One of the biggest concerns around hybrid cloud for organizations is data security. According to Gartner, 38 percent of companies who don’t plan to use public cloud cited security and privacy as the main reasons. It’s very logical (and necessary) to ask how the cloud will protect your most valuable asset – your data. What are the biggest security challenges in hybrid cloud adoption?
According to experts, the biggest security concerns in a hybrid environment are compliance, lack of encryption, poor SLAs, data redundancy, and data privacy and visibility. Some clouds are more equipped to handle these challenges than others, and it’s important to make sure you have the cloud that addresses your needs best. Let’s look at the above barriers and see how they can be addressed.
Whether your data is moving from cloud to cloud or a cloud to a physical server, it’s critical that you and your cloud service provider (whether that’s you or someone else) have the correct controls in place. This is especially important in today’s mobile world and BYOD.
What should you do? Make sure your provider can pass third-party audits as part of a standard check for regulatory compliance. But remember, just because your provider is compliant with industry regulations doesn’t mean you’re off the hook—you as an organization must also meet requirements.
Lack of encryption:
According to a recent report, less than 10 percent of cloud providers offer encryption at rest. This could leave your data vulnerable to attacks or user abuse.
What should you do? Encryption could be an important component of your compliance strategy as well. Encryption is widely considered a best practice for your data. Network endpoints are some of the most vulnerable spots for an attack, so you’ll want encryption between your devices. The Healthcare Insurance Portability and Accountability Act (HIPAA) does not specifically require encryption, so if you decide not to use it, think about what other measures you should take to keep your data secure. PCI requires encryption.
An SLA (Service Level Agreement) is what your provider promises to give you to operate your environment, and what they will do if they can’t provide what you need. Think of it as the guarantee seal your provider slaps on your contract. Are you getting enough with that guarantee?
What should you do? Make sure to read the fine print carefully. Poor SLAs can result in more downtime and security risks than you’re willing to accept.
In today’s world, you can’t rely on just one copy of your data. What’s your backup strategy? If part of your environment goes down, can you still access your data?
What should you do? Take advantage of multiple data centers from your provider. In case of an outage at one, you can rest assured knowing your data is backed up at another. Disaster Recovery as a Service (DRaaS) or Backup as a Service (BaaS) are two different ways you can address potential downtime and data loss effectively, no matter what cloud environment you have.
Data leakage really boils down to data visibility. What’s happening with your data, and where exactly is it going? You’ll want to monitor not only external network access, but internal access as well. According to the Protenus Breach Barometer, it takes healthcare entities an average of 607 days to detect a data breach from insider wrongdoing. How long will it take you? What kind of access does your provider have to your data, if any?
What should you do? Track your employees and track your network traffic using services such as daily log review (link). Some providers offer this as a managed service (link).
Hybrid cloud, like any other environment, is only as secure as you and your partners make it. Ten years ago, organizations hesitated to move to the cloud because they assumed it wasn’t secure. Now, they’ve swung in the opposite direction: If it’s in the cloud, it must already be secure. This isn’t true! It’s up to you to thoroughly vet your cloud providers, and work with them to put the proper security measures in place that will keep your data protected.