Managing Compliance and Cyber Risk in Today’s Hybrid Cloud Environment
Protecting An Ever-Increasing Attack Surface
Today, it comes as no surprise that enterprises need to protect a hybrid cloud environment that could include their on-premise data center, multiple public and private clouds and managed clouds.
How to apply security policies and maintain control across all these environments was the subject of a keynote on “Top 10 Ways To Manage Compliance And Cyber Risk Posture For The Hybrid Cloud,” by Kaus Phaltankar, president of Caveonix, on the first day of the Cyber Security Digital Summit.
Phaltankar started out by summarizing the challenges of migrating to the cloud, including cyber risks, compliance and risk mitigation. There are also increasing regulations, including GDPR, ISO and PCI, among others. “This is a continuous exercise,” he noted. As you add new apps and workloads and new tech like microservices, you want to know that they meet compliance requirements on a continuous basis, which means automation.
Who is responsible for compliance in the cloud? It’s a shared risk model in the public cloud environment, he said. The cloud provider will state in their contract they are responsible for infrastructure, security risk and compliance. Workloads and applications fall under the purview of the enterprise. However, Phaltankar noted that there are assumptions in multi-cloud environments. While service providers are doing everything they need to do to make sure the infrastructure is secure and compliant, “that does not mean you and your workloads are automatically compliant,” he cautioned. “You still are responsible for what you’re running,” meaning the platforms, the databases and the applications running on that infrastructure. This is especially true in a hybrid cloud model, where portions may be running in your environment.
There are significant penalties for non-compliance, and they could put a company out of business, he noted.
Getting a handle on compliance and risk management
Gone are the days when IT just reacted to the problems, Phaltankar said. Today, “the good guys have to get it right every time, while the bad guys only have to get it right once.” Reacting to problems you’re alerted to from your SIEM system isn’t going to put you ahead of the curve, he said, so you need to develop a good security and compliance posture and take a risk-based approach.
There needs to be a combination of proactive and reactive risk management tactics that identify the risk elements that may impact your application in the hybrid cloud, so they can be addressed before something becomes a problem, he said.
Phaltankar also discussed the different cybersecurity frameworks available, the different steps to determine which framework is best for your organization and how to implement one. All of them are free, he stressed.
He talked about how to create a single pane of glass for visibility into your risk management structure and protection at different layers.
Software-defined data centers are not new, he pointed out, but what is new now is the virtualization of the network component overlaid on a physical network. As workloads are moved around, it’s a good idea to make that process simple, he said, because there is a whole stack of software-defined components that include compute, network security and storage. You also need risk management controls in a hybrid cloud environment and must be able to extend them across the control plane, he said.
In the final segment, Phaltankar detailed 10 ways to secure hybrid cloud and multi-clouds when you digitally transform your environment. The first is by focusing on automation, he said. “Doing this manually in the cloud is just not scalable.”
Other ways to manage compliance and cyber risk in the hybrid cloud include having processes that are continuous and not discrete; proactive and not just reactive (although both are needed); and quantitative, not qualitative. Focus on the business/mission impact versus non-business issues, he advised. Put your resources into what is important to the business. You also need predictive analytics, not just historical analysis.