5 steps to a secure hybrid cloud

The maturity of security and compliance in the hybrid cloud lags behind that of software development. Review your cloud strategy.

Author: Cyrill Rüttimann

The hybrid cloud promises faster time-to-market, higher efficiency and more resilience. But does this promise also apply to security and compliance with internal guidelines and regulatory requirements? 

Our project experience shows that the maturity of security and compliance clearly lags behind that of functionality. It is therefore essential to review the security and compliance of your Hybrid Cloud strategy. You can do this by following 5 concrete steps.

Hybrid Cloud as catalyst to become faster and more agile

The Hybrid Cloud is the means of choice for Swiss companies to gradually move their workloads from their own data center to the Public Cloud. This strategy promises to combine the advantages of on-premises infrastructure and the public cloud.

These are:

  • More efficient solution delivery through the use of cloud services
  • More resilience of the solutions in terms of load, reliability, proximity to the customer
  • Self-service for developers, which avoids the bottleneck of central IT or engineering
  • Pay only for the resources actually needed
  • Sensitive data can be kept on-premises
  • A gradual exit from your own data center

The issue of security and compliance is underestimated

What is often overlooked is that the cloud provider ensures only the security of the cloud itself. You, as a business owner or leader, remain responsible for security and compliance in the cloud.

For example:

  • Configuring cloud services so that your data is protected from unauthorized access
  • Configuring encrypted communication and encrypted persistence of your data
  • Assigning and removing roles for access to your resources
  • Controlling the access of cloud services to your company data
  • Applying patches to the software stacks you operate yourself

Now multiply this responsibility by the service catalog of a public cloud provider (over 200 services) and the configuration options of these services (over 10,000). Keeping the necessary security expertise, and an overview, at this scale must be carefully planned.

Agility as a threat to security and compliance

With the advent of the agile way of working, the focus is on speed and efficiency. 

Painted in the blackest terms, this means:

  • Semi-finished proofs of concept go into production under pressure from the business.
  • Acceptance steps (quality gates) are removed from the development process.
  • Dedicated QA teams, and with them the competence, are dissolved.
  • Security writes concepts, but the developers bypass them.
  • Developers are overburdened with compliance and ethics requirements and stop caring.
  • Auditors are overwhelmed by the complexity of the technology and the speed.

Review your hybrid cloud strategy in 5 steps

Building a hybrid cloud while maintaining an agile way of working is a desirable goal. It is important that you not only involve IT in the cloud, but the whole company. And this is a transformation, not a product launch. With the following 5 steps you can implement this in an orderly and targeted manner.

Step 1: Determining the level of compliance and security

Communicating your own aspirations as a business owner is half the battle. This means that you define, for everyone in the company, which criteria are to be applied in the subsequent steps.

Some examples of such aspirations:

  • Weekly compliance reports for the entire IT infrastructure
  • We have best practices in dealing with cloud services and want to be able to detect violations within an hour.
  • We follow the best practices of the Center for Internet Security (CIS).
  • We pursue a zero trust or defense-in-depth strategy for security.
  • Tracking the remediation of zero-day exploits on an hourly basis
  • Compliance across the entire value chain - from the idea to operation

Step 2: Cloud solution architecture - break with old habits

Security and compliance must be rethought in a hybrid cloud. Many assumptions and concepts must be questioned, for example the assumption that data in a private cloud is more secure than in the public cloud (Gartner 2019). Many concepts that had to be implemented in the private cloud with a lot of effort are available in the public cloud as a service, out of the box.

Step 3: Building the hybrid cloud based on the cloud operating model

A cloud operating model is an abstract representation of how your organization operates the hybrid cloud efficiently and profitably. Among other things, specific skills are required and organizational changes are usually unavoidable. Using an outside-in assessment, you can determine your own maturity and identify the gaps to the targeted cloud operating model. These can now be closed in a targeted manner.

Step 4: Compliance and security from the cloud

The capabilities and maturity of the offerings of AWS, Azure and Google differ, sometimes significantly, in terms of compliance and security. You have to compare the offerings precisely and align them with your own security needs. In the majority of cases, the security capabilities of the cloud offerings exceed those of your own data center.

For example, the cloud service AWS Macie:

  • Recognize sensitive data using machine learning.
  • Automatically classify data and protect it accordingly.
  • Detect and prevent potential data leakage.

Step 5: Automation

With the automation of repetitive processes you can:

  • Eliminate sources of error - more time for your employees
  • Reduce the throughput time over several silos by factors - faster time-to-market
  • React quickly to changes and recognize dependencies - more agility
  • Offer a controlled range of services via self-service and make them available within minutes - faster time-to-market
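The following is an added example, not code from the article or its author, that shows what the automation of Step 5 looks like when applied to the customer-side responsibilities listed earlier (unauthorized access, encryption, roles, patches) and to the Step 1 aspiration of a regular compliance report. It is a small policy-as-code check: it walks a cloud inventory, emits findings per control, renders the report and acts as the automated quality gate that replaces the removed manual acceptance steps. The inventory, the resource names, the dates and the thresholds (30-day patch SLA, 90-day role inactivity) are all constructed for illustration; a real run would feed it an asset export from the provider's API instead.

```python
"""Policy-as-code compliance check over a constructed hybrid-cloud inventory.

Checks four customer-side responsibilities: storage must block public access,
data must be encrypted at rest and in transit, roles must not be wildcard or
stale, and self-operated hosts must be patched within an SLA.
All names, dates and thresholds are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed clock so the report is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
PATCH_SLA = timedelta(days=30)        # assumption: hosts must be patched within 30 days
ROLE_INACTIVITY = timedelta(days=90)  # assumption: roles unused for 90 days are stale

# Constructed inventory, shaped like a simplified asset export from any provider.
INVENTORY = {
    "storage": [
        {"name": "customer-exports", "public": True,  "encrypted_at_rest": False, "tls_only": False},
        {"name": "app-logs",         "public": False, "encrypted_at_rest": True,  "tls_only": True},
    ],
    "roles": [
        {"name": "ci-deployer", "actions": ["*"],           "last_used": "2023-06-01"},
        {"name": "app-reader",  "actions": ["storage:Get"], "last_used": "2024-01-14"},
    ],
    "hosts": [
        {"name": "web-01", "last_patched": "2023-11-01"},
        {"name": "web-02", "last_patched": "2024-01-10"},
    ],
}


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    severity: str  # "high" or "medium"


def _as_utc(date_str: str) -> datetime:
    """Parse an ISO date from the inventory as a UTC timestamp."""
    return datetime.fromisoformat(date_str).replace(tzinfo=timezone.utc)


def check_storage(bucket: dict) -> list[Finding]:
    """Unauthorized access plus encryption of persisted data and of transport."""
    findings = []
    if bucket["public"]:
        findings.append(Finding(bucket["name"], "storage-public-access", "high"))
    if not bucket["encrypted_at_rest"]:
        findings.append(Finding(bucket["name"], "storage-unencrypted-at-rest", "high"))
    if not bucket["tls_only"]:
        findings.append(Finding(bucket["name"], "storage-plaintext-transport", "medium"))
    return findings


def check_role(role: dict, now: datetime = NOW) -> list[Finding]:
    """Roles: no wildcard privileges, and roles nobody uses any more get flagged for removal."""
    findings = []
    if "*" in role["actions"]:
        findings.append(Finding(role["name"], "role-wildcard-actions", "high"))
    if now - _as_utc(role["last_used"]) > ROLE_INACTIVITY:
        findings.append(Finding(role["name"], "role-stale", "medium"))
    return findings


def check_host(host: dict, now: datetime = NOW) -> list[Finding]:
    """Patching of the software stacks you operate yourself."""
    if now - _as_utc(host["last_patched"]) > PATCH_SLA:
        return [Finding(host["name"], "host-patch-overdue", "high")]
    return []


def run_checks(inventory: dict, now: datetime = NOW) -> list[Finding]:
    """Run every control over every resource and collect the findings."""
    findings = []
    for bucket in inventory["storage"]:
        findings += check_storage(bucket)
    for role in inventory["roles"]:
        findings += check_role(role, now)
    for host in inventory["hosts"]:
        findings += check_host(host, now)
    return findings


def gate_passes(findings: list[Finding]) -> bool:
    """Automated quality gate: block the rollout while any high-severity finding is open."""
    return not any(f.severity == "high" for f in findings)


def render_report(findings: list[Finding]) -> str:
    """Plain-text report, the artefact a weekly compliance review would consume."""
    lines = [f"{len(findings)} finding(s), gate {'PASSED' if gate_passes(findings) else 'FAILED'}"]
    for f in sorted(findings, key=lambda f: (f.severity != "high", f.resource)):
        lines.append(f"  [{f.severity:<6}] {f.resource}: {f.control}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(run_checks(INVENTORY)))
```

Run on a schedule (hourly for the "detect violations within an hour" aspiration, weekly for the report) and wire `gate_passes` into the deployment pipeline; each new cloud service you adopt then gets its own `check_*` function rather than another manual review.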

The Hybrid Cloud is a gentle approach to combining the advantages of the public cloud and your own data center. However, successfully building a hybrid cloud requires additional knowledge and a way of collaborating that is aligned with the public cloud. This applies in particular to security.

The 5-step plan gives you an instrument to structure your project. It is the first step toward a secure, efficient and accepted introduction of your hybrid cloud.