Protecting Your Hybrid Cloud (part 2)

In the first post on Protecting Your Hybrid Cloud, we looked at the challenges organizations face when deploying multiple data centers scattered across on-premises, multi-cloud, and container environments. In this second part, we’ll detail the 5 capabilities all vendor solutions should include to ensure that the platform is able to stop attacks against the customer’s hybrid cloud workloads.

Asset inventory: All organizations use and manage a wealth of data that’s attractive to cyber criminals. Plus, sprawling technology ecosystems provide a plethora of places for criminals to hide. That said, security teams can’t protect systems or data about which they have no knowledge. It’s therefore imperative for security tooling to include the ability to provide an up-to-date inventory of assets communicating on and across the organization’s hybrid clouds.

Access controls: Needless to say, cyber criminals seek to gain unauthorized access to data-rich applications and services inside corporations’ networks. Cutting off that access is key, but it would be a mistake to focus only on user and device access. Skilled attackers will piggyback on approved communication paths or simply leverage stolen credentials, so limiting who can access what doesn’t sufficiently address the vulnerability.


Security teams know that internal processes, hosts, servers, etc. need access to other processes, hosts, servers, etc. for the network to function. Therefore, security controls must incorporate the identity of software and services (as well as users and devices) into access decisions so that the network can provide connectivity without complexity. Further, authorization requests must be iterative and must work on a least-privilege basis. Reducing the number of things that can access sensitive data stores, and verifying authenticity for every access request, will significantly reduce risk.

Automation: Given the size and scope of organizations’ technology deployments and data stores, manual processes simply don’t work. Whether it’s identifying assets in the environment, finding system weaknesses, or fixing those weaknesses, providers should automate low-level processes so that security talent can focus on strategic initiatives rather than time-consuming, rote work.

Segmentation/microsegmentation: Flat networks introduce unnecessary risk. Even though running a flat network may be better for speed and ease of use, those benefits are extended to attackers who find their way into corporate networks. To adequately protect sensitive data, organizations need “secure zones” inside of which only certain types of data or services can communicate. In effect, microsegmentation can be viewed as micro-perimeterization. Because an external perimeter that “keeps the bad guys out” isn’t sufficient in today’s threat landscape, segmentation/microsegmentation moves these “security checkpoints” closer to the assets organizations need to protect.

This is especially important in autoscaling, ever-changing environments like hybrid cloud. If the security plane is built around communicating entities instead of network constructs, organizations can be sure their databases, hosts, and servers are protected all of the time, even when the network changes.

Patching: Patching is a tricky beast. On the one hand, security pros know that patching vulnerabilities is imperative for a low-risk environment. On the other hand, deployment issues are no small consideration. While it might not always be possible for an organization to apply a patch to a vulnerable system or software, it’s critical that the organization understands when things are out-of-date. Though many security vendors don’t offer patching assistance, they can automatically identify when software or firmware is missing critical patches and prevent or limit communication to those systems until the organization has the time and ability to fix the vulnerability or make a risk-based decision to leave well enough alone.
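The following added example is not from the original post or from any vendor's product. It makes each access decision on workload identity rather than network address, default-denies unlisted flows, and blocks traffic to workloads flagged as missing critical patches, as the access control, segmentation, and patching sections describe. Service names, fingerprints, and the policy table are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Workload:
    """A communicating entity, identified by what it is, not where it runs."""
    service: str                # logical identity (hypothetical names)
    binary_sha256: str          # fingerprint of the running executable
    ip: str                     # current address; never consulted by the policy
    missing_critical_patches: bool = False

# Constructed fingerprints of the approved build of each service.
TRUSTED_BINARIES = {
    "web-frontend": "constructed-hash-web",
    "billing-api": "constructed-hash-billing",
    "customer-db": "constructed-hash-db",
}

# Constructed allow-list of (source, destination, port); all else is denied.
ALLOWED_FLOWS = {
    ("web-frontend", "billing-api", 8443),
    ("billing-api", "customer-db", 5432),
}

def authorize(src: Workload, dst: Workload, port: int) -> tuple[bool, str]:
    """Evaluate a single connection request; run on every request."""
    for w in (src, dst):
        if TRUSTED_BINARIES.get(w.service) != w.binary_sha256:
            return False, f"unverified identity: {w.service}"
    if dst.missing_critical_patches:
        return False, f"quarantined, missing critical patches: {dst.service}"
    if (src.service, dst.service, port) not in ALLOWED_FLOWS:
        return False, "no policy allows this flow"
    return True, "allowed"

web = Workload("web-frontend", "constructed-hash-web", "10.0.1.5")
billing = Workload("billing-api", "constructed-hash-billing", "10.0.2.9")
db = Workload("customer-db", "constructed-hash-db", "10.0.3.7")

if __name__ == "__main__":
    cases = {
        "normal flow": (web, billing, 8443),
        "billing rescheduled to a new IP": (web, replace(billing, ip="172.16.4.20"), 8443),
        "other binary on the web host's IP": (replace(web, binary_sha256="constructed-hash-other"), billing, 8443),
        "web straight to database": (web, db, 5432),
        "database missing patches": (billing, replace(db, missing_critical_patches=True), 5432),
    }
    for name, (s, d, p) in cases.items():
        print(f"{name:36} -> {authorize(s, d, p)}")
```

The rescheduled billing workload is still allowed because the policy never reads `ip`, while a different binary on an approved host is refused even though its address matches.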

In conclusion

Today’s hybrid networking landscape is a tricky one to manage, but the challenge of securing multiple data centers is one with which most companies must contend. Though traditional security tooling offers a patchwork-like solution, this approach is not optimal because it requires security/network teams to juggle too many balls in the air and not drop any of them. Networking today isn’t traditional, and so your security strategy must not center around traditional solutions. To reduce complexity, effort, and frustration, the best solution is one that addresses security fundamentals while being flexible enough to tackle current threats.

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.