Those adages about hybrid cloud strategies are true… Several enterprises are expected to deploy a mixed IT infrastructure that includes both private and public clouds as well as non-cloud applications.
Evans Data CEO Janel Garvin deemed hybrid cloud a reasonable approach to cloud computing. A survey conducted by the market research firm among 400 developers concludes that hybrid cloud is set to be at the center of the future IT landscape, and 60% of the polled IT shops were planning to integrate a hybrid cloud model.
Security threats, however, remain a concern for many enterprises. Hybrid cloud security has multiple facets: there are security issues pertaining to exposed APIs, on-premise data resources and smart devices that connect to the cloud infrastructure.
Aalto University's Koushik Annapureddy published a report stating that 83% of enterprises considered security to be important for hybrid cloud selection. It was rated as the most important criterion, followed by backing up of data (79%) and continuous data protection (76%).
Hybrid cloud: security threats to watch out for
Each hybrid cloud is unique, making security an utmost priority. The following are some of the biggest security challenges associated with this cloud model:
Exposed APIs and interfaces
APIs are a part of the hybrid cloud model, and organizations as well as third parties are known to build upon these interfaces by deploying add-ons. This cloud infrastructure has several hundred, if not thousands, of APIs at any given time.
Hybrid cloud APIs become susceptible to security breaches when organizations give credentials to third-party developers. Published research by University of Texas and Stanford University researchers says that APIs can be utilized to gain access to sensitive data through integrated applications. Other reasons that make APIs vulnerable include poor initial configuration and ease of access.
The data of a particular company using hybrid cloud can be commingled with the data of another company on the same server, so an attack on one user can compromise the data availability of the entire group. The same principle applies to data seizure: the FBI seized servers in a raid on two Texas data centers back in 2009, and even enterprises unrelated to the investigation had to suffer.
Attackers are also aware of the hybrid cloud model and know that data moves through different cloud environments. However, a hybrid cloud provider may not notify a company when its servers are breached because, depending on its policy, it may not be required to disclose breaches of personal information.
The multi-tenant nature of the hybrid cloud makes malware from smart devices a lot more complicated to deal with. Because information is commingled, tracking down the devices that introduce malware can be difficult, especially when the BYOD policy is trying to maintain privacy.
A survey cited by Tripwire reveals that 80% of organizations use cloud-based applications to support business processes and allow employees to use personal devices to access enterprise networks. Also, 50% reported problems with employees accessing sensitive data after being terminated. Trojans and other malware from their devices can be replicated across the entire hybrid cloud infrastructure.
Hybrid cloud: tightening security
As with every cloud model, organizations can follow security best practices to mitigate possible threats. They should also keep tabs on new trends in hybrid cloud security.
For example, Dr. Murat Kantarcioglu from the University of Texas at Dallas was part of a team that invented an algorithm that helps companies create a risk-aware hybrid cloud strategy. He and his colleagues set up a framework that distributes data and processing across the hybrid cloud while accounting for sensitive data disclosure risk and conflicting performance goals. Organizations keeping up with such innovations can better manage hybrid cloud security.
Best practices, on the other hand, can include monitoring API usage patterns in the cloud infrastructure and using tools and services to track the API status. Any peak in usage can indicate a security breach. The same strategy can work to track BYOD malware and to make sure that employees comply with BYOD policies related to hybrid cloud infrastructure use.
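One way to implement the usage-pattern monitoring described above, shown as an added example that is not part of the original article: each API credential is compared against its own history, so a busy but steady key stays quiet while a third-party key that suddenly peaks is flagged. The key names, hourly counts and threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: hourly request counts per API credential, as an API
# gateway might export them. Key names and numbers are hypothetical.
SAMPLE = {
    "partner-addon": [110, 95, 120, 105, 98, 112, 101, 2400],
    "internal-batch": [900, 950, 1000, 920, 980, 940, 960, 990],
}
ROWS = [(h, k, c) for k, counts in SAMPLE.items() for h, c in enumerate(counts)]


def find_usage_spikes(rows, threshold=3.5, min_history=6):
    """Return (key, hour, count, score) for hours far above a key's own baseline.

    rows: iterable of (hour, api_key, request_count).
    The baseline is the median of all earlier hours for that key and the
    spread is the median absolute deviation (MAD), so one earlier spike
    does not inflate the baseline the way a mean/stddev would.
    """
    series = defaultdict(list)
    for hour, key, count in sorted(rows):
        series[key].append((hour, count))

    alerts = []
    for key, points in series.items():
        # Keys with too little history are skipped, not treated as normal:
        # a brand-new credential needs a separate review rule.
        for i in range(min_history, len(points)):
            history = [c for _, c in points[:i]]
            med = median(history)
            # A perfectly flat history gives MAD 0; fall back to 1 request.
            mad = median(abs(c - med) for c in history) or 1.0
            hour, count = points[i]
            score = 0.6745 * (count - med) / mad  # modified z-score
            if score > threshold:  # only peaks, not drops, are flagged
                alerts.append((key, hour, count, round(score, 1)))
    return alerts


if __name__ == "__main__":
    for key, hour, count, score in find_usage_spikes(ROWS):
        print(f"ALERT key={key} hour={hour} requests={count} score={score}")
```

An alert here is a prompt to investigate that credential (who holds it, what it accessed during the peak), not proof of a breach.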
The best way forward for limiting data risks and damage would be to choose a hybrid cloud provider that notifies customers of any breach on its servers, regardless of whose data is involved.
Locating a Silent Cloud Breach
Even with alert systems in place and intrusion tracking active, you can be sure that a cyber criminal with enough time and skill may break through. All it takes is one weak link. What is missing is proactive external monitoring of this data. Anything shared or stored in the cloud has a unique digital identifier, and this can be picked up if it surfaces anywhere.