good job of going across boundaries. Encryption, for example, can be deployed across different types of infrastructure.

But other technologies, such as identity and access management, require separate strategies for on-premises and cloud applications, said Linthicum. While companies may be able to leverage the same directory services, they will have to create a separate system for each infrastructure.

Such dual systems can increase costs by up to 20%, Linthicum said. And if the same security features are required for both implementations, the costs can rise by as much as 50%, with most of that driven by the costs associated with on-premises technology.

"Many of my clients are dealing with this right now. Their cloud services cost more than they thought, and now they are dealing with security. So they wonder, 'How do we get to a stable state where we are able to deal with consistent costs?'"
—David Linthicum

4. Consider cloud security on the merits

Rather than simply replicating the same security technologies throughout a hybrid-cloud infrastructure, companies should use the most cost-effective security measures to achieve consistent data security.

"The ideal case is that you have the same type of controls on-prem and off-prem, and you have the ability to manage those in the same way," Linthicum said. "The reality is that cloud security offers a bunch of new capabilities and challenges, so you need to investigate those."

It's a balancing act

The challenge facing teams that deal with public and private cloud sprawl is that platform-specific tools only protect data inside that specific cloud; they're not extensible to other clouds, said Micro Focus' Delima.

Controlling costs of cloud security is key, but the cost of not providing data security across clouds could be greater for many enterprise teams, he said.

“While security of most cloud-based platforms is strong, it doesn’t extend beyond the specific platform. Companies must go beyond the platform-based built-in tools to achieve consistent cloud security controls.”
—Marcelo Delima

Bottom line: You've got to get the balance right.

"You have to be a good steward of your cloud ops. It is a discipline among the people that are operating the cloud, and best practices on the part of the provider. That's the beginning of a consistent cloud security budget."
—David Linthicum
