The average company today is a hybrid collection of traditional on-premise and cloud-based IT solutions. On-premise solutions may include identity and authorization servers, custom applications, packaged applications, and local data repositories. Cloud services fulfill a wide variety of business tasks such as document sharing, group collaboration, customer relationship management, payment processing, marketing, and communication. This combination of on-premise and cloud services is called Hybrid IT.
On-premise applications require equipment purchases, software deployment, and user training, but cloud services can be purchased with a credit card and used almost immediately. As a result, the same rigor in assessing business need, risk, and other factors is often not applied when cloud applications are adopted.
Getting up to speed
Hybrid IT can be difficult to manage when different users, who may or may not be tech-savvy, utilize cloud systems in whatever way they deem best for the situation. Many organizations are now in a hybrid IT situation that was largely unplanned. Follow these steps to get up to speed.
- Identify the cloud solutions in place.
- Determine if it is feasible to continue using the solutions.
- Transfer administrative credentials to IT.
- Create an approved application list.
- Enforce restrictions through network and endpoint controls on which cloud services can be utilized for organizational data.
- Standardize security controls on systems including those in organizational private clouds.
Identify a security solutions provider that can deploy consistent security controls across your on-premise equipment, private clouds, and other assets, preferably one that has addressed the technical challenges of Advanced Persistent Threats (APT) and zero-day exploits. Such solutions also help meet increasingly stringent compliance requirements and give datacenter owners visibility from below the operating system, so they can see activity that in-guest tools miss and act on it.
The most frequently cited risk in hybrid IT is the potential loss of organizational control over customer, employee, and business data. Without effective endpoint and network security controls, a single user may sign up for a cloud platform with a personal email address, load organizational data into it, and then leave the organization. Their successor tries to assume control of the account and finds there is no way to do so: the data is tied to an identity the organization never owned.
Organizations need to strike a balance between agility and administration. There needs to be a level of control over which cloud applications are used for business purposes, but the process for evaluating and approving applications needs to be able to keep pace with today’s fast-paced business. See the suggested steps below.
- Establish a procedure for requesting a cloud application.
- Create a semi-automated workflow from the procedure.
- Establish a cross-functional approval group that will respond to requests through the workflow.
- Educate employees on the process.
Hybrid solutions are often user- or department-initiated with little or no involvement of the IT department or those responsible for security within the organization. Cloud applications may change the organizational risk profile, but the business as a whole is often unaware of this change in risk and therefore cannot evaluate whether actions are required to reduce the risk to an acceptable level. One way for data center administrators to stay informed about such risks is to deploy solutions such as Hypervisor Introspection, which evaluates security from outside the virtual machine by analyzing guest memory at the hypervisor level. This ensures consistent security management and awareness even when users or administrators deploy non-standard virtual machines. Note that this covers workloads hosted on the organization's own virtualization platforms; third-party SaaS applications are outside its reach and must be governed through the approval process and the endpoint and network controls described here.
From there, a combination of endpoint and network controls, such as software restriction policies enforced by agents on user machines and traffic filtering (proxy, DNS, or firewall rules) on the network, can be used to restrict access to unapproved cloud services and applications. This way, users are required to go through the request process to get an application approved.
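The network-control side of the two steps above (restricting organizational data to approved cloud services, and filtering traffic so that unapproved services are blocked) comes down to an allowlist and a way to check traffic against it. The following is an added example, not code from the original post or from Bitdefender. It reviews constructed forward-proxy log lines against an assumed approved-application list, reports the unapproved destinations with the users involved and how many requests actually pushed data out, and renders the same list as a Squid `dstdomain` allowlist that denies everything else. Every domain name, user name and log line is made up for illustration.

```python
"""Check forward-proxy logs against an approved cloud-service list.

Added example. All domain names, user names, the log layout and the
APPROVED_SERVICES table are constructed for illustration (assumptions),
not taken from any real deployment or from the original article.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumed approved application list: domain -> business purpose.
# Subdomains of an approved domain are treated as approved too.
APPROVED_SERVICES = {
    "docs.example-collab.com": "document sharing",
    "crm.example-crm.com": "customer relationship management",
}

# Request methods that carry data out of the organization.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed log lines in a simplified, Squid-like layout:
# <epoch> <client_ip> <user> <method> <url-or-host:port> <status>
SAMPLE_LOG = """\
1700000000.123 10.1.2.3 alice GET https://docs.example-collab.com/file/1 200
1700000001.456 10.1.2.4 bob POST https://api.docs.example-collab.com/upload 200
1700000002.789 10.1.2.5 carol PUT https://files.unvetted-share.net/up 200
1700000003.000 10.1.2.5 carol GET http://files.unvetted-share.net/list 200
1700000004.321 10.1.2.6 dave CONNECT crm.example-crm.com:443 200
1700000005.654 10.1.2.7 erin CONNECT mail.personal-webmail.example:443 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d+)$"
)


def host_of(target: str) -> str:
    """Destination host from a full URL or a CONNECT-style host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    host, _, _ = target.rpartition(":")  # "host:port" -> "host"
    return (host or target).lower()


def is_approved(host: str, approved=APPROVED_SERVICES) -> bool:
    """True when host is an approved domain or a subdomain of one.

    A plain substring check would be wrong: 'crm.example-crm.com.attacker.test'
    must not match, and neither must 'notdocs.example-collab.com'.
    """
    return any(host == d or host.endswith("." + d) for d in approved)


def parse(log_text: str):
    """Yield parsed records, skipping lines that do not match the layout."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_unapproved(log_text: str, approved=APPROVED_SERVICES) -> dict:
    """Summarize traffic to hosts that are not on the approved list.

    Returns {host: {"users": set, "requests": int, "uploads": int}}.
    """
    findings: dict[str, dict] = {}
    for rec in parse(log_text):
        host = host_of(rec["target"])
        if is_approved(host, approved):
            continue
        f = findings.setdefault(host, {"users": set(), "requests": 0, "uploads": 0})
        f["users"].add(rec["user"])
        f["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            f["uploads"] += 1
    return findings


def squid_allowlist(approved=APPROVED_SERVICES) -> str:
    """Render the approved list as a Squid ACL that denies everything else.

    The leading dot in a dstdomain entry makes Squid match subdomains too,
    mirroring is_approved() above.
    """
    lines = [f"acl approved_cloud dstdomain .{d}" for d in sorted(approved)]
    lines += ["http_access allow approved_cloud", "http_access deny all"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ranked = sorted(find_unapproved(SAMPLE_LOG).items(),
                    key=lambda kv: (-kv[1]["uploads"], -kv[1]["requests"]))
    for host, f in ranked:
        print(f"{host}: {f['requests']} requests, {f['uploads']} uploads, "
              f"users={sorted(f['users'])}")
    print(squid_allowlist())
```

The report ranks unapproved hosts by upload count first, since a PUT or POST to an unvetted service is the concrete "organizational data left the building" event the text warns about, while a CONNECT tunnel only tells you a TLS session was opened. The Squid fragment is deliberately default-deny: anything not on the approved list is blocked, which is what forces users into the request process rather than around it.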
Next, using the workflow developed earlier, the information collected on the approved cloud applications and services can be compiled into a report for risk management. The entire process of creating this document can be automated in the workflow. The cross-functional approval team should already include someone from risk management, but this portion of the process involves a more in-depth review of the hybrid IT portfolio of applications against the organizational risk tolerance threshold. Risk management can then make recommendations to ensure that risk is kept to acceptable levels.
Reducing attack surface
In some cases, a cloud application is adopted by a user or department when another cloud application has already been adopted to satisfy the same need. Redundant cloud services increase management costs as well as the attack surface because they create additional potential avenues for attackers to obtain access to organizational data or systems.
- Determine which cloud service offers the greatest fit for the organization.
- Train users of the redundant service on how to use the preferred one.
- Transfer data from one service to the other.
- Terminate the redundant service.
Hybrid IT offers organizations an excellent way to augment existing on-premise IT offerings with cutting-edge cloud services. However, it can also be a nightmare if not managed properly. Some companies are in a precarious security position. Yet, the problem is not insurmountable. With some planning, automation, discipline and the right mix of endpoint and network security controls, organizations can deploy and manage hybrid IT so that attack surfaces, cloud costs, and management time and efforts are minimized.
As always, thoughts and ideas are my own. This insight wouldn’t be possible without the help of my associates at Bitdefender.