How To Maintain A Strong Security Posture In Hybrid Cloud Environments

Innovation How To Maintain A Strong Security Posture In Hybrid Cloud Environments Brian Spanswick Forbes Councils Member Forbes Technology Council COUNCIL POST Expertise from Forbes Councils members, operated under license. Opinions expressed are those of the author. | Membership (fee-based) Oct 14, 2022, 08:00am EDT | Share to Facebook Share to Twitter Share to Linkedin Brian Spanswick is Chief Information Security Officer at Cohesity .

getty There are many business reasons to move data, software and IT infrastructure to the cloud. These include reducing the need to maintain servers and costly or outdated legacy hardware, shifting costs from capex to opex and having the flexibility to rapidly accommodate changing requirements for compute, storage and application use. However, from a cybersecurity perspective, the cloud can introduce risks that don’t exist with on-premises systems, which are under the complete control of an organization.

With cloud-based systems, organizations are extending their attack surface beyond where they have direct responsibility for the execution of security controls. They are outsourcing the maintenance of the security posture, where they still own the risk. No matter where their data and applications reside, organizations will still be held accountable in the event of a breach, so the need for secure systems, business continuity and cyber resilience remains.

Adding to the complexity, each cloud vendor and each SaaS application offer disparate capabilities when it comes to security. For example, each has its own data retention policy, and once that policy expires, the customer is responsible for backing up, protecting and, if needed, restoring their own data in the event of a cyberattack. End users are forced to try to understand and reconcile these differences among vendors while also trying to manage an increasingly fragmented data environment.

All of these issues raise a big question for already overstretched IT teams within today’s modern enterprises: How do I accelerate the move to the cloud while also meeting stringent security and cyber resiliency objectives that my company mandates? MORE FOR YOU They Inherited Billions Upon Billions: Meet America’s Richest Heirs These MLB Ballparks Were Kindest To Hitters In 2022 Will Johnson & Johnson Stock See Higher Levels Post Q3? Below are a few best practices for organizations looking to benefit from a hybrid cloud environment while maintaining a strong security posture. Establish a baseline security posture. The first step, of course, is to make sure your organization’s security posture delivers foundational security protection; get the fundamentals right first.

When defining a security posture, security and IT leaders should review all security controls around data and systems. Industry-standard frameworks such as the CIS Critical Security Controls and the NIST Cybersecurity Framework are a good place to start. From there, you can begin to establish key performance indicators (KPIs) of efficacy such as recovery objectives, patching SLAs and data encryption standards, and you can then set service level agreements (SLAs) for those KPIs that deliver the security posture that makes sense for your business objectives and risk appetite.

Define recovery time and recovery point objectives. Many organizations are now implementing cloud-first and SaaS-first strategies, although plenty of others still keep critical assets on-premises. Regardless of what your hybrid environment looks like, two factors that should influence the decision of which applications and infrastructure to move to the cloud are recovery time objectives (RTOs) and recovery point objectives (RPOs).

An RTO is the amount of time under which a system should be restored. For example, a system should be restored within one hour of a breach to avoid unacceptable business disruption. An RPO is a point in time or the state from which a system should be restored.

For example, a system should be restored to the state it was in one hour before a breach or from the most recent backup. You define RTOs and RPOs for systems based on the impact the amount of time to recover has on your business objectives. The more stringent your RTOs and RPOs are, the more likely you’ll want to keep applications and systems to which they apply under your direct control.

RTO is controlled on-premises when an organization restores its own systems, but it is outsourced in the cloud because only the cloud vendor can restore its applications and infrastructure. RPO can be controlled both on-premises and in the cloud, but it depends on the data management and backup systems in place. Ensure your cloud vendors meet security requirements.

In order to manage your acceptable level of risk, it is imperative that your cloud and SaaS vendors meet your security posture requirements. They must comply with the same security policies and standards as internal security control operators. Otherwise, those relationships can easily become the weakest area of your security posture.

If a current or future cloud vendor cannot meet a particular service-level agreement (SLA), and not meeting it creates a vulnerability to business outcomes, document the risk and present it to the risk owner to decide whether they are willing to bear the risk in exchange for the benefits of outsourcing to the cloud. In addition, use it as a negotiation tactic to encourage the cloud vendor to improve its service and security. As most organizations look to accelerate their move to the cloud, understanding the associated risks of all on-premises and cloud-based systems in a hybrid environment is critical.

The more cloud vendors you use, the more likely it is that you will need to manage a patchwork of backup and restoration processes. In addition to the three best practices outlined above, you could also consider incorporating modern data management to help mitigate risks. Remember to always assume risk, especially with the cloud, and plan security postures accordingly.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify? Follow me on LinkedIn . Check out my website .

Brian Spanswick Editorial Standards Print Reprints & Permissions.