5 security gaps introduced by hybrid IT

As enterprises evolve towards more use of cloud infrastructure and services, it will become increasingly necessary to mind the security gaps between traditional and cloud environments

The fundamental challenge of hybrid IT is that it breaks what have historically been considered standard management practices. That’s not just an issue for IT operations, but for IT security as well.

Hybrid IT environments arise as innovative IT services that run outside of a corporate datacenter (in the cloud) are added to proven IT services running in the corporate datacenter. Without a centralized, standardized approach to defining policy, and enforcing controls and measuring compliance, the result is inconsistent security that can be exploited by attackers.

The frustrating thing about security in a hybrid IT environment is that you can have the best policies and controls in the world in one part of your environment at enormous expense, but one gap in another part can open the door to exploits for the organization as a whole. Here are five gaps that can emerge in any hybrid IT environment to look out for and address.

1. Inconsistent code testing for security vulnerabilities

Security testing in a traditional waterfall development process is often at the end of the development cycle. While it can be rushed, due to pressure to deploy after the inevitable delays in development, it is often anticipated and completed. Deployment delays, if necessary, are acceptable to ensure the stability of the application, especially when that application is tied to significant revenue generation.

Much of the new code being deployed today, though, is being developed through agile methodologies in a devops pipeline to the public cloud. With a priority on increasing release velocity, there can be resistance to delays brought about by testing for security vulnerabilities at the end of, or even after deployment.  

Rather than waiting to test code for security vulnerabilities at the end of a development cycle, (whether that cycle is agile or waterfall) there is good reason to consistently perform these tests at earlier intervals prior to deployment, such as when code is integrated into the trunk in the devops pipeline. This “shift left” approach to security testing can identify the use of vulnerable code libraries or other insecure coding methods early enough to avoid an expensive rewriting of code to eliminate vulnerabilities.

2. Inconsistent access management and governance

Enterprises have invested heavily in access management and governance systems to provide employees and contractors with access to resources they need, while demonstrating that least privilege is enforced to auditors. But much of that investment has been focused on the traditional environment.

The public cloud environment is often a patchwork of SaaS services acquired by business units, and infrastructure or platforms (primarily AWS or Azure) used by developers, set up with little consideration for security polices or controls. Many take a disconnected approach to access management and governance in these environments, thinking that apps in the cloud need access management and governance in the cloud.

The challenge is that in a hybrid IT environment, there is integration between cloud and traditional environments, so the policies and controls in effect are going to represent the least common denominator. An administrator’s credentials are always attractive to attackers, but even more so if she has access to resources both in the cloud and the corporate datacenter. A centralized approach to access management and governance is necessary to consistently enforce policies and provide visibility of all access privileges and unusual usage.

3. Inconsistent incident response in concert with service providers

Like access management and governance, most enterprises have invested heavily in incident monitoring and response processes to minimize damage when (not if) breaches succeed. The challenge in a hybrid environment is that service providers need to be factored into both the monitoring and the response processes.

Many organizations don’t adequately plan for how to engage with cloud service providers during breaches, which can cause delays in responding. Even though many cloud service providers have security controls that exceed that of their customers, no security is impossible to breach, and there is a point where the service provider’s security responsibility ends, and the enterprise’s security begins. If you aren’t aware of where those lines are drawn, and don’t have procedures and controls that bridge those gaps, then those gaps can be exploited by attackers.

4. Inconsistent encryption policies

Significant amounts of data are now stored in the cloud. Data security has been a major focus of both enterprises and cloud providers, and encryption of data at rest is an option for either Amazon S3 buckets or Azure SQL Database. Sensitive data in transit also can and should be encrypted, especially between enterprise and external cloud environments.

The challenge is to apply policies consistently across the hybrid IT environment, particularly for unstructured data. Most enterprises make extensive use of file sharing and code repositories both hosted internally and in the cloud that may or may not be encrypted. If employees aren’t provided with a convenient way of sharing information, they will self-source file sharing from companies like Dropbox or Bitbucket, without enterprise security policies and controls.

Data protection policies and controls should be applied consistently across the hybrid IT environment and across the data lifecycle. But data must also be available to applications that need it and encryption must be as transparent as possible to the end user, or users will find ways around the controls, exposing the enterprise to more exploitable gaps.

5. Inconsistent configurations

As new vulnerabilities are identified in existing software, such as via bug bounty programs or revealed on Patch Tuesday, configuration policies must be updated, and systems and applications must be patched. New server builds, whether being deployed in the datacenter, or in containers in the public cloud, also need to be built in accordance with current policies. And records must be available to demonstrate to auditors that policies are in place and being enforced when required by regulations, regardless of where the infrastructure resides.

The scale of this effort in an enterprise rapidly adopting cloud instances, and subject to multiple regulations can be overwhelming. The operations teams that maintain the automation for deploying servers need to work closely with those responsible for maintaining security policies. And they need to be educated to look for gaps in coverage across the hybrid environment.

As enterprises evolve towards more use of cloud infrastructure and services, it will become increasingly necessary to mind the security gaps between traditional and cloud environments. Consistency is key if you want to deny data breaches, extortion, or sabotage.

Copyright © 2018 IDG Communications, Inc.