Securing Hybrid IT: Considerations When Moving To a Mixed Ownership Model


It seems that hybrid IT is here to stay, with 92% of IT professionals stating that adopting cloud technologies is important to their organization’s long-term business success, as highlighted in our recent report. However, there is some confusion around hybrid IT as a concept, and therefore caution around its adoption. 

The SolarWinds IT Trends Report reveals that the majority of businesses have migrated at least one critical application or element of infrastructure to the cloud in the past year. At the same time, the report reveals that the top reason organizations bring applications and infrastructure back on-premises is uncertainty over security and/or compliance in hybrid IT environments.

Part of the problem with securing hybrid IT is that many IT professionals are still confused about what hybrid IT actually means, and they can’t work out how to secure a hybrid IT environment until they fully understand it.

Confusion is understandable, as hybrid IT is complex, with IT infrastructure and applications running on-premises and in the cloud. It’s a mix of services completely owned and managed by an internal team, plus services completely owned and managed by cloud service providers (CSPs).

Many IT professionals who understand what hybrid IT means are still unsure of how security policies should account for it. The first step is to understand that, rather than sticking with traditional security policies, the IT team needs to develop security policies that work in a world of combined—both on- and off-premises—ownership models.

Hybrid cloud - responsibility without control
One of the key pieces to making sense of this complex hybrid IT model is Software as a Service (SaaS). SaaS simply means that the consumer of the software doesn’t have to worry about the underlying details of the applications or infrastructure. They just consume the business service, such as email or customer relationship management (CRM).

In the past few years, SaaS has grown in popularity due to its ease of use. However, as with the adoption of any new service, there are challenges to be addressed. 

The main challenge of SaaS is responsibility without control, and hybrid IT has the same core challenge. When there is a problem with the infrastructure or applications required to deliver a service that we don’t own or manage, the IT professional will have to submit a ticket request and wait to hear back like everyone else.

Of course, there are a few things that can be checked from an internal point of view, such as the functioning of the internal infrastructure and that the next ISP isn’t experiencing problems. After that, it’s just a waiting game.

Securing data is crucial to hybrid IT
Beyond the availability issue, there is also the question of data confidentiality. Moving from traditional on-premises data storage to a hybrid IT environment means that internet-based cloud services are now involved. Therefore, it can be hard to ensure the confidentiality and privacy of data if it is entered into a vendor’s application, and then potentially housed across the world in data centers with different local data security regulations. Encryption in transit, such as Transport Layer Security (TLS), can help to keep data confidential. However, even if data is transported securely, it won’t necessarily be stored securely.

Additionally, security is a concern when certain components of an application, for example a database or message queue service, are deployed in the cloud. Many IT teams opt for this approach when migrating applications, such as web services, from on-premises to the cloud. However, the IT team must ensure they don’t skip the usual internal security processes, and that those processes are updated to take into account the unique deployment nature of cloud-based services and the resulting changes to design.

It’s easy to start using Database as a Service (DBaaS), for example, but just as you wouldn’t put your entire database server directly on the public internet, the IT team also needs to ensure that network policies are in place so that only the required servers can access that service. Remember that DBaaS is just one component, and that security and connectivity problems need to be solved in the same way as if a database was deployed in an owned data center. 
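
The network-policy check described above can be automated. The following Python sketch is an added example, not part of the original article or any provider's tooling: it flags ingress rules that expose the database port beyond the required servers, then reports which required servers would lose access once those rules are removed. The rule format, addresses, port and function names are all constructed assumptions.

```python
import ipaddress

# Constructed inventory (assumption): the only hosts that need the database.
REQUIRED_SERVERS = ["10.20.1.10/32", "10.20.1.11/32"]
DB_PORT = 5432  # assumed service port

# Constructed ingress rules in a generic format, not any provider's schema.
SAMPLE_RULES = [
    {"id": "r1", "source": "10.20.1.10/32", "ports": (5432, 5432)},
    {"id": "r2", "source": "0.0.0.0/0", "ports": (5432, 5432)},
    {"id": "r3", "source": "10.20.0.0/16", "ports": (5000, 6000)},
    {"id": "r4", "source": "0.0.0.0/0", "ports": (443, 443)},
    {"id": "r5", "source": "::/0", "ports": (0, 65535)},
]

def _within(inner, outer):
    """True if network `inner` lies inside `outer` (same IP version only)."""
    return inner.version == outer.version and inner.subnet_of(outer)

def _reaches(rule, port):
    low, high = rule["ports"]
    return low <= port <= high

def audit_db_ingress(rules, required, db_port):
    """Return (rule id, reason) for each rule exposing db_port too widely."""
    allowed = [ipaddress.ip_network(c) for c in required]
    findings = []
    for rule in rules:
        if not _reaches(rule, db_port):
            continue  # rule never touches the database port
        src = ipaddress.ip_network(rule["source"], strict=False)
        if src.prefixlen == 0:
            findings.append((rule["id"], "open to any address"))
        elif not any(_within(src, a) for a in allowed):
            findings.append((rule["id"], "wider than the required servers"))
    return findings

def unreachable_after_cleanup(rules, required, db_port):
    """Required servers that lose access once the flagged rules are removed."""
    flagged = {rid for rid, _ in audit_db_ingress(rules, required, db_port)}
    kept = [ipaddress.ip_network(r["source"], strict=False) for r in rules
            if r["id"] not in flagged and _reaches(r, db_port)]
    return [c for c in required
            if not any(_within(ipaddress.ip_network(c), k) for k in kept)]

if __name__ == "__main__":
    for rule_id, reason in audit_db_ingress(SAMPLE_RULES, REQUIRED_SERVERS, DB_PORT):
        print(rule_id, reason)
    print("add explicit rules for:",
          unreachable_after_cleanup(SAMPLE_RULES, REQUIRED_SERVERS, DB_PORT))
```

The second function covers the connectivity side: a server that only worked because of an over-broad rule needs its own explicit rule before that rule is tightened.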

Less speed, more security with hybrid IT
When it comes to anything “as a service”, there is often the expectation of very fast deployment, often at the expense of security. Speed versus security can be an issue, so slow down and put robust procedures in place that consider the new design of your hybrid IT environment. Also, don’t give in to the “easy to deploy” temptation of rapidly rolled-out cloud if speed risks compromising security. It is critical that the IT team takes its time and gets security and compliance right from the outset.

It’s never too late to strengthen hybrid IT cloud solutions
Whether you are just starting your journey to a hybrid IT environment, or are already fully deployed, the IT professional needs to remember that it is never too late to strengthen security and reliability. Take the time to understand the distributed, mixed ownership IT world, and how it changes the infrastructure, team, and overall approach to security. If you follow these guidelines, you’ll be in a much better position to get it right. 
