Moving to hybrid IT? Make sure cloud cyber security isn’t left behind

Today’s new hybrid IT approach lets organizations tap into the public cloud, private clouds, conventional IT, mobility and more to create a single, comprehensive set of compute services. But cyber security in this environment is far too often treated as a separate element. That’s a big mistake, and a dangerous one.

When organizations neglect security, they risk costly breaches that can negate hybrid IT’s many benefits, including a shift of CAPEX dollars to OPEX, greater flexibility and improved scalability. What’s needed is an integrated model for security, which ensures that the movement of data and workloads, as well as the data-sharing between public and private clouds, will be completely protected.

In this white paper, we describe why hybrid IT requires a new approach to security, outline a dozen best practices, and show how DXC Technology can help your organization safely implement hybrid IT.

Consider a public-cloud application that depends on, and shares data with, an application run from a private data center. Both environments will need to be secured as part of a single integrated view. Similarly, while various elements of a hybrid IT environment may need different tools and techniques, these must be organized under a unified security strategy. That means single compliance and governance models as well.

New security approaches will be needed because the public cloud creates new attack surfaces. That’s a serious issue in light of the fact that many organizations hope to move up to 80 percent of their legacy applications to the public cloud. In today’s cloud-first environment, older tools designed to protect legacy IT no longer suffice.

Most of the security tools that companies are using today will need to be either remediated or replaced. In addition, moving to the public cloud makes it far easier for organizations to accidentally expose their sensitive data and workloads. With the rise of “shadow IT,” all it takes is one naive user mistakenly placing sensitive files in public cloud storage and suddenly an organization’s data is at risk.

On top of all that, hackers and cyber criminals are getting more sophisticated, and there’s a growing need for regulatory compliance worldwide. In fact, chief information officers (CIOs) and chief information security officers (CISOs) who fail to create an integrated security strategy as part of their move to hybrid IT will put their organizations at serious risk. These organizations will likely need more time to resolve security incidents, exposing themselves to greater damages. And they’ll be less able to quickly and accurately predict where the next attack or breach is likely to occur, potentially exposing themselves to even more attacks and losses in the future.

Best practices for secure hybrid IT

Cyber security in today’s hybrid IT environment must be relentless. What’s needed is an “unblinking eye” that’s always watching and, in the event of a breach, always ready to respond, quickly and consistently.

On the one hand, cyber security involves lots of relatively simple activities. On the other, these activities must be done repeatedly and consistently — that is, all the time.

Start by taking an approach that’s holistic, not just tactical. The approach of “I’ll just move this workload to the cloud and secure it” is no longer sufficient. Instead, you’ll need a strategy for the entire perimeter of your hybrid cloud environment, one that includes not only cloud security, but also identity and access management (IAM), monitoring, and more. Also include a cloud-readiness assessment to plan the transformation of your applications and infrastructure.

Here are a dozen key steps that will help keep your hybrid IT environment safe and secure:

• Assign duties and responsibilities. Talk with your cloud service providers to find out who’s responsible for what. Which tools should you use, and how? And how do you connect these new tools with those you already use?
• Adopt policies. You’ll need policies to manage the explosive growth of bring-your-own-device
• practices. You’ll also need policies to manage your service providers.
• Start with identity. In a hybrid IT environment, your organization’s ability to accurately authenticate every user’s identity is essential. So is your ability to quickly determine which workloads, applications and data each user is entitled to view, change and share.
• Apply AI. Artificial intelligence and analytics tools can correlate security telemetry to information stored in your organization’s data lake. In this way, they can provide you with an integrated view of your organization’s total data pool, not just the data in single environments. And by analyzing this data, AI tools can also detect your most urgent security threats today, and predict where they’re likely to occur tomorrow.
• Gain greater visibility, audit and reporting. Although separate tools now exist, the next frontier will involve their integration. The larger goal: a single view into your hybrid IT environment’s security standing.
• Adopt DevSecOps. This approach essentially bakes security into the DevOps process, rather than bolting it on at the end, as has been traditionally done. DevSecOps is a proactive approach to ensuring that all your new applications are kept highly secure.
• Embrace the self-service model. Many public cloud services offer self-service to provision resources and services, and this is dramatically different from the traditional IT approach of work orders and service requests. To proceed safely, ensure that all security-automation features are engaged so that your newly provisioned services and resources will have automatic security built in.
• Approach cloud security from an enterprise perspective. First, understand the workloads that could be migrated to the cloud. Second, understand each workload’s enterprise-security requirements. Third, select the cloud platform and architecture. Fourth, understand the shared responsibilities between you and your service providers. Finally, adjust your existing security approaches and solutions to focus on IAM, data protection, privacy and more.
• Implement key security capabilities. These will likely include data-centric security; dynamic infrastructure hardening; monitor/detect/respond; continuous regulatory compliance; and shared access management.
• Scan data on use. Data stored in the cloud has a serious security limitation: It cannot be scanned for malicious content. For this reason, you’ll need to establish processes that let you scan contents accessed via cloud storage “on the fly.” You’ll also need to be able to re-scan repositories when a type of malware is known to have spread into the wild.
• Follow industry best practices. With so much work done in this area, there’s no need for you to reinvent the wheel. One good place to start is with the Cloud Security Alliance’s data-security life cycle.
• Gain new skills. Training will be vital. That’s because securing hybrid IT involves new approaches, such as software-defined networking and microsegmentation, and these require skills your staff is unlikely to already have. Don’t neglect training!

DXC: Your guide to a secure hybrid IT environment

Fortunately, when securing your hybrid IT environment, you can turn to DXC Technology for help and guidance. For more than 50 years, we’ve been securing core IT systems for many of the world’s leading businesses and governments. Today, DXC employs more than 4,000 security professionals worldwide. As a vendor-agnostic, prime security integrator, we also offer industry-leading, end-to-end security solutions and around-the-clock security management and monitoring.

You can turn to DXC for a broad array of services to make your hybrid IT environment secure — both inside and outside your data center. We’ve been marrying our traditional approach to cyber security with new tools and approaches for today’s hybrid IT environments. That includes focusing on the integration of a continually evolving set of services that include IAM, cloud broker monitoring and network capabilities.

For example, DXC’s Managed Cloud Access Security Broker can help your organization protect its most sensitive data. This solution first identifies all cloud applications being used by your organization. Next, it determines which applications should be sanctioned. And finally, it creates and enforces security policies through continuous monitoring and threat analysis. That’s powerful and secure.

You can also turn to DXC for an overarching view of your hybrid IT environment, which is far better than the more common piecemeal approach. DXC’s security-first mind-set can help you shape your security standards, share responsibilities with your third-party suppliers and provide for an in-depth defense.

Continue reading about what's next for cloud security and how to prepare.

Contact us to find out how to create a security strategy for your hybrid IT architecture that’s truly integrated.