Looking at Hybrid Cloud and Security? Welcome to the Matrix

Looking at Hybrid Cloud and Security? Welcome to the Matrix

By: Shelly Kramer
September 29, 2015

Looking at Hybrid Cloud and Security? Welcome to the MatrixAs a strategist, I’ve really enjoyed working on this hybrid cloud series. I love how hybrid cloud acts as an extension of what most organizations already have—providing an extremely effective additional tier to on-site physical storage infrastructure.

It’s a highly scalable option for businesses that don’t need to keep all their data physically in-house. And I know that if you’re a CIO or other IT decision maker, you’re also aware that the hybrid cloud is going to change the game in the enterprise data-driven tech landscape. Because the combination of in-house and cloud-based infrastructure and applications is incredibly versatile, industry professionals are rightfully intrigued.

That said, with all that promise comes many considerations, from cost-efficiency to risks vs. rewards. And there’s no point in glossing over the fact that cybersecurity risks are a fact of life in today’s digital business landscape, but, as with most things in life, if you’re on the ball and have policies and guidelines in place around cloud computing, security risks are definitely manageable.

What’s left from a hybrid cloud security and adoption standpoint, though? Enterprise IT pros who want to integrate the hybrid cloud into operations have to know a lot—and if they don’t know it, they have to be willing to take the time required to learn it. That sounds well and good, but the reality is that most of us don’t have the time to spare to spend on an intensive learning program. Wouldn’t it be nice if there was a go-to resource that put all that critical information together? (Spoiler alert! There is.) Cue the Matrix—the Cloud Security Alliance Cloud Controls Matrix (CCM), that is.

If You Have Questions, the Matrix Has Answers

Get fundamental security principles to guide you. The CCM is produced by the CSA (Cloud Security Alliance), whose mission is to “promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing.” In a nutshell, if you want a comprehensive and well-respected cloud resource, you go to the CSA. The matrix they maintain gives everyone involved in cloud tech, from vendors to customers, guidance when assessing a cloud provider’s overall security risk.

Nail down your needs. Want to start exploring hybrid cloud but not quite sure what model or security control environment to embrace? The CCM breaks down the process into unintimidating, easily consumed bits of helpful information. This can help you differentiate between environment and cloud model, and see the information security strength of all your options. This can also help you determine exactly what combination of public and private cloud technology your company needs, and what the security implications are of each choice should you move forward.

Search standards. If you’re working in a highly regulated industry such as healthcare, you’ll need to be hyper-vigilant that you meet the requirements as laid out in the Health Insurance Portability and Accountability Act (HIPAA), which imposes obligations on healthcare services, and often also to those who provide cloud computing services to them. Or perhaps your playing field includes regulations set by the Children’s Online Privacy Protection Act (COPPA) or Family Education and Rights Privacy Act (FERPA). Wherever you fall in the web of standards, you know how important it is to make sure your ducks are all in a row when it comes to compliance, because no one wants to face the possibilities of hefty fines. The CCM can help you navigate how those standards relate to hybrid cloud security by providing a controls framework in 16 domains. Check them out below. Where do you fall?

Cloud Security Alliance chart

Source: Cloud Security Alliance

Normalize security expectations. The CCM can help you address your concerns and normalize what your security expectations should be, all in a user-friendly matrix that also breaks down cloud taxonomy and terminology. Win-win. (If you want to download the CCM, you can do so here.)

Hybrid Cloud Security Risks, Take Two

You mean there are more? Yes, the security considerations for users of hybrid cloud models aren’t going away. And, while a tool like the CCM is certainly an integral part of navigating these risks, you should recognize that there are still potential security threats to whatever model you’ve chosen (regardless of how stacked your toolkit is). Here are some additional ways to protect your information in the cloud.

Back it up. Public cloud providers always want their networks to remain available to end users, but that just doesn’t always happen in the real world. Outages will occur and public backlash will follow, especially if the breakdown occurs when applications were run only in a single data center. The moral of the story is that cloud architects should implement data redundancy to make the operation flow smoother and safer.

Get compliant (in more ways than you think). It’s a no-brainer that both parts of your hybrid cloud—your public cloud platform and your in-house system—must be compliant to your industry (as outlined in the CCM, too). But remember that this dual environment also warrants the communication between both sides to be compliant, too. The how, what, when, where and why of your moving data from one half of your hybrid cloud to the other must all be accounted for and up to speed with the applicable standards. Don’t let compliance get lost in translation.

Be serious about timing and risk management. Because the hybrid cloud model is relatively new, your IT administrators aren’t going to have much experience in managing one. That’s a risk, and you’ll need to prepare for it by providing plenty of training and support for your team. Another thing to note is that a hybrid cloud is not a simple animal—rather, it uses new application programming interfaces and very involved network configurations. These things will take time to implement and master, so have realistic expectations and a plan to efficiently manage them.

In sum, there’s a lot to consider if you’re thinking of adopting a hybrid cloud model. It’s true that plenty of risks exist, but improved workflow and long-term financial gains are possible as a result of making this move. It’s important to remember that you don’t have to face the transition alone, either. Your cloud services vendor should be a trusted guide in this process, but it’s also helpful to know that there are accessible resources out there (like the CCM) that can be valuable as part of this process as well.

Have you ever taken a look at the CCM as you’ve gone about the process of exploring your cloud security options? If so, did you find the process user-friendly and the information helpful? I’m curious how many of you are knee-deep in the hybrid cloud security conversation. I’ve identified several potential security risks and considerations. Is there anything I’ve left out that you’d like to see addressed? I’d love to hear your thoughts and your experiences.

Other Resources on this Topic:

Second Look: Data Security In A Hybrid Cloud
How a Hybrid Cloud Architecture Stops the Data Loss and Shadow IT Threat
CSA Releases New Cloud Controls Matrix and CAIQ Standards

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site Power More. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Photo Credit: ozrick1 via Compfight cc