Maintaining Consistent Security Controls Across Hybrid IT Environments is Growing Increasingly Complex
Hybrid IT in the enterprise is the new normal. Hybrid cloud was the buzz for a number of years, but focusing solely on the mix of public and private cloud services ignores a significant portion of the enterprise estate that isn’t going away any time soon. Hybrid IT recognizes that IT organizations cannot abandon all legacy investments without introducing unacceptable risks and costs, so cloud and legacy technologies will coexist for the foreseeable future, and increasingly interact in ways that introduce risk.
In many organizations, though, operational support for legacy and cloud services remains divided between distinct teams and tools, which adds complexity from an IT security perspective. That complexity can lead to gaps in maintaining adequate security controls, and those gaps can easily go unnoticed because coverage may be sufficient on one platform but not on another. Consider how these five security gaps can be addressed in today’s hybrid IT environment.
1. Threat Detection and Analysis
Enterprise attackers don’t care if your data is stored in the cloud, on premises, or both. They will probe for vulnerabilities, phish users and attempt to install ransomware anywhere they can. You might be comfortable with the level of protection that your cloud services providers and internal controls deliver, but do you have a consistent way to visualize and analyze threats across different computing environments?
Without this capability, you could be missing the pieces of the puzzle that can indicate a breach in progress, particularly as user behavior analytics becomes more mainstream. Security analytics tools need the broadest set of data possible to have the full threat picture, yet even analysts performing this role manually can benefit from seeing attack patterns across the computing environments to detect and neutralize threats faster.
2. Vulnerability Management
We expect our SaaS providers to manage and patch their own vulnerabilities, and patch management for legacy systems is typically a well-understood discipline. But enterprises continue to accelerate the adoption of IaaS as DevOps teams drive faster release cycles. Is the same rigor applied to testing code for security vulnerabilities for applications running in the public cloud as it is for applications running in your own data centers?
If not, this is an easy gap for attackers to exploit. Code in the cloud is easy to overlook when testing, both before deployment and as part of a regular vulnerability management program. DevOps is not opposed to the “shift left” of security testing, but the DevOps steamroller will flatten any attempt to slow the release of code. Automated testing is table stakes to participate.
3. Privileged User Management
Cloud providers have mostly convinced enterprises to accept their security practices as adequate to protect their most sensitive data. Customer records, health care information, financial transactions and even government records are now routinely stored in the cloud, often with better security controls than are provided for legacy systems. But who is watching and managing what your privileged users have access to and how they are using that access?
Privileged user management remains the responsibility of the enterprise, regardless of where the data resides. In the cloud, there is less concern for database or systems administration, but there remain users with enormous access to data, such as developers, healthcare workers, financial controllers or executives. A system for monitoring, and possibly limiting, their usage to deter fraud has to be considered just as it would be for legacy services.
4. Access Controls and Authentication
From a SaaS perspective, the focus in access management has been on enabling Single Sign-On (SSO), mostly as a means of convenience for users. This has the added security benefit of supporting better controls, such as requiring strong, unique passwords and enforcing step-up authentication or risk-based authentication where needed. But having access controls does not necessarily mean that they are consistent with security policy across the enterprise. Policy, whether based on good security practices or regulations, doesn’t relax just because a workload has been migrated to the cloud.
Access controls for the cloud are often less integrated with identity systems than those for legacy services. Those identity systems are typically where policy is recorded and automated. One example of the impact of this disconnect is that when an employee leaves the organization, or changes roles, their access to cloud services is not revoked automatically, leaving the organization vulnerable to an angry former employee with an axe to grind. Having an integrated identity and access management system across cloud and legacy systems can ensure controls are consistently enforced across the entire hybrid environment in accordance with policy.
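The leaver and mover gap described above can be checked by reconciling each cloud service's account list against the identity system where policy is recorded. The following is an added example, not part of the original article; the user names, roles, app names and finding labels are all hypothetical, and the records are constructed sample data.

```python
"""Reconcile cloud-service accounts against the authoritative identity system.

All names, apps and records below are constructed for illustration.
"""

# Authoritative identity records (e.g. exported from HR or the IAM system).
IDENTITIES = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "terminated", "role": "engineering"},
    "carol": {"status": "active", "role": "engineering"},  # moved from finance
}

# Policy: which cloud apps each role is entitled to (hypothetical).
ROLE_ENTITLEMENTS = {
    "finance": {"erp-saas", "mail"},
    "engineering": {"code-hosting", "mail"},
}

# Enabled accounts as exported from each cloud service (constructed sample).
CLOUD_ACCOUNTS = {
    "erp-saas": ["alice", "carol"],
    "code-hosting": ["bob", "carol", "dave"],
    "mail": ["alice", "bob", "carol"],
}


def reconcile(identities, entitlements, cloud_accounts):
    """Return sorted (app, user, finding) tuples for accounts that violate policy."""
    findings = []
    for app, users in cloud_accounts.items():
        for user in users:
            record = identities.get(user)
            if record is None:
                # No identity record at all: nobody owns or reviews this account.
                findings.append((app, user, "UNKNOWN_IDENTITY"))
            elif record["status"] != "active":
                # Leaver whose cloud access was never revoked.
                findings.append((app, user, "LEAVER_STILL_ENABLED"))
            elif app not in entitlements.get(record["role"], set()):
                # Mover who kept access from a previous role.
                findings.append((app, user, "ROLE_NOT_ENTITLED"))
    return sorted(findings)


if __name__ == "__main__":
    for app, user, finding in reconcile(IDENTITIES, ROLE_ENTITLEMENTS, CLOUD_ACCOUNTS):
        print(f"{finding:22} {user:6} {app}")
```

Run on a schedule against fresh exports, a report like this surfaces accounts that the legacy identity process has already closed or re-scoped but that remain enabled in a cloud service.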
5. Identity Governance
Most enterprises have significant Identity Governance and Administration (IGA) capabilities for their legacy apps, but SaaS in particular is still on an island in many environments. Many regulations and security practices expect a periodic review or recertification of access rights, so they can be revoked where those rights are no longer needed. Are you reviewing the rights to your cloud apps with the same rigor applied to legacy apps?
Some organizations are addressing this with separate IGA platforms for the cloud and legacy systems, but given the lack of enthusiasm that business users have for the recertification process, doubling the number of apps to learn to perform this task isn’t going to produce the best results. Business users are notorious for rubber-stamping the recertifications, which is less likely to impress auditors who are starting to scrutinize cloud services with greater attention. A single platform that can support recertification across legacy and cloud services is more likely to satisfy auditors while reducing the risk of excessive access.
Maintaining consistent security controls across the entire hybrid IT environment is growing increasingly complex as more cloud services are adopted. And as these cloud services interact with data maintained on legacy systems, simultaneously multiplying risk, attackers can identify more opportunities to exploit the gaps in security coverage between the systems. As long as enterprises operate hybrid environments, though, consistent controls must be enforced.