According to Gartner, approximately 85% of organizations will be embracing a cloud-first principle by 2025. Transitioning workloads to the cloud has offered businesses the flexibility they need to scale up and down with fluctuating demand and provide reliable access to resources for both employees and customers worldwide, but this expanded attack surface, free of a traditional network perimeter, comes with unique risks that companies need to keep in mind when developing their cloud strategy.
What is a Hybrid Cloud?
Many organizations are opting for a hybrid cloud environment, which means a combination of public cloud services and either on-premises servers or a private cloud. A hybrid cloud environment is usually chosen when:
- A company already has significant resources invested in on-premises architecture but wants to take advantage of cloud resources for new projects.
- A company has resources they can’t or won’t store in a public cloud.
Benefits of a Hybrid Cloud
Maintain Tighter Control of Security
While public cloud service providers have worked extensively to make the public cloud a safe option for storing sensitive data, many organizations feel more comfortable with their high-risk data stored on premises or in a private cloud, where there is less risk of it becoming available to other cloud users. For companies in highly regulated industries such as healthcare and finance, this may be the better choice to ensure compliance.
Cost-Efficient Innovation
One of the main benefits for hybrid cloud users is the ability to spin up new environments for specific projects without investing in additional costly on-premises servers. A hybrid cloud allows companies to increase usage to meet peak demand and scale it back down when it is not needed, saving on costs. Cloud usage can get expensive, so it makes sense for many organizations to keep their on-premises architecture for the bulk of their storage and utilize cloud services on an as-needed basis. The efficiency of creating new environments for testing and product development in the cloud gives businesses a competitive edge and can help them bring secure applications to market more efficiently.
Using a public cloud provides the ability to locate resources all around the world. Hosting services closer to where your customer base is located can improve the speed at which they can access your site, providing them a better user experience.
According to RH-ISAC’s 2021 CISO Benchmark Report, 80% of CISOs anticipate maintaining hybrid work environments in 2022. As remote work becomes the new norm, the cloud allows for easy, secure access to internal resources on any device.
While start-ups may be able to launch on day one into an all-cloud environment, most companies that have been around for a while have legacy systems that may not be easily migrated to the cloud. A hybrid cloud allows you to transfer what you can while you work on updating your workflows and technology to take full advantage of cloud computing.
In the meantime, the ability to scale up with demand by moving traffic to the cloud reduces the likelihood your site will crash with high customer volume. Companies can also use the cloud for data backup, reducing downtime in the event of a ransomware attack.
Risks of a Hybrid Cloud
Lack of Visibility
While there are benefits to having both a public cloud and private or on-premises servers, doing so also means that you have to maintain the security of two different environments. Without the proper tools and the team to manage this integration, you could easily be blind to threats simply because you do not have visibility across your entire landscape. Lack of visibility was the most significant barrier to cloud adoption in Fortinet’s 2021 Cloud Security Report.
Without proper monitoring, you may also have to worry about out-of-control usage within your own organization. Cloud service providers make it easy to provision new services, which is a benefit in that it allows for rapid development, but it can be a liability if new environments are spun up without oversight from your security team.
With any cloud implementation, there is the risk of misconfiguration. Misconfigurations can expose data to the open internet, making you an easy target for attackers. Similarly, without proper configuration, you may find yourself out of compliance with privacy and data storage regulations, which can lead to hefty fines. You can also find yourself on the wrong side of laws such as the EU’s General Data Protection Regulation (GDPR) if you do not have complete visibility of your data, as you may not be able to comply with requests for deletion of information.
Decreased Control of Security
With some of your data in the public cloud, you are accepting shared responsibility with your cloud service provider. An attack on your CSP, or even just an outage of their services, could have negative consequences for your brand that are beyond your control. Cloud usage also relies on management APIs, which can have vulnerabilities that are exploitable by threat actors.
Is It Worth It?
Whether or not you choose to utilize a hybrid cloud environment will largely be based on your organization’s resources and business goals. Before moving to the cloud, make sure that you have a strategy in place with defined goals for cloud usage. Conduct an audit of your current processes to see what workloads could benefit from being moved to the cloud. Once you have a deployment strategy, shop the market of cloud service providers to find a cost-effective solution that meets your goals.
Not sure where to start? RH-ISAC members utilize the Member Exchange to get advice from peers who have successfully implemented a cloud strategy. Find discussions on container security, cloud governance policies, and identity and access management. Learn more about how membership could benefit you on the RH-ISAC website.