Content

Hybrid Cloud Security Threats and How to Fix Them

By Pulse Secure

Naysayers often dismiss a hybrid/IT cloud as disruptive. It is not the hybrid/IT cloud that is the problem. The problem lies with poor network execution, security protocols, and management. The biggest barriers to a seamless hybrid cloud are inadequate compliance; lack of encryption; insufficient risk assessment; poor data redundancy; data leakage and other threats

Managers are not prepared. They are not following the proper rules of engagement. This is especially true when dealing with the constant evolution of mobile device management (MDM) and enterprise mobility management (EMM).

Managers need to know the stumbling blocks. Hybrid clouds are a cost-efficient solution that can maximize an organization’s internal assets with unlimited scalability in the public cloud. Learn the 17 security threats and how to fix them.

17 hybrid cloud security threats you should avoid and how to fix them:

 

Threat:  Lack of Encryption

Network transmissions are vulnerable to eavesdropping and Man-in-the-Middle (MitM) attacks that

circumvent mutual authentication by impersonating endpoints. Mobility enterprise managers must encrypt communications and data to prevent security incursions.

Fix:

  • Shield transmissions from random attacks with cryptographic protocols that include endpoint authentication.
  • Employ a reliable VPN.
  • Use a reliable proxy server
  • Encrypt all transmissions using SSL/TLS to manage server authentication and prevent interception of data off the wire
  • Use Secure Shell (SSH) network tunnel protocols to send unencrypted traffic over a network.

Threat:  Inadequate Security Risk Assessment

Failing to perform detailed risk profiles of an IT infrastructure and systems prevents network administrators from determining how and where an intrusion has occurred or when it happened. It makes future breaches virtually impossible to prevent.

Fix:

  • Rigorous risk prevention and assessment must be in place - at all times.
  • IDS/IPS systems should always scan for any malicious traffic.
  • Log monitoring must be activated and software updates current.
  • A holistic approach is the best way to handle network organization security using a reliable SIEM system. This way all enterprise security data can be viewed and easily trended.

Threat:  Poor Compliance

Hybrid clouds require more due diligence when it comes to compliance. Both the public cloud provider and your private cloud must stay within compliance parameters. Maintaining and demonstrating compliance is more difficult with the hybrid model because data moves back and forth.

Fix:

  • The two clouds must be coordinated. You not only have to ensure that your public cloud provider and private cloud are in compliance, but demonstrate the compliance of the two clouds as they work together.
  • The two cloud must meet industry standards for data security when handling sensitive data.

Threat:  Weak Security Management

Too many enterprise managers run amuck when they fail to employ authentication, identity management, and authorization procedures for both their private and public cloud. Cloud security protocols must be integrated.

Fix:

  • Replicate controls for both clouds.
  • Synchronize security data or use an identity management service that works with systems you run in either cloud.
  • Maintain in-house data storage for sensitive data not appropriate for the public cloud.

Threat:  Poor Data Redundancy

A lack of redundancy puts a hybrid IT cloud and your enterprise at risk. This is especially true if you don’t have redundant copies of data properly distributed across all data centers. Distributing data this way mitigates the damage that occurs when there is an outage in one data center.

Fix:

Implement redundancy. This can be accomplished three ways:

  • By utilizing multiple data centers from one cloud provider
  • From many public cloud providers
  • From a hybrid cloud

Threat:  Failure to Authenticate and Identify

Security management is essential when integrating public and private clouds in a hybrid environment. Cybersecurity must be mutually shared between the cloud provider and enterprise staff.

Fix:

  • Be diligent.
  • Monitor and verify all access permissions.
  • Synchronize data security by using an IP Multimedia Core Network Subsystem (IMS).

Threat: Unprotected APIs

When unprotected, API endpoints expose sensitive data to malicious attacks that exploit an   authentication/authorization token or key to manipulate personal information and data. This vulnerability is of particular concern in enterprise mobility management and BYOD transmissions over unsecure connections.

Fix:

  • API keys must be handled in the same manner as encryption and code-signing keys.
  • Third- party developers must be sure to handle keys securely.
  • Always verify a third-party before releasing API keys to avoid a security breach.

Threat:  Denial-of-Service (DoS) Attacks

Attackers render a cloud or mobile enterprise inaccessible by issuing a DoS attack. Network service is disrupted in the virtual environment through an inherent weakness in shared resources such as CPU, RAM, and disk space or network bandwidth.

Fix:

Denial of Service attacks on cloud management APIs are often caused by sending bad SOAP or REST requests from the enterprise.

  • Flow analytics can fend off DoD attacks by reacting to the incursion and redirecting traffic to a mitigation device.
  • Keep in mind, the flow analytics tool must be scalable for the amount of traffic it gathers and analyzes. Because it is a slower method, it is not as effective in combating volumetric (DDoS) attacks.

Threat:  Distributed-Denial-of-Service (DD0S) Attacks

These volumetric or application layer attacks are on the rise and even more insidious than DoS. This is because they are high volume incursions maliciously distributed from multiple sources and generated at a central location. By the time the attacks are noticed, network traffic is often in virtual gridlock and websites rendered helpless.

Fix:

Fending off a DDoS attack requires robust in-path deployment of a DDoS mitigation device that continuously processes all incoming and outgoing traffic. The device must be able to act immediately and scale and perform when there are multi-vector attacks.

Threat:  Poor IP Protection

Intellectual property (IP) requires extra protection. It must have the highest encryption and security protocols in place. IP must be identified and classified to determine potential security risks. A vulnerability assessment and appropriate encryption are needed.

Fix:

  • Completely automated systems are inadequate in classifying IP and quantifying risk. These tasks must be done manually. Risks associated with IP can only be identified once that data is classified.
  • Know the source of your threats. Develop a detailed threat model and follow it.
  • Create a permission matrix.
  • Harden all open source components to prevent incursions.
  • Conduct extensive third-party audits.
  • Make sure your network infrastructure is secure.

Threat:  Lack of Data Ownership

Cloud vendors must be fully vetted for security controls when handling data. Once cloud-deployed, enterprises lose some ability to govern their own data set. Enterprise managers must know what security levels are available in the cloud to prevent surprises.

Fix:

  • Data ownership and security must be verified. Avoid vendors who cannot provide reasonable ownership expectations.
  • Get everything defined from the vendor in a well-constructed Service Level Agreement (SLA) that covers a hybrid IT enterprise. Know exactly who has access to data, what the provider does with access logs/statistics, and the jurisdiction/geographic location of all stored data.

Threat:  Failure to Communicate with Cloud Provider

You wouldn’t have a car repaired without getting a written estimate and details of service to be performed on your vehicle. Service level agreements (SLAs) do the same. They clarify expectations and responsibilities.

Fix:

  • When it comes to security, a customer must let the cloud provider know exactly what security requirements are needed. This eliminates surprises and disasters. The CSA Security, Trust and Assurance Registry details security controls each cloud provider offers in the marketplace. Use it as a reference.
  • Ask detailed questions. Call someone else if a service provider cannot provide detailed answers on how they define and protect multi-tenant boundaries, ensure FISMA, PCI compliance and auditing.

Threat:  Poorly Defined SLAs

When moving to the cloud, customers do lose the ability to govern their own data set and are forced to rely on service providers to properly secure data when in the public sector.

Fix:

  • Access permissions and protections must be clarified and security measures well-defined in the service level agreement (SLA). The same applies to expectations and requirements of the cloud service provider.
  • Reasonable expectations of service must be clearly detailed in the Service Level Agreement so the customer has recourse if service is disrupted or data is compromised.
  • Before signing any agreement, have it reviewed by an attorney.

Threat:  Data Leakage

Inadequate security protocols on the part of a cloud provider can compromise data which can be corrupted, destroyed or inappropriately accessed. This is especially true in worker-driven BYOD environments.

Fix:

  • Never assume the provider has data leakage covered unless it is in writing. Data loss prevention is key. Cover all bases. Read the fine print.
  • Since the enterprise customer owns customer data, security is the customer’s responsibility.
  • Security measures must be able to counter infrastructure malfunctions, security breaches, and software errors.

 

Threat:  Poorly-Defined Management Strategies

Seamless hybrid cloud management is only accomplished when everyone knows what needs to be done. Jobs must be strictly defined with management policies and procedures. Without these guidelines, a network can be compromised. A holistic approach must be taken to handle the entire infrastructure.

Fix:

  • Management tools and strategies must be consistent for computing, networking, and storing resources over multiple domains. It is a hybrid cloud administrator’s job to make sure this template is in place.
  • Cloud management policies should define rules governing configuration and installation; access control for sensitive data/restricted applications as well as budget management and reporting.
  • Know exactly what cross-platform tools will be used to manage a hybrid cloud.
  • Strictly define access controls, user management, and encryption for the best security.
  • Prepare access control policies that define how sensitive data or restricted applications are

     accessed in both the public and private clouds.

  • Use configuration management tools in resource provisioning to reduce misconfiguration errors and automate image-build processes.

Threat: Badly Constructed Cross-Platform Tools

Do you know how to manage tasks across multiple domains? Hybrid clouds are not business as usual. Many administrators run amuck when they cannot multi-task. Poorly defined or executed cross-platform management in a hybrid environment are major pitfalls that must be avoided.

Fix:

Define whether specialized tools or a suite of tools are adequate to manage your enterprise. What is needed to do the job? Determine if you require:

Cloud application migration tools for interoperability and moving apps between private and public clouds. Be sure to have cloud monitoring tools that accommodate a virtualized environment.

Cloud automation tools to maintain access and security needed for dynamic cloud provisioning and VM movement.

Threat:

Sometimes the most malicious attacks can be right under our noses. Not all employees and insiders are trustworthy. Some insiders may be using customer or sensitive data to disrupt corporate activities.

Fix:

  • Your Content Security Policy (CSP) managers must have comprehensive security measures that can track employee network activities to avoid this kind of malicious fallout.
  • Create an insider threat program with clearly defined strategies.
  • Never trust - Always verify. Stop every unauthorized access attempt.
  • Implement a strong password security policy.
  • Limit access to your organization’s critical assets.
  • Develop immediate response protocols that detect and react to any suspicious or malicious network activity. This should include immediate log off, remote locking or session resets.

Have you deployed or are you considering a hybrid/IT cloud for your enterprise? Hybrid cloud computing harnesses the best of public and private clouds with a wealth of benefits. It aggressively expands an organization’s business enterprise potential with a cost-efficient, low barrier to entry that helps organizations maximize internal assets with unlimited scalability. Don’t be afraid to deploy it.

Learn how to successfully implement a threat-free hybrid cloud into your corporate enterprise.

Pulse Secure, LLC is a leading provider of secure access and mobile security solutions to both enterprises and service providers. Enterprises from every vertical and of all sizes utilize the company's virtual private network (VPN), network access control (NAC) and mobile security products to enable end user mobility securely and seamlessly in their organizations. Pulse Secure's mission is to deliver secure access solutions for people, devices, things, and services. www.pulsesecure.ne

 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.