Connect with us

Hi, what are you looking for?


Cloud Security

The Top Five Security Gaps in Hybrid IT

Maintaining Consistent Security Controls Across Hybrid IT Environments is Growing Increasingly Complex

Maintaining Consistent Security Controls Across Hybrid IT Environments is Growing Increasingly Complex

Hybrid IT in the enterprise is the new normal. Hybrid cloud was the buzz for a number of years, but focusing solely on the mix of public and private cloud services ignores a significant portion of the enterprise estate that isn’t going away any time soon. Hybrid IT recognizes that IT organizations cannot abandon all legacy investments without introducing unacceptable risks and costs, so cloud and legacy technologies will coexist for the foreseeable future, and increasingly interact in ways that introduce risk.

In many organizations, operational support for legacy and cloud services tends to remain divided between distinct teams and tools, though, which adds complexity from an IT security perspective. That complexity can lead to gaps in maintaining adequate security controls, which can easily go unnoticed because coverage may be sufficient on one platform but not on another. Consider how these five security gaps can be addressed in today’s hybrid IT environment.

1. Threat Detection and Analysis

Enterprise attackers don’t care if your data is stored in the cloud, on premise, or both. They will probe for vulnerabilities, phish users and attempt to install ransomware anywhere they can. You might be comfortable with the level of protection that your cloud services providers and internal controls deliver, but do you have a consistent way to visualize and analyze threats across different computing environments?

Securing Hybrid IT Environments

Without this capability, you could be missing the pieces of the puzzle that can indicate a breach in progress, particularly as user behavior analytics becomes more mainstream. Security analytics tools need the broadest set of data possible to have the full threat picture, yet even analysts performing this role manually can benefit from seeing attack patterns across the computing environments to detect and neutralize threats faster.

2. Vulnerability Management

Advertisement. Scroll to continue reading.

We expect our SaaS providers to manage and patch their own vulnerabilities, and patch management for legacy systems is typically a well-understood discipline. But enterprises continue to accelerate the adoption of IaaS as DevOps teams drive faster release cycles. Is the same rigor applied to testing code for security vulnerabilities for applications running in the public cloud as it is for applications running in your own data centers?

If not, this is an easy pitfall for attackers to exploit. Code in the cloud is easy to overlook when testing, both before deployment and as part of a regular vulnerability management program. DevOps is not opposed to the “shift left” of security testing, but the DevOps steamroller will flatten any attempt to slow the release of code. Automated testing is table stakes to participate. 

3. Privileged User Management

Cloud providers have mostly convinced enterprises to accept their security practices as adequate to protect their most sensitive data. Customer records, health care information, financial transactions and even government records are now routinely stored in the cloud, often with better security controls than are provided for legacy systems. But who is watching and managing what your privileged users have access to and how they are using that access?

Privileged user management remains the responsibility of the enterprise, regardless of where the data resides. In the cloud, there is less concern for database or systems administration, but there remain users with enormous access to data such as developers, healthcare workers, financial controllers or executives. A system for monitoring and possibly limiting their usage to deter fraud has to be considered the same as it would for legacy services.

4. Access Controls and Authentication

From a SaaS perspective, the focus in access management has been on enabling Single Sign-On (SSO), mostly as a means of convenience for users. This has the added security benefit of supporting better controls such as strong, unique passwords, enforcing step-up authentication or risk-based authentication where needed. But having access controls does not necessarily mean that they are consistent with security policy across the enterprise. Policy, whether based on good security practices or regulations, doesn’t relax just because a workload has been migrated to the cloud.

Access controls for the cloud are often times less integrated with identity systems than legacy services. Those identity systems are typically where policy is recorded and automated. One example of the impact of this disconnect could be that when an employee leaves the organization, or when they change roles, their access to cloud services are not revoked automatically, leaving the organization vulnerable to an angry former employee with an axe to grind. Having an integrated identity and access management system across cloud and legacy systems can ensure controls are consistently enforced across the entire hybrid environment in accordance with policy.

5. Identity Governance 

Most enterprises have significant Identity Governance and Administration (IGA) capabilities for their legacy apps, but SaaS in particular is still on an island in many environments. Many regulations and security practices expect a periodic review or recertification of access rights, so they can be revoked where those rights are no longer needed. Are you reviewing the rights to your cloud apps with the same rigor applied to legacy apps?

Some organizations are addressing this with separate IGA platforms for the cloud and legacy systems, but given the lack of enthusiasm that business users have for the recertification process, doubling the number of apps to learn to perform this task isn’t going to produce the best results. Business users are notorious for rubber-stamping the recertifications, which is less likely to impress auditors who are starting to scrutinize cloud services with greater attention. A single platform that can support recertification across legacy and cloud services is more likely to satisfy auditors while reducing the risk of excessive access.

Maintaining consistent security controls across the entire hybrid IT environment is growing increasingly complex as more cloud services are adopted. And as these cloud services interact with data maintained on legacy systems, simultaneously multiplying risk, attackers can identify more opportunities to exploit the gaps in security coverage between the systems. As long as enterprises operate hybrid environments, though, consistent controls must be enforced. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cloud Security

Cloud Disaster Recovery - Ingredients for a Recipe that Saves Money and Offers a Safe, More Secure Situation with Greater Accessibility