Building Bulletproof Security for Your Hybrid Cloud

It’s been just about one year since the world learned about the Spectre and Meltdown microprocessor vulnerabilities, and a little over 18 months since the big WannaCry ransomware attacks of 2017. Those events were a serious wake-up call for many organizations. Companies are revisiting their security controls not only to ensure that they can counter threats, but also to make sure that they can recover quickly if their defenses are breached.

In today’s IT operations across datacenters and hybrid cloud, building a tougher, more resilient security stance means bridging across different computing islands. You have your on-prem, and you have your various cloud pieces that depend on different providers. The challenge is to make sure that all of the components are tightly aligned and integrated, with compatible security configurations and a consistent level of security policies, processes and procedures. It can get pretty complex, because the platforms and applications involved are often very diverse.

HPE has developed a systematic, end-to-end approach to help you secure your digital enterprise. We call it the HPE Hybrid Cloud Security Solution Reference Architecture. It provides four views of your security posture:

The business view answers the question, “Why are we building a hybrid cloud and why do we want to secure it?” The answer to the last part of the question may seem a given, but it’s worth spelling out in some detail what could happen if your digital business is not well secured. When companies look at hybrid cloud, the main business drivers are flexibility, agility and, of course, cost savings. Security may not be perceived as falling into any of those categories, so it’s easily overlooked or tacked on as an afterthought. That’s risky. There’s been a spate of incidents in the recent past which showed that building in security after the fact is not a good way to go.

The business view enables you to determine your attack surface and your risks based on the sensitivity and privacy of your data. Make sure that security and data protection themes are baked into early discussions of hybrid cloud. Help your top decision-makers understand why you need the same level of security, or higher, across the new environment as you’ve traditionally had for on-premises infrastructure.

When you present your case for security investments, back it up with statistics and examples that detail the devastating impacts that companies have experienced as a result of security weaknesses. Talk about the potential dollar impacts of disruption to your business and reputational damage to the brand.

The functional view answers the question “What should the hybrid cloud solution do, and what security functions do we need?” It enables you to determine the right level of protection for your workloads, based on the risks you identified in the business view and your security policies. It systematically defines the right level of security controls that you will apply across your hybrid environment to achieve your business outcomes.

HPE’s approach takes a broad view of security controls and capabilities. It incorporates, for example, our P5 security control model (below), part of the Information Security Service Management methodology we use to define complete security programs for customers (see Lois Boliek’s blog The 5 P’s of Data Protection).