Data security is always a concern for enterprises. When they move to a hybrid cloud environment, however, new challenges emerge. Top on their list: how to apply existing security principles to a new architecture.

According to a report published by 451 Research, 59 percent of the senior IT security executives surveyed said maintaining consistent access security and authorization controls across environments was a significant challenge. Other hybrid security challenges respondents identified:

• Securing movement of data and workloads across environments (55 percent)
• Securing data residing in a third-party or hosted environment (54 percent)
• Maintaining consistent network security policies for security domains (49 percent)
• Ensuring compliance with regulatory and policy requirements (45 percent)

For the most part, the survey respondents said they are turning to cloud service providers (CSPs) to address those challenges. The report, titled Critical Security and Compliance Considerations for Hybrid Cloud Deployments, found 90 percent of respondents actively use cloud service provider tools for security and compliance.

To fill the security gaps in areas such as encryption, access management, key management and network firewalling, respondents said they use products from security vendors that are designed to operate in cloud service provider environments or private cloud environments.

Complex security requirements

While many organizations use CSP security tools, two-thirds of the respondents said their organizations’ security and compliance requirements are more complex than what is offered in the tools CSPs provide.

“Public CSPs have some levels of security,” said Ken Won, director of Cloud Solutions Marketing at Hewlett Packard Enterprise (HPE), which commissioned the report. “The challenge is when you have a mix of public and private because you want the security to be the same for both. You want consistent policies and tools.”

That follows what the study’s respondents said: “They want to be able to maintain a consistent set of security settings and policies when moving workloads dynamically between public and private cloud environments,” according to the report.

Tools can help with consistency—to monitor, detect and respond to threats, Won said. The key is to have a single tool that looks at private and public clouds.

“You want tools that apply across the entire environment that check for compliance drift,” he said. “With access management, you want one set of policies for both environments—public and private.”

Securing hybrid cloud environments

To ensure hybrid cloud environments remain secure, Won suggested organizations do the following:

1. Protect your hybrid infrastructure with data-centric security. You want unified data protection across private and public cloud and traditional IT, Won said. This includes ensuring data is encrypted the entire time—while in the cloud and in transit—and that the encryption technology works with the platform.

2. Harden your dynamic hybrid infrastructure. This involves having fortified security zones to reduce attack surfaces. “A firewall-only approach doesn’t work anymore,” Won said. “You want to use microsegmentation to create security zones. So if an intruder gets into one segment, he can’t get into others.”

3. Proactively monitor, detect and respond to threats to your hybrid infrastructure. Organizations should have tools that monitor consistently across all cloud environments to provide complete visibility into their hybrid cloud infrastructures.

4. Provide continuous regulatory compliance for your hybrid infrastructure.

5. Manage access to your hybrid infrastructure. Organizations should have consistent access policies that are maintained across all cloud environments.

The need to maintain control, protect information and ensure visibility to identify threats or security incidents is the same in a hybrid cloud environment as in a traditional environment. With hybrid environments, however, 451 Research agrees that controls must be extended across consistently across multiple environments.

“The challenge is to push your cloud vendors to make the consumption of enterprise security and compliance policies seamless for their environment and enable micro-segmentation,” the research company said.

Photo credit: Brett Jordan via flickr