The main goal of hybrid cloud security is to protect the data, applications, and infrastructure of a hybrid cloud IT architecture. That architecture combines multiple IT environments (including at least one public or private cloud) and integrates a number of workloads together with portability, orchestration, and management capabilities.
A hybrid cloud offers opportunities to reduce the potential exposure of data: you can keep sensitive or critical data somewhere outside the public cloud. This reduces the risk of data leakage while still making full use of the advantages of cloud technology.
Why choose a hybrid cloud to enhance security? A hybrid cloud lets companies place each workload and its data in a relatively safe logical system, chosen according to compliance, audit, policy, or security requirements.
Although the environments that make up a hybrid cloud are different and relatively independent, workloads can be migrated between them using containers, which package resources and workloads for transfer, and encrypted application programming interfaces (APIs). This independent but still interconnected architecture lets an enterprise run its critical workloads in the private cloud while running less sensitive workloads in the public cloud. Such a configuration minimizes data leakage and lets enterprises flexibly customize their combination of IT products.
What challenges does hybrid cloud security face?
Protect your data
Encryption limits the leakage of organizational data. The same data may be in transit at one moment and at rest at another, so you need security mechanisms that prevent leakage in both states.
Compliance and governance
If you work in a sector with strict regulatory requirements, such as healthcare, finance, or government, a hybrid cloud architecture may require attention to more aspects. For example, you need to know how to check distributed environments for regulatory compliance, how to implement security benchmarks for custom or regulatory requirements, and how to prepare for security audits.
Security in the supply chain
Hybrid cloud environments usually contain products and software from multiple vendors within complex ecosystems. You therefore need to understand how your cloud service providers test and manage their software and products: when and how they review source code, which implementation guidelines and methods they follow, and how and when they provide updates and patches.
Components of hybrid cloud security
Like the security of an on-premises data center, hybrid cloud security usually consists of three parts: physical, technical, and management controls.
Physical controls protect your actual hardware and include familiar measures such as locks, guards, and security cameras. Technical controls are the protective measures built into the design of the IT system, such as encryption and decryption, web identity authentication, and management software; most of the powerful security tools in a hybrid cloud are technical controls. Management controls are processes designed to help people handle day-to-day work in a way that enhances security, such as training and disaster recovery planning.
Physical control of hybrid cloud security
Because a hybrid cloud can span multiple geographic locations, physical security is a special challenge. You can no longer draw a physical control boundary around all of your hosts and put a lock on it, as you could in the past.
For shared resources such as a public cloud, you can sign a service level agreement (SLA) with your cloud service provider that defines the physical security standards to be met. For example, some public cloud providers sign agreements with government customers that restrict certain personnel from accessing designated physical hardware.
However, even with a good SLA, relying on a public cloud provider's services still reduces the control you originally had to some extent, so you need to strengthen security controls in other areas.
Technical control of hybrid cloud security
Technical controls are the core of hybrid cloud security. Because a hybrid cloud is centrally managed, technical controls are easier to implement. Common hybrid cloud technical controls include encryption, automation, security orchestration, access control, and endpoint security.
Encryption
Where the service system is exposed to physical threats and stored data could be read and leaked, encryption greatly reduces that risk. You can encrypt both data at rest and data in transit:
Encryption to protect data at rest includes:
Full disk (partition) encryption protects the data on your hard disk while the machine is shut down. Here you can use the Linux Unified Key Setup-on-disk (LUKS) format, which encrypts each partition on the drive in bulk.
Hardware-level encryption protects a drive against unauthorized connection (that is, being removed and attached to another hardware system) and access. Here you can use a Trusted Platform Module (TPM), a hardware chip that stores encryption keys. Once the TPM is enabled, the drive stays locked until the user has authenticated and completed login.
Root volume encryption without manually entering a password. If you have built a highly automated cloud environment, extend that automation to encryption. On Linux, use Network Bound Disk Encryption (NBDE) on both physical and virtual machines. Note: you can also combine a TPM with NBDE, letting NBDE protect the cloud network environment and the TPM protect the local environment, for two layers of protection.
Encryption to protect data in transit includes:
Encrypted network sessions. Data in transit is at far greater risk of interception and modification than data at rest. Here you can use IPsec, an extension of the IP protocol that uses cryptography to encrypt the transmission channel.
Mature, standards-based security products. Here you can refer to Federal Information Processing Standard (FIPS) 140-2, the NIST security requirement for cryptographic modules, which provides the basis for evaluating, validating, and ultimately certifying cryptographic modules that protect high-risk data for US government agencies.
Automation
It is well known that, for security and compliance, the risks of manual monitoring often outweigh the rewards. Manual patching and configuration management also carries the risk of inconsistent implementation. In practice, when a security incident is caused by human oversight and the records of which patches and configurations were applied have been lost along the way, the result is finger-pointing between team members. Manual identification and monitoring also consumes more time.
Automation, in contrast, lets operations teams quickly set rules, share and verify implementation processes, and makes security audits more efficient. When evaluating a hybrid cloud environment, consider automating the following:
Monitoring the operating environment.
Checking current compliance.
Patch management.
Custom or regulated security benchmarks.
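One way to automate the compliance check and security benchmark items above, as an added example that is not code from the original article: a small Python benchmark runner that evaluates a host inventory against a set of named rules and reports which rules each host fails. It goes slightly beyond the list by folding in the article's other points as rules: sensitive workloads stay in the private cloud, disks are encrypted at rest, sessions do not negotiate below TLS 1.2, patches are recent, and sensitive hosts run FIPS 140-2 validated crypto. The inventory records, host names, rule ids and the 30-day patch threshold are all constructed for the demo.

```python
"""Compliance-benchmark runner for a hybrid cloud host inventory.

Added example, not code from the original article. The inventory, rule
ids and thresholds are all constructed for the demo; in practice the
inventory would come from the cloud providers' APIs or a CMDB export.
"""
from datetime import date
from typing import Callable

# Fixed evaluation date so the demo is deterministic (real runs use date.today()).
TODAY = date(2024, 6, 1)
MAX_PATCH_AGE_DAYS = 30

# Constructed inventory: one record per host, spanning the private and public halves.
INVENTORY = [
    {"host": "db-01", "env": "private", "classification": "sensitive",
     "disk_encryption": "luks+nbde", "tls_min_version": "1.2",
     "last_patch": "2024-05-20", "fips_mode": True},
    {"host": "web-07", "env": "public", "classification": "public",
     "disk_encryption": "provider-managed", "tls_min_version": "1.0",
     "last_patch": "2024-03-01", "fips_mode": False},
    {"host": "etl-03", "env": "public", "classification": "sensitive",
     "disk_encryption": "none", "tls_min_version": "1.2",
     "last_patch": "2024-05-28", "fips_mode": True},
]

Rule = Callable[[dict], bool]  # a rule returns True when the host passes


def sensitive_in_private(h: dict) -> bool:
    """Sensitive workloads must stay in the private cloud."""
    return h["classification"] != "sensitive" or h["env"] == "private"


def encrypted_at_rest(h: dict) -> bool:
    """Every host needs some form of disk encryption."""
    return h["disk_encryption"] != "none"


def tls_at_least_1_2(h: dict) -> bool:
    """Network sessions must not negotiate below TLS 1.2."""
    major, minor = (int(x) for x in h["tls_min_version"].split("."))
    return (major, minor) >= (1, 2)


def patched_recently(h: dict) -> bool:
    """The last patch run must be within MAX_PATCH_AGE_DAYS."""
    age = (TODAY - date.fromisoformat(h["last_patch"])).days
    return age <= MAX_PATCH_AGE_DAYS


def fips_for_sensitive(h: dict) -> bool:
    """Sensitive workloads must run with validated (FIPS 140-2) crypto modules."""
    return h["classification"] != "sensitive" or h["fips_mode"]


# The benchmark is an ordered map of rule id -> rule; extend it per regulator.
BENCHMARK: dict[str, Rule] = {
    "placement-sensitive-in-private": sensitive_in_private,
    "encryption-at-rest": encrypted_at_rest,
    "tls-minimum-1.2": tls_at_least_1_2,
    "patch-age-within-30-days": patched_recently,
    "fips-140-2-for-sensitive": fips_for_sensitive,
}


def evaluate(inventory: list[dict],
             benchmark: dict[str, Rule] = BENCHMARK) -> dict[str, list[str]]:
    """Return {host: [ids of failed rules]}; an empty list means compliant."""
    return {h["host"]: [rid for rid, rule in benchmark.items() if not rule(h)]
            for h in inventory}


def compliant_hosts(report: dict[str, list[str]]) -> list[str]:
    """Hosts with no failed rules, sorted for stable output."""
    return sorted(host for host, failed in report.items() if not failed)


if __name__ == "__main__":
    report = evaluate(INVENTORY)
    for host, failed in report.items():
        status = "PASS" if not failed else "FAIL " + ", ".join(failed)
        print(f"{host:8s} {status}")
    # Non-zero exit so a CI job or scheduler can gate on the result.
    raise SystemExit(0 if len(compliant_hosts(report)) == len(report) else 1)
```

Because every rule is a plain function keyed by a stable id, the same runner can carry a custom benchmark and a regulator's benchmark side by side, and the failed-rule ids give an auditor a direct record of what was checked and when.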
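The "monitoring the operating environment" item above can also be applied to the at-rest encryption controls from the Encryption section (LUKS, TPM, NBDE). As an added example that is not code from the original article, the Python script below walks the JSON tree that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on a Linux host and flags every mounted filesystem or swap area that has no dm-crypt (LUKS) layer anywhere beneath it. The sample tree, device names and mountpoints are constructed for the demo; `/boot` is listed as expected plaintext because the bootloader must read the kernel before LUKS is opened, and treating that as a policy exception rather than a finding is an assumption of this example.

```python
"""Audit a Linux block-device tree for data that is not encrypted at rest.

Added example, not code from the original article. It consumes the JSON
that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints; SAMPLE_LSBLK below
is constructed so the script runs offline.
"""
import json
import subprocess
from typing import Iterator

# Constructed sample: sda carries a plaintext /boot, a LUKS-backed LVM root
# and swap, and a plaintext /data partition; sdb is a LUKS-encrypted disk.
SAMPLE_LSBLK = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "luks-root", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null,
           "children": [
             {"name": "vg0-root", "type": "lvm", "fstype": "xfs", "mountpoint": "/"},
             {"name": "vg0-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
           ]}
        ]},
       {"name": "sda3", "type": "part", "fstype": "xfs", "mountpoint": "/data"}
     ]},
    {"name": "sdb", "type": "disk", "fstype": "crypto_LUKS", "mountpoint": null,
     "children": [
       {"name": "luks-backup", "type": "crypt", "fstype": "ext4", "mountpoint": "/backup"}
     ]}
  ]
}
"""

# Mountpoints allowed to be plaintext by policy (assumption of this example):
# the bootloader has to read the kernel and initramfs before LUKS is opened.
EXPECTED_PLAINTEXT = {"/boot", "/boot/efi"}


def _walk(node: dict, under_crypt: bool) -> Iterator[tuple[str, str, bool]]:
    """Yield (name, mountpoint, encrypted) for every mounted node, tracking
    whether a dm-crypt layer sits anywhere above it in the device tree."""
    encrypted = under_crypt or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        yield node["name"], mountpoint, encrypted
    for child in node.get("children") or []:
        yield from _walk(child, encrypted)


def unencrypted_mounts(lsblk_json: str) -> list[tuple[str, str]]:
    """Return (device, mountpoint) pairs holding data with no encryption layer
    beneath them, excluding the mountpoints in EXPECTED_PLAINTEXT.
    Swap is included on purpose: it can hold pages of sensitive memory."""
    tree = json.loads(lsblk_json)
    root = {"children": tree["blockdevices"]}
    return [(name, mnt) for name, mnt, encrypted in _walk(root, False)
            if not encrypted and mnt not in EXPECTED_PLAINTEXT]


def audit_live_host() -> list[tuple[str, str]]:
    """Run lsblk on this machine (Linux only) and audit its real device tree."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for dev, mnt in unencrypted_mounts(SAMPLE_LSBLK):
        print(f"UNENCRYPTED  {dev:12s} mounted at {mnt}")
```

Run periodically from a scheduler or configuration-management job, `audit_live_host()` turns the at-rest encryption requirement into a monitored control: a new plaintext volume shows up as a finding instead of waiting for the next manual audit.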