Guest Author: Patty Hatter

Proper security in any enterprise is all about managing the risk to your business. The operative word there is “your.” No two organizations are exactly alike when it comes to their business, so no two risk-tolerance profiles are identical. That’s why performing a risk assessment is a highly individualized endeavor and should be Step One in any mature information security program.

This doesn’t mean each organization has to reinvent the risk management wheel. There’s no shortage of tools and approaches available that provide guidance on calculating information security risks based on existing threats and vulnerabilities and the consequences of a successful attack.

These methods become increasingly important, however, as enterprises continue to build out hybrid cloud environments that combine on-premise, private cloud, and public cloud services, as well as multiple SaaS providers. Hybrid cloud deployments are growing as organizations seek to increase their agility to meet rapidly evolving market and customer demands, while reducing initial cost outlays. Because hybrid deployments introduce different types of complexity – and potentially more risk – to the enterprise, InfoSec policies and practices must keep pace.;

Following are four best practices to help you manage risk in a hybrid cloud environment. 

1. Assess risk, tolerance, and treatment. Security teams should meet with business stakeholders to determine which assets are most essential to the business, and any identified or potential threats against them. The goal is to gauge the probability of a specific threat exploiting a vulnerability or producing a negative business impact.

You may, for example, determine that your online Salesforce automation tool is a critical business asset that would present potentially dire consequences if it were compromised, while an online backup of a low-priority development server presents a less severe risk.

2. Establish effective controls based on the risk treatment. After quantifying risks and defining the risk appetite, the resulting risk treatment strategies will drive the program in a rational, pragmatic, and prioritized way. A particularly risk-averse organization may opt for a “moat” model that essentially ring-fences the datacenter. This creates a zero-trust model in which all access points, regardless of the source, require authentication.

Other organizations may not want to be so restrictive that they inhibit the usefulness of the applications they are protecting. For example, if it becomes too difficult to access and share data from a cloud-based application due to the security controls in place, then many employees may simply not use the application or, worse, try to find ways around the security controls.

A key part of managing risk is to develop strong data classification and data lifecycle management processes. It can also be valuable to include processes to secure, and even destroy, data stored in a public cloud within your SLA’s.

Striking the right balance between risk and productivity also involves educating end users about their own role in protecting the organization’s assets. Your IT team should encourage personal responsibility in mitigating risk through safe cloud behavior. The goal is to empower users to understand the risks while remaining innovative and productive. That’s the best way to ensure the effectiveness of the controls you’re implementing.

3. Ensure visibility across all endpoints. One of the more challenging aspects to securing hybrid clouds is their elastic nature, with an ever-changing mix of compute and network resources located in numerous locations in both the private and public domains. Workloads in hybrid environments is nearly impossible to track using conventional approaches. To apply the proper level of monitoring diligence, you first need to understand where your critical assets and data are housed.

To effectively secure all these resources – including virtual servers and software-defined networks – IT must keep an inventory of services and endpoints and map each component to the risk assessment to understand which resources are associated with different applications and workloads.

Do you have a security management connection with your cloud infrastructure provider to enable asset discovery scanning? You should, because this connection provides visibility as to how many images are in the cloud and what is online or offline. This helps you to enforce security policies and check if things like antivirus and intrusion-detection systems are up-to-date.

4. “Templatize” services to bring shadow IT to light. Since employing cloud services is so easy, business users are provisioning their own cloud services without IT’s knowledge, and without proper security controls in place. Having your IT department offer predefined templates for services and an automated workload provisioning process can help to protect the infrastructure not managed by  IT and maintain a more accurate inventory of services in use. This will go a long way to ensure that each new VM, application, or workload deployed to or from the cloud has the appropriate security policy assigned to it, based on the level of risk associated with the application and the data it will be handling. It is crucial that shadow IT becomes visible so that it can be secured with the same policies and technologies that apply to IT-managed infrastructure.The hybrid cloud has opened up tremendous elastic computing power for enterprises.  As organizations deploy a broad and varied mix of services across private and public cloud environments while maintaining on-premises infrastructure, it is imperative that new processes are put in place for integrated security. Each deployment requires different approaches to managing risk.

For more tips, tools, and techniques for protecting IT environments of all types, including hybrid clouds, check out the information risk management section of the ISO27k Information Security Management System FAQ.

About the Author: