The challenges of hybrid cloud adoption [Q&A]
Cloud is used for all kinds of data processing nowadays, but there are still some things that need to be kept in-house, whether for performance, compliance or other reasons.
This has given rise to the hybrid model, which mixes cloud and on-premise solutions and is becoming increasingly popular. We spoke to Derek Taylor, lead principal security consultant at Trustwave, to find out more about the security and supply chain challenges that hybrid adoption presents.
BN: What is hybrid cloud and what are its advantages?
DT: There's obviously a number of different modes of operation of cloud. Hybrid specifically is about using a mix of your own computer equipment, data centers, servers, whatever they may be, as well as elements of a public or private cloud, traditional third party providers, infrastructure and that enables the business to work from a functional and performance point of view.
Hybrid is the deployment model that's arguably the most common because it does enable that business flexibility of having some of your data in your own organization, some of your data elsewhere, and providing that scalability of service. It may be easiest to compare that to the concept of either having everything on your own data centers when you're paying for all of that infrastructure directly -- and it's an awful lot of capital expenditure (CAPEX). Whereas, using a third party means operational expenditure (OPEX). Hybrid, as the name suggests, means there's a mix of both.
BN: Are there particular risks that hybrid poses for keeping systems secure?
DT: Hybrid, in and of itself, is not any different to using any other deployment model. And, to be fair, a large bulk of cloud security is no different to any other type of cybersecurity. There are three things to focus on.
The first is service level agreements: if you're using a third party to provide you with pretend infrastructure you will only be allowed to do, or use, or investigate up to whatever is included in your contract. The supply chain management aspects of security can be quite convoluted, particularly because while you may be interacting with the cloud provider, those providers in turn may use subcontractors to other third parties. And that can get even more convoluted particularly where multiple geographies or legal jurisdictions across the globe come into play.
The second aspect I would suggest would be encryption. There are three types of encryption: data, data in motion and use of data. Most people think of stuff as being encrypted on a hard drive or USB key, but it can be encrypted on their service providers' computers. You also need to think about how you are transferring that data to the cloud, so data in motion is the second component, and then there's actually also data use encryption. This is pretty small by many orders of magnitude in comparison to other types of encryption and it's not very common but there certainly are possibilities around encryption of data as it's used.
Then the third aspect of it is identity and access management and this leads to a whole broader range of topics. People, non-IT people, tend to have a view of security as being a hindrance, so you need to make that security as seamless as possible. Obviously, most people think about passwords in terms of access or accessing their data, but increasingly common these days are two-factor authentication mechanisms such as SMS text messages or maybe people have applications on their mobile phone or authenticator applications for a special code. Some have tokens too, so there's multiple ways of providing multi-factor authentication. And then think about your broader data security once you've got access: if someone's authenticating once, does that give them keys to everything or just a limited amount of data?
Hybrid tests complexity, whereby you are trying to provide all of that access control data mapping and business use case process mapping across both your infrastructure as well as a third party's infrastructure and unifying the two to work seamlessly can be a very significant implementation challenge.
BN: Is supply chain risk an area where there needs to be more awareness?
DT: Yes, I'd say that a lot of organizations assume that when they outsource IT operations they almost outsource any accountability and/or responsibility for security, but that's not actually true. Individual organizations are always, always accountable for their own security irrespective of any third party provider or anything else. What you need to understand is who is responsible for which aspects of security and that comes back to the contract rules.
There are different kinds of deployment, the easiest one is software-as-a-service, that's basically something like Gmail, where there's nothing to do other than log in to Google. You then look after everything subject to whatever settings you apply. Basically you, as a user, are really only responsible for your data. The application, the platform that application sits on at the infrastructure, the physical kit or data center overlaps is handled by Google. So for SaaS basically the user has the least amount of responsibility, but they're still ultimately responsible for the data and ultimately they're still accountable.
Again this is about contract negotiation. Businesses might assume, for instance, that they can do detailed forensic investigations in the event of a data breach, but actually if that's not explicit in the contract you might not be able to. Even though this third party company may steal your data. This applies to other models as well, such as platform-as-a-service and infrastructure-as-a-service; you are always responsible for securing your own data.
BN: Does the same apply to compliance, where you've got regulated industries like finance and healthcare for example?
DT: Yes, it's important to conduct supply chain audits; you have to understand your physical location and where your data is potentially residing or passing through. This is particularly true in financial services where you have quite strict geographical limitations to data transfers. You can also have issues these days with things such as GDPR, CCPA and other privacy regulations for individuals.
Here again the legal aspects of cloud security contract negotiation are so important. If you don't get that first step right you might find that you've made assumptions that are bad about what you can or cannot do or where your data is residing or passing through.
BN: How much extra risk does the recent shift to remote working pose?
DT: It’s been fashionable for the better part of a decade to talk about digital transformation, but that can mean many things to different people. But 2020 has certainly seen organizations face challenges because of the coronavirus.
At the start of the year, we saw organizations struggle to maintain functionality, so that the broad assumption was that people will go to a place of work, and that place of work is looked after by centralized security with only a small percentage of people typically working from home. So organizations have had to react very quickly to enable productivity and functionality for their workforce. This has also accelerated the implementation of a number of trends in the security market which have been bubbling away for the last couple of years, in particular the adoption of zero trust.
There's always a tension between security and business enablement. If you push too far one way then systems are too hard to use so people find ways around them; 20 years ago it was a case of, perhaps, sending attachments to a personal email address, today it's unauthorized cloud services.
BN: Do you think data security needs to get a higher profile at board level?
DT: Cybersecurity should be no different in corporate risk management and operational risk management processes than any other type of risk. Yes, companies are more reliant on technology and when these are becoming more and more complex cybersecurity should be part of risk management. But it should absolutely not be seen as this kind of scary, ugly, horrible thing that the nerds and the geeks look after. It should be part of the overall conversation, that an IT person was sitting at the table was the most important thing, then it's for boards to decide on their risk appetite and manage those risks accordingly.