The robust security design of applications moved to hybrid cloud infrastructure is much on people’s minds today, as serious breaches and data compromises seem to occur almost daily. The Colonial Pipeline ransomware attack caused widespread gas shortages across the east coast of the US; another ransomware attack disrupted Ireland’s Health Service Exchange; a data supply-chain attack “trojanized” updates to SolarWinds software; and then there were the Microsoft Exchange server data breaches.
In many application modernization projects, such as cloud migration or microservices refactoring, security is designed using prevailing industry standards such as OpenID and Security Assertion Markup Language, as well as cloud platform capabilities such as Identity Access Management and Credential Vault.
These standards and capabilities are strong, but security designs that feature them typically overlook certain elements that are unique to locking down hybrid cloud infrastructure — a situation made more complicated by the rapidly evolving security threat landscape.
We believe six critical security principles have emerged that must be considered by organizations hosting applications in a hybrid cloud environment:
- Hybrid cloud security is more complex than public cloud security.
- A data security classification policy is an integral component of security design.
- Mobile access anytime from anywhere increases the vulnerability footprint.
- Authentication and identity management are cornerstones of cloud security.
- Automation is the vehicle for delivering consistent hybrid cloud security.
- DevSecOps pipeline and middleware vulnerabilities can compromise the entire IT ecosystem.
In this article we explore each of these principles, making recommendations and noting applicable real-world scenarios.
1 Hybrid cloud security is more complex than public cloud security.
Hybrid cloud environments are often a composite: legacy applications running on the data center blended with newer applications hosted on the public cloud. This produces a mishmash of multiple authentication systems and various forms of access control that might require, for example, Federated Identity to provide a single point of access to multiple systems across different enterprises, or legacy integrations through anti-corruption design patterns to isolate modern architecture from legacy design.
- Recommendation: Conduct careful analysis and testing to ensure you do not introduce new security vulnerabilities — for example, by integrating high-risk cloud-native apps with legacy systems housed on premise, which did not address the vulnerability of open-source code during the application modernization process. The notorious 2017 Equifax breach occurred because the company used a version of Apache Struts with high-risk vulnerability.
- Real-world scenario: Consider, for example, a mainframe application program hosted in a data center that is extended via IBM MQ support to support mobile device access through services running on the public cloud. The strict security controls in IBM’s mainframe RACF with the original program could potentially be bypassed or defeated as the mainframe program is extended into supporting cloud-hosted services because the mainframe RACF controls were incorrectly mapped to cloud role-based access control (RBAC), creating the potential for a backdoor attack.
2 A data security classification policy is an integral component of security design.
With a data security classification policy, data is categorized into security levels ranging from “highly sensitive” to “public,” and various policies are created for accessing and updating data. This determines what data can be accessed from where and in which fashion. On hybrid cloud, the data can reside on multiple platforms; often, the same data takes on different forms and might not be fully aligned with the security characteristics of the original data.
- Recommendation: If the hybrid cloud handles sensitive data, use methodical data flow mappings to ensure data security constraints are preserved.
- Real-world scenario: Picture an intranet search crawler indexing data with restricted access along with public data. A security breach may result if the restricted data index contents are returned during a search by an unauthorized user.
3 Mobile access anytime from anywhere increases the vulnerability footprint.
With the prevalence of mobile device access as a result of COVID-19-driven social distancing protocols, the days of accessing intranet applications from the corporate network on secure office premises are waning. This increases the security vulnerability footprint due to interactions with mobile devices of varying capabilities that might be in unsecure locations.
- Recommendation: Addressing this vulnerability requires a comprehensive endpoint security strategy combined with other security controls, such as limiting certain operations from mobile devices. Additional verifications could include fingerprint access to perform certain operations and a robust security monitoring capability to quickly detect unauthorized usage.
- Real-world scenario: A CRM application provides role-based access ranging from read-only to full access to edit or recategorize sales pipeline records. Additional security is provided by adding digital signatures through mobile device verification, and by limiting that access to a time window.
4 Authentication and identity management are cornerstones of cloud security.
Most security breaches are accomplished by circumventing authentication security controls through phishing, replay, brute force and other spoofing attacks. This makes authentication a critical component that is optimally secured through multiple security tiers.
- Recommendation: Password authentication can be supplemented with a CAPTCHA system to avoid brute-force attacks. Two-factor authentication (2FA) offers additional validation, allowing only registered mobile devices onto the network, as does biometric security such as fingerprint detection. These mechanisms should be combined with robust identity management to set password requirements, password expiration times, password disablement policies and identity validation questions. Finally, a robust security monitoring capability can rapidly analyze patterns of network access for any security attacks in motion.
- Real-world scenario: Consider a case in which a strong password policy is deemed sufficient to go live but fails to prevent password spoofing. Subsequent measures to strengthen security would include introducing 2FA to guard against password spoofing; adding CAPTCHA on the login screen to prevent brute-force password attacks; and caching all publicly accessed content on a content delivery network in case of denial-of-service attacks.
5 Automation is the vehicle for delivering consistent hybrid cloud security.
The hybrid cloud can be thought of as a mosaic of interacting components. Within this mosaic are frequently shared and repeatable patterns of infrastructure and software design.
- Recommendation: Identify these patterns (i.e., a security configuration to set up a virtual machine or to invoke a REST service); set up automation for infrastructure-as-a-service (IaaS) templates, for example, that captures all security concerns or for a Java Web Token software-based framework to enable secure invocation of web services; automate everything through version-controlled scripts, including capturing any impervious manual tribal knowledge; continually challenge the security characteristics of all components through a fully automated DevSecOps pipeline.
- Real-world scenario: Security best practices have been historically understood by IT teams, but their designs are often implemented as a jumble of approaches across manual, scripted and automated processes, causing security vulnerabilities. A systematic approach to define global roles, as well as IaaS templates for consistency enforced and validated through DevSecOps pipelines, could help build a robust security infrastructure.
6 DevSecOps pipeline and middleware vulnerabilities can compromise the entire IT ecosystem.
The SolarWinds and Exchange Server attacks both underscore the far-reaching impact that is felt when attackers compromise the security of many sites that use popular products.
- Recommendation: Adopt a zero-trust security policy for all IT components, particularly from external sources — even sources widely perceived as trusted and secure.
- Real-world scenario: The DevOps team puts in place a quarantine zone for all new software products, for all software products that were recently patched, and for all software leveraging new versions of libraries. Within the quarantine zone, the behavior of the software component is closely monitored for a specified time period prior to a phased wider release.
In our experience, the measures shown in the following figure result in a robust security model that addresses many challenges of hybrid cloud security.