Securing End Users in the Hybrid Cloud
by Gilad David Maayan
What is a Hybrid Cloud?
A hybrid cloud consists of public and private cloud resources that share data and applications. It extends a private cloud with the flexibility and scalability of private cloud resources and frees up local resources for sensitive data and critical applications.
In this model, the private cloud safely holds business-critical applications and sensitive data behind a corporate firewall, while the public cloud provides resources for non-sensitive computing. It enables organizations to scale private infrastructure to the public cloud seamlessly. It helps handle peaks in demand without giving access to all data to third-party data centers.
It also eliminates the need for massive capital expenditures dedicated solely to handling short-term spikes in demand. There is no need to buy, program, and maintain resources and equipment that remain idle. Instead, the hybrid model enables paying only for temporary resources during the time they are needed.
Planning a hybrid cloud approach involves considering how to move workloads between private and public clouds. Hybrid cloud migration strategies include redesign, refactoring, and lift and shift.
Hybrid Cloud End User Security Challenges
Hybrid cloud challenges related to end users include:
- Data Leakage
Sensitive data can be compromised in various ways—it can be destroyed, corrupted, inappropriately accessed, or lost. A hybrid cloud environment can put data at risk (even when stored in the most secure private cloud) because the environment shares data with a public cloud.
- Complex Access Management
Authentication and authorization have become a challenging endeavor in hybrid clouds. Remote access via VPN is not longer enough in a cloud environment, because it provides unqualified access to the entire network. Proper implementation requires adopting centralized protocols to access data across all cloud environments. It also requires using identity and access management (IAM) systems and single sign-on (SSO) technology to control access permissions across the hybrid cloud.
- Endpoint Hybrid Cloud Security
Endpoints interacting with a hybrid cloud are susceptible to many attack vectors, those inherent to public and private clouds and those posed by public cloud integration. Here are common hybrid cloud security challenges:
- Malware and viruses infect endpoints — occurs when threat actors or malware gains unauthorized access through a public cloud, moves laterally to endpoints, and potentially reaches private cloud environments. A single infected endpoint can spread malware to many other client machines.
- Security and compliance gaps — occurs due to a lack of central management and poor security visibility across the entire organization.
- API vulnerabilities — unprotected API endpoints can expose sensitive data to malicious actors. Typically, actors manipulate sensitive data by exploiting an authentication or authorization token or key.
Hybrid Cloud End User Security Best Practices
Here are endpoint security best practices to help protect hybrid cloud environments:
- Centralize Your Security Strategy
Hybrid cloud environments are dynamic and complex. Centralized security can help obtain visibility and control into the entire security landscape. It requires a centralization tool that supports all relevant clouds and tools. Once you set up this integration, you should be able to apply security measures and share security responsibilities between teams.
- Secure User Endpoints and Browsers
Organizations allow users to access cloud resources using web browsers. You can protect this component by implementing client-side security to ensure user browsers remain up-to-date and protect against web-based vulnerabilities and other vulnerabilities in the user’s operating system or other deployed applications.
Endpoint security solutions can protect end-user devices such as mobile devices and personally-owned laptops used for remote work, providing multiple layers of security including next-generation antivirus (NGAV), content filtering, behavioral analysis to detect suspicious activity on an endpoint, and endpoint detection and response (EDR), which helps security teams detect and respond to breaches on an endpoint.
- Network Segmentation
Network segmentation helps prevent and block attacks by restricting access to specific datastores and services. It helps minimize data loss risks and limits the scope of damage resulting from a successful attack. You can also use Ethernet Switched Path (ESP) technology to hide network structure and make it more difficult for threat actors to move laterally between network segments.
- Preventing Cloud Phishing by Securing Credentials
Threat actors actively attempt to obtain credentials to breach into systems and networks. Here are several user behaviors that can result in compromised credentials:
- Sharing credentials in an insecure manner
- Storing credentials on public devices
- Using weak passwords that are easy to crack
In addition to the above insecure internal practices, external threats attempt to compromise credentials. For example, credential phishing schemes use email scams and malicious scripts to trick users into using fake portals, where they are prompted to reveal their credentials.
Once threat actors obtain user credentials, they gain unauthorized access to corporate systems, applications, and data. You can prevent cloud phishing by implementing the following measures:
- Identity management—helps detect abnormal use of credentials.
- Secure password and login policies—set the overall policy with a session timeout policy to periodically force users to change their passwords.
- Multi-factor authentication (MFA)—provides an extra layer of protection against compromised credentials.
In this article, I covered the key challenges of securing end users in a hybrid cloud environment, and provided several best practices that can help improve the security posture on end user devices:
- Centralize the security strategy—ensure you have one set of security tools that governs security for users accessing on-premise and public cloud resources.
- Secure endpoints and browsers—deploy endpoint security technology to ensure user endpoints, especially personal devices, do not have malware or other vulnerabilities.
- Network segmentation—ensure that users connect to a network segment containing the resources they need and don’t have unnecessary access to other parts of the network.
- Prevent cloud phishing—take measures to prevent credential compromise, by implementing identity management, secure password policies, and MFA.
I hope this will be useful as you enhance security measures in your hybrid cloud environment.