Five Core Principles for Hybrid Cloud Security: How To Build an Effective, Scalable and Affordable Strategy

Originally published by Tenable.

Written by Tom Croll, Advisor at Lionfish Tech Advisors.

As organizations shift on-premises workloads to public cloud platforms, their perimeter defense boundaries dissolve, creating cloud sprawl and thorny security challenges. To protect these new borderless, hybrid-cloud environments, you must move security controls to where they’re needed, enforce them with new tools and ground them around five core principles: unified access management, automation, shift-left, data security, and zero trust.

In this blog post, we’ll explain how you can adopt these five principles, which we covered in the webinar 5 Must-Haves for Hybrid Cloud Security.

Principle 1: Create a unified access management strategy

In cloud computing, the traditional perimeter is moved outside of the enterprise data center, so identity replaces networks as the primary trust boundary. To that end, a unified identity and access management (IAM) strategy is essential to securing the cloud. To achieve this you should look to:

• Adopt a unified identity strategy to ensure that cloud identities don’t exist in separate directories or authentication systems
• Enforce multi-factor authentication (MFA) for all access, or at minimum, use MFA for privileged accounts
• Use automated tooling to monitor cloud accounts for unusual access and enforce least privilege

Principle 2: Automate configuration and validation across all clouds

Over the years I have found the overwhelming majority of cloud security incidents stem from misconfigurations or mistakes – far more than from malicious actors. In the cloud world, getting cloud configuration right is just as important as writing secure code. Primary recommendations for reducing misconfigurations include:

• Use automated Cloud Security Posture Management (CSPM) tools to ensure secure configurations across all environments
• Use a unified security platform to gather data across all environments

Principle 3: Adopt DevSecOps and shift controls left

Security teams and developers speak different languages when it comes to cloud security. Developers think about technical controls, open-source products and cool application features. Security teams focus on risk and on how to monitor and validate existing controls.

Thus, cloud teams shouldn’t design security controls. Instead, security teams need to lead security efforts by embracing DevSecOps practices and ensuring controls are implemented early in the development pipeline. Teams should follow a unified strategy and use tools that allow them to speak the same language. Also important: Use as few tools as possible so you can accurately measure risk exposure and normalize risk factors across on-premises and public cloud environments.

To implement DevSecOps practices you’ll need to:

• Scan your infrastructure for misconfigurations in the development pipeline using infrastructure-as-code (IaC) security tooling
• Standardize your base images and scan them in an isolated development environment
• Implement security controls as part of delivery pipelines so you can scale to multiple clouds by abstracting controls that can scale across multiple teams

Principle 4: Strengthen data security

Organizations must secure cloud data by encrypting all data at rest. At a minimum, you should configure the cloud service provider’s (CSP) native key-management system to use a customer-controlled master key. Ideally, issue your own master encryption keys and hold them on-premises in a hardware security module (HSM) or use a virtual HSM in a public cloud environment.

Principle 5: Use zero trust to unify strategies

Zero trust is an overused term, but for our purposes it means zero implied trust and full visibility into all user-entity behavior post-authentication and throughout the lifecycle of each session. This is a key requirement for cloud, but the principle of zero trust should be introduced to private cloud environments as well. Along with cloud native, the zero trust principle can boost your security transformation and make your applications more secure across hybrid cloud environments.

To benefit fully from zero trust:

• Adopt zero trust principles across both public and private cloud environments where possible
• Phase out trusted networks and the idea of “implied trust”

Conclusion

Hybrid cloud security requires a unified approach.Security teams must use the best techniques from security operations and combine them with the best security practices from cloud technologies. It’s also important to consolidate traditionally siloed tools that result in too many controls.

By using these five key principles as a foundation, you can ensure your hybrid cloud applications are more secure and easier to manage than those in your on-premises data center.

If you’re looking for more information about the five key principles recommended above, please watch the on-demand webinar 5 Must-Haves for Hybrid Cloud Security.

About the Author

Tom Croll is an Advisor at Lionfish Tech Advisors and a Tenable consultant. As a former Gartner analyst, he co-authored the original research on CNAPP, defining the requirements for effective application security in public cloud. With over 20 years of industry experience, he was also a pioneer of DevSecOps methodologies. He currently provides advisory services in cloud application and infrastructure security (IaaS, PaaS and SaaS), security service edge (SSE), secure access service edge (SASE) and security posture management (SSPM).