The Best Security Practices with Hybrid Cloud — Part 1
By Shantanu Kaushik
Hybrid Cloud adoption is growing day by day. Many enterprises are in the middle of making the shift if they haven’t made the shift already. Like any other product or service that handles large amounts of data or is a connected resource based on an IT infrastructure, a Hybrid Cloud also needs to have good security practices associated with it.
As an IT administrator, one needs to think about a viable protection mechanism for the infrastructure, data, and applications that are running on the Hybrid Cloud setup. Cloud Bursting or workload portability being the primary feature of the hybrid cloud solution, securing the overall data flow across cloud environments, such as public and private clouds, becomes an essential practice.
Security | Hybrid Cloud
Let’s start by looking at the security model implemented by Alibaba Cloud:
The Hybrid Cloud solution leverages the security of the private cloud and gives an option where the administrator can choose to not share any sensitive or critical data over the public cloud. With Alibaba Cloud Hybrid Cloud, you can make a management policy that enables you to choose how and where you wish your workload to be processed. It can be based on any policy, compliance, or security requirements.
The Hybrid Cloud is technically a group of different products and solutions that share functionality and environments to deliver a hybrid solution. These are separate entities, and when used separately, they have their own workflow, just like implementing containers or using DevOps. The Hybrid Cloud uses containers and APIs to interact and work with these entities. This enables the organizations to shift through the workload by assigning tasks to different resources based on the criticality of the workload and security associated with it.
Let’s take a look at how the Hybrid Cloud works:
Quick Tip: Apsara ZStack is an enterprise-level solution that enables the user to fully leverage a hybrid cloud solution based on the Apsara Distributed operating system by Alibaba Cloud.
Security | Hybrid Cloud | Challenges & Solutions
Data protection is among the key concerns faced by any IT service that handles large amounts of data. The cloud is no different. Even though a private cloud is a physical resource located on-premise, it still is a cloud resource that could be vulnerable to attacks or issues.
The Hybrid Cloud solution leverages the benefits and functionalities of both public and private clouds. This enables it to take advantage of benefits like reduced security vulnerabilities, direct benefits of a private cloud setup. However, additional security measures must be in place based on an assessment of how secure and critical your data requirement is.
Let’s take a look at the data flow from an administrator using the Hybrid Cloud solution:
Practices for Data Protection
- Use of SSH protocols for data communication between unsecured networks.
- Use of SSL or TSL for data transmission security over any network.
Data encryption at every stage. Be it and idle start or during transmission
- Data at Rest ¨C Data that is sitting on your disk also requires a full-scale security practice. As an administrator, you might think of applying partition encryption to secure your data. This will enable data protection, even when it is not being used.
- A trusted platform module (TPM) is an industry-leading practice that is based on a hardware chip used to store encryption keys for data access.
- Encrypting root volumes within your cloud environment is another secure practice. You might need a fully matured and automated practice for this.
- While Object Storage Service (OSS) is a highly secure cloud storage solution, the disks on your on-premises private cloud still need added security.
- Data While Transmitting: Typically, your data is at its most vulnerable state when it is being transmitted. Using secure protocols for data transmission is an important practice to implement. As mentioned above, using SSH for data communication and SSL/TSL for data transmission is highly-recommended.
Use of RAM (Resource Access Management) for Identity and Access Control.
- The Hybrid Cloud is highly dependent on access control, as the administrator has to come up with a policy that grants or restricts data control based on a multiple level user policy. Limiting user access to VPNs (virtual private networks) and defining different policies for such access controls is an important practice to limit data exposure.
Use of APIs
- APIs are a quick and easy way to get started. APIs can be used to scale automation at many steps. We are going to discuss Hybrid Cloud Monitoring automation later in this article.
Security Updates and User Bulletins
- Updating your deployment with regular security patches and updates is an excellent practice to follow. The cloud provider issued updates are also mandatory, that is why Alibaba Cloud is very quick with its update policies. As an administrator, any outdated application or environment can lead to major security concerns for the whole setup. Regular updates for the applications are highly recommended.
Monitoring | Risk Assessment | Automation | Hybrid Cloud
Security vulnerabilities and patching practices are often defined as a race. Any network or cloud service may become vulnerable to threats and attacks at any point. With automation in monitoring, assessment, and patching of a lot of issues listed above can be reduced.
Monitoring | Risk Assessment
Monitoring your hybrid cloud solution to have regular assessment reports and threat analysis is among the top practices to implement. There are products within Alibaba Cloud’s product and service lineup that provide seamless threat analysis and solutions to counter them. There are also risks due to cloud service downtime. The Cloud Monitor helps you collect metrics related to your cloud practice to depict the true status of your cloud.
Let’s list some of the best practices for Monitoring and Risk Assessment:
- Monitoring the network traffic to evaluate suspicious behavior leads to a viable threat assessment model
- If migration is an option, evaluation of risk is highly recommended.
- Security patching of all the applications is a practice you must follow to ensure no vulnerabilities arise from the user data or interactions.
- All end-points including network and the above-mentioned application end-points must also be patched and updated regularly
- Alibaba Cloud Security is an excellent solution to secure your setup throughout the product lifecycle.
Automation keeps you ahead of the game. Manual monitoring caps the possibility of a self-sustaining system. It reduces the overall productivity of the whole system as manual patching and configuration across teams needs to be a complete in-sync cycle. Automation responds to this challenge in a more hands-on and transparent manner.
An automation practice must include:
- An automated monitoring system
- An automated patching system backed by a qualified security team
- Automated reporting of metrics to be used in future releases
Physical Resource Protection
A hybrid cloud setup is location independent and may span across locations. It depends on where your private cloud is deployed. As an administrator, the best practice is to have good Service Level Agreements (SLAs). Choose your cloud resource provider based on the type of services and security they offer. Reliable service providers have reliable physical resources.
I have chosen Alibaba Cloud for all of my hybrid cloud requirements, based on their massive and secure infrastructure.
More Information in Part 2
- Cloud Orchestration and Access Control
- Human Error
- Cloud Visibility and Control
- Endpoint Security
- Administrative Tools and Practices
Next in Line
- The Best Security Practices with Hybrid Cloud C — Part 2
The views expressed herein are for reference only and don’t necessarily represent the official views of Alibaba Cloud.