“There’s no way that company exists in a year.”
Tom Siebel said this back in 2001 about Salesforce running an enterprise application 100% in the cloud. He couldn’t have been more wrong. His own company, Siebel CRM Systems, was eventually sold to Oracle and evolved into a hybrid cloud offering that few people have heard about.
Microsoft, by contrast, transitioned successfully to the cloud. They embraced the paradigm early on, built their own version, Azure, and migrated their suite of applications to it. Many of their productivity and enterprise tools work both on-premises and in the cloud and are a good example of a successful hybrid cloud model.
It wasn’t easy, though, given enterprises’ reliance on legacy systems running on-premises. It’s not uncommon even today to come across a large financial institution, for example, running DOS-based applications or an unsupported version of Internet Explorer. This has been a key driver for the development of hybrid cloud solutions — to marry the new with the old.
But what exactly is a hybrid cloud? Citrix has a short and accurate definition for it: “a solution that combines a private cloud with one or more public cloud services”.
It’s a simple idea to grasp, but most miss what the word ‘combines’ represents in that statement: namely, the hardware, software, and protocols needed to integrate public and private clouds.
This last point is particularly relevant to security because integrations are susceptible to attack. They are often the weakest link, literally speaking.
What is hybrid cloud security?
It’s certainly big business! The global cloud security market was worth $34.5B in 2020 and growing.
Here’s Red Hat’s definition: “Hybrid cloud security is the protection of the data, applications, and infrastructure associated with an IT architecture that incorporates some degree of workload portability, orchestration, and management across multiple IT environments, including at least 1 cloud — public or private.”
Security is not just about the tools and processes, though. The design of a hybrid cloud environment is a key factor too. Cloud architects need to decide what data needs to be kept more isolated and what can be public-facing, and ensure it all works.
Why does cloud security matter?
Try asking the cyber insurance firms that service clients involved in the recent SolarWinds hack; they are expected to spend $90M to clean up the mess, so to speak. This only affected 40 of Microsoft’s customers that had implemented a vulnerable SolarWinds solution.
Looking at the market more broadly, the average cost of a breach in 2020 was $2.3M. The true cost is even higher, since this figure doesn’t quantify the long-term financial impact of an organization's damaged reputation.
Even more dramatic are stats relating to smaller organizations that often lack resources to handle security properly. Inc. reports that over 60% of small businesses fold following an attack.
Security matters from a legislative perspective too. GDPR has introduced strict requirements for data storage, access, privacy, and breach notifications. California’s Consumer Privacy Act (CCPA) addresses similar requirements, and countries such as Australia and Japan are also introducing new legislation.
You need to make sure that your hybrid cloud implementation and governance are compliant with the relevant legislation in the jurisdictions you operate in.
To answer the original question, cloud security matters because it can make or break an organization.
Tom Siebel’s quote about Salesforce mentioned at the very beginning of this article is more accurate in the context of cloud security — without proper risk mitigation, organizations risk “not existing next year.”
What is cloud security architecture?
In short, it’s the strategy adopted to make sure that an organization's cloud infrastructure is designed, deployed, and managed to minimize security risks. This also covers processes, policies, protocols, and collaboration practices that facilitate what is effectively a “shared responsibility.”
McAfee covers this idea well in their “What Is Cloud Security Architecture?” article, an overview of one of many approaches you can take. Cloud security is mapped out at a high level by categorizing each component in two ways. First, we have the type of cloud being managed:
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
- Software-as-a-Service (SaaS)
Components for each are then flagged as being the customer’s or the vendor’s responsibility, which is the second level of categorization.
This is a very high-level schematization that can be understood by non-technical folk and discussed in management meetings. A more detailed version will represent individual components, their relationship, and other key technical information. It’s a working document for system administrators, security experts, project managers, and solution architects to refer to.
How do you know if your cloud data is secure?
The starting point is having a view of how an organization’s cloud infrastructure has been architected. A service such as NetApp Cloud Insights can help you do just that.
An example: The PMO of a government agency will have documented this as part of their risk management planning and have audits scheduled regularly as part of their risk mitigation strategy.
Smaller organizations are likely to have most of their data and applications in the cloud, therefore relying on vendors securing their systems.
There are a number of tools and processes you can use to check if cloud data is secure:
- Penetration testing: This involves simulating an attack to find vulnerabilities in a system. This is often carried out by ethical hackers who adopt the same techniques as malicious ones.
- Network security monitoring tools: There is a plethora of options on the market that cater to a wide range of hybrid cloud solutions. For example, Gigamon’s suite of products covers visibility, analytics, and security.
- Vulnerability scanning: These tools are ‘always-on’ in order to detect and mitigate malicious activity. G2 lists 92 of these solutions in their vulnerability scanner software category.
- Vulnerability audits: These audits are best carried out by specialist service providers delivering independent reports.
What are the challenges of hybrid cloud security?
While there are many positive risks associated with deploying hybrid cloud models, there are challenges too — many of which are related to security. Let’s have a look at a few:
- Hybrid cloud solutions are fundamentally complex and, therefore, harder to manage and monitor. As they become more sophisticated, risks increase too.
- Networks are inherently vulnerable. As data flows between public and private clouds, there are more opportunities for errors or a vulnerability being exploited by a malicious actor.
- You’re relying on third parties, each with their own security strategies and protocols. Are they as diligent as your own IT team?
These, along with many others, need to be captured, evaluated, and managed in a risk register.
What are the benefits of hybrid cloud security in project management?
A cloud-based project management solution like Wrike should be assessed via the same risk assessment process as other systems.
Looking at the function of a project management tool and the data it stores, those responsible for risk identification may deem some information to be too sensitive to be held in a public cloud.
For example, documents holding sensitive customer data are better stored in a private environment, behind a strong authentication protocol, and linked from the project management tool instead.
Other considerations for the selection of a project management tool are:
- Is it hosted in an environment that is regularly tested for security?
- What does a disaster recovery plan look like?
- Is it ISO/IEC 27001 certified?
- What does the SLA cover?
Next, let’s see how Wrike fits into a hybrid cloud environment and why it’s a good choice for enterprise.
How does Wrike protect your cloud data?
Wrike is flexible for small, mid-sized, and large-scale enterprise organizations. Our security protocols comply with and exceed industry requirements and standards.
You can read more about Wrike’s security here: https://www.wrike.com/security/. Better still, sign up for the free trial and discover how our 400+ integration options can streamline and secure your day-to-day workflows.