Editor's note: this post was republished with permission. This article was authored by Scott Montgomery, VP & Chief Technical Strategist, Intel Security. View the original here.
The prices and services that cloud infrastructure providers offer change so often that you may be doing yourself a disservice by tying your hybrid cloud to one particular vendor. We’re even starting to see services emerge that shift workloads transparently between cloud providers to give customers the best deal.
Security must remain a high priority in any such arrangement, however, and strategies for hybrid cloud environments must take into account the potential for frequent movement of data between public clouds as well as between public and private clouds. Here are six factors to consider to ensure that your security strategy is portable across all services and service providers.
1. Sweat the SLAs
Specify to any prospective cloud provider what levels of security you need for the assets you’re moving into a public cloud and any restrictions you require regarding how data is stored, backed up, and encrypted. Among the factors to include in a service level agreement (SLA) are data privacy, data flow, data storage, the physical location of data, and the type of encryption used. Cloud providers generally have their own tools and standards in each of these areas, so focus on the desired outcomes rather than technologies.
In regulated industries, specify which compliance standards must be observed and what reporting is required. Be sure your cloud provider is aware of compliance deadlines. For example, some regulations require records to be made available with as little as 24 hours’ notice.
The more provable or measurable your SLA is, the less chance you will have to re-craft it when moving to a cloud provider with different procedures or tools.
2. Practice good data governance
Prior to engaging a cloud provider, classify your data according to what must be kept within the private cloud and what can be safely moved to the public cloud so that your most critical data is under your control.
If budget permits, replicate the cloud data store to your own site or to a trusted third party, so that a provider failure or a decision to leave that provider does not put the data at risk.
3. Secure communications
Many cloud services use the public Internet by default to transmit data. Traffic that crosses the public Internet without protection can be read or altered in transit. Use a virtual private network (VPN) to maintain an encrypted, authenticated “tunnel” between your private cloud and the public infrastructure provider.
Be aware that additional costs and limitations may be involved. For example, it’s important to understand whether a cloud provider supports only a limited set of gateway devices or a specific encryption-in-transit method. Choose devices and protocols that are supported across all platforms you may want to use, so that the tunnel does not become the thing that locks you in.
4. Use strong authentication
A password alone is insufficient for working with sensitive data. Add a second factor, such as a one-time password (OTP) token, a hardware authenticator or biometrics. Be sure any prospective cloud provider supports your preferred method.
Another option is to have cloud services authenticate against your internal directory, such as Microsoft Active Directory or an LDAP directory, rather than against accounts the provider holds. Directory-based authentication makes it easy to switch between cloud services without resetting passwords or changing procedures, keeps credential management in one place, and gives you a single audit trail of who logged in where.
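OTP tokens are worth singling out in a portability discussion because the algorithm behind them is standardised (HOTP in RFC 4226, TOTP in RFC 6238): a token enrolled with one shared secret produces the same codes against any service that implements the standard. The following Go program is an added example, not code from the original article or from Intel Security. It implements HOTP and TOTP from the Go standard library, checks the result against the published RFC test vectors, and includes a verifier that tolerates one 30-second step of clock skew and compares codes in constant time. The secret is the one from the RFC test vectors; the step size, digit count and skew are illustrative choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
// dynamic truncation to a 31-bit integer, then reduction to the requested
// number of decimal digits (zero-padded).
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP implements RFC 6238: the HOTP counter is the number of whole time
// steps (normally 30 s) elapsed since the Unix epoch.
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// Verify accepts a submitted code if it matches the current time step or any
// step within +/- skew steps. Every candidate is compared in constant time so
// that response timing does not reveal how many digits were correct.
func Verify(secret []byte, submitted string, unixTime, step int64, digits, skew int) bool {
	ok := false
	for i := -skew; i <= skew; i++ {
		expected := TOTP(secret, unixTime+int64(i)*step, step, digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// Constructed demo secret: the shared secret used by the RFC 4226/6238
	// test vectors. A real enrolment uses a random secret per user token.
	secret := []byte("12345678901234567890")
	fmt.Println("RFC 6238 vector, T=59, 8 digits:", TOTP(secret, 59, 30, 8)) // 94287082
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	fmt.Println("current code:", code, "accepted:", Verify(secret, code, now, 30, 6, 1))
}
```

The skew window is a deliberate trade-off: one step either side absorbs ordinary clock drift between the token and the server, while a wider window gives an attacker more valid codes to guess. A production verifier should also remember the last step it accepted for each user and refuse to accept a code for that step again, so a captured code cannot be replayed within the window.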
5. Use APIs
Cloud computing has created an explosion of Application Programming Interfaces (APIs), which let applications exchange functionality and data through a defined, controllable interface rather than through direct access to each other’s internals. (For example, APIs are what enable your smartphone to fetch the current temperature without opening the full weather.com site.) Using APIs, administrators can specify what data is available to whom, at what times and under what conditions.
Because an API is a documented contract rather than a provider-specific implementation detail, an application written against it can be moved between cloud platforms with far less rework. And because only that contract is exposed, not your program code or your data store, applications built this way are not only more portable but also present a smaller attack surface.
It’s important, therefore, to specify which APIs you need your cloud provider to support before signing a contract.
6. Hold onto the keys
Sensitive data should be encrypted at all times, both at rest and in motion between your data center and the cloud. This is true even if you use a VPN: the tunnel protects the network path, not the data once it lands in the provider’s storage. Be sure your cloud provider supports your encryption protocol of choice. And in all cases, make sure the keys stay under your control, generated, stored and rotated by you rather than by the service provider, so that the provider cannot read your data and a move to another provider does not require re-encrypting it.
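The usual way to keep the keys in your possession while still storing encrypted objects with a provider is envelope encryption: each object is encrypted under its own data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK) that never leaves your infrastructure. The provider stores only the ciphertext and the wrapped DEK. The following Go program is an added example, not code from the original article or from Intel Security; it uses AES-256-GCM from the Go standard library, binds each ciphertext to its object name so a blob copied to another name will not decrypt, and shows that moving to a new KEK (rotation, or a change of provider) only rewraps the small DEK and leaves the stored ciphertext untouched. The KEK, object names and payload are constructed demo values; in production the KEK would live in an on-premises HSM or key manager.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the only thing handed to the cloud store: the payload ciphertext
// and the per-object DEK wrapped under a customer-held KEK.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Sealed     []byte // nonce || AES-GCM(DEK, payload), tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts plaintext under key with a fresh random nonce. aad is
// authenticated but not encrypted. Returns nonce || ciphertext.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openWith reverses sealWith; any change to nonce, ciphertext or aad fails.
func openWith(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt builds the envelope for one object. objectName is bound in as AAD,
// so a ciphertext copied to a different object name will not decrypt there.
func Encrypt(kek, plaintext, objectName []byte) (*Envelope, error) {
	dek := make([]byte, 32) // fresh 256-bit key per object
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	sealed, err := sealWith(dek, plaintext, objectName)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealWith(kek, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Sealed: sealed}, nil
}

// Decrypt unwraps the DEK with the customer's KEK, then opens the payload.
func Decrypt(kek []byte, env *Envelope, objectName []byte) ([]byte, error) {
	dek, err := openWith(kek, env.WrappedDEK, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK (wrong KEK or tampered envelope): %w", err)
	}
	return openWith(dek, env.Sealed, objectName)
}

// Rewrap moves the envelope to a new KEK without touching the stored payload.
func Rewrap(oldKEK, newKEK []byte, env *Envelope) error {
	dek, err := openWith(oldKEK, env.WrappedDEK, nil)
	if err != nil {
		return err
	}
	wrapped, err := sealWith(newKEK, dek, nil)
	if err != nil {
		return err
	}
	env.WrappedDEK = wrapped
	return nil
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32) // constructed demo KEK
	name := []byte("tenant-a/payroll-2016.csv")
	env, err := Encrypt(kek, []byte("employee,salary\nalice,100000"), name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d bytes of ciphertext and a %d-byte wrapped key\n", len(env.Sealed), len(env.WrappedDEK))
	pt, err := Decrypt(kek, env, name)
	fmt.Printf("owner decrypts: %q (err=%v)\n", pt, err)
	_, err = Decrypt(kek, env, []byte("tenant-b/other.csv"))
	fmt.Println("same blob under another object name:", err)
}
```

Two properties matter for the portability argument. First, the provider never holds anything that decrypts on its own, so the SLA terms about encryption become checkable: you can verify that only wrapped keys and ciphertext leave your site. Second, because only the wrapped DEK changes when the KEK changes, migrating the same objects to a second provider is a bulk copy plus a rewrap, not a re-encryption of every byte.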
Cloud computing provides a wide variety of options for the types of cloud services as well as the providers that sell them. Make sure security doesn’t hold you back from choosing the best one for your needs.