Mark Houpt, Chief Information Security Officer at DataBank, takes a look at key security and compliance factors when adopting a hybrid IT strategy for your business.
Hybrid IT focuses on how to efficiently manage existing networking systems and multi-cloud solutions with the goal of delivering IT resources as a service. There’s no question that hybrid IT offers many advantages such as agility, scalability, resiliency, automation, simplicity and reduced costs. And yet, according to a survey by 451 Research, 55 percent of enterprises stated that security and compliance issues surrounding hybrid IT were the primary factors inhibiting adoption. Meanwhile, IDG Research found that 76 percent of IT decision makers say they are experiencing challenges implementing a hybrid IT model.
Although the commercial and operational advantages of hybrid IT are compelling, for financial services and healthcare organizations as well as enterprises that market their services to the government sector, security and regulatory compliance are non-negotiable. Any organization that must meet HIPAA, PCI, FedRAMP or other types of compliance measures must ensure that their IT and cloud providers can satisfy stringent standards.
Assessing the Threat Landscape
As hackers and cyber criminals become more aggressive, chief information officers (CIOs) and chief information security officers (CISOs) who fail to create an integrated security strategy as part of their move to hybrid IT are putting their organizations at serious risk. An increasingly sophisticated threat landscape and more distributed IT environments are forcing organizations to ensure that security governs all aspects of their hybrid IT models, from colocation facilities to cloud applications.
In the healthcare sector, we need only look to the 2017 cyberattack on Georgia-based Augusta University Health to recognize the vulnerabilities of organizations that are negligent to establish a robust security posture. A security breach exposed the data of 417,000 patients, including demographic information, medical data, dates of services and insurance information. For a small percentage of patients, Social Security and driver’s license numbers were pilfered. Hackers commonly use this type of data to commit medical and financial fraud.
The same year, Equifax, one of the ‘Big Three’ credit reporting agencies, reported a data breach that exposed the sensitive personal information of 147.9 million U.S. consumers, including their names, addresses and Social Security numbers. In addition, the credit card numbers of 209,000 cardholders were accessed.
Nor is the government sector immune from such attacks. According to Thales e-Security’s 2018 Data Threat Report, 71 percent of IT security professionals in U.S. federal agencies disclosed that at least one breach had occurred at their respective agencies. Additionally, while there has been an increase in government agencies moving to the cloud, only 23 percent of those agencies are using encryption. Moreover, of those using encryption on the cloud, 34 percent lack full control because the cloud providers possess the encryption keys. In these cases, a third-party is actually in charge of government data. Perhaps most concerning, these disclosures came to light during a period when the U.S. government had elevated spending in IT security.
Colocation and Protecting Data Across Public and Private Clouds
As the above instances of cyberattacks and data breaches clearly demonstrate, a secure and resilient infrastructure is vital to reduce risk and increase the reliability of mission-critical systems and applications. Reinforcing an organization’s security posture, hybrid IT provides the option to calibrate business decisions and determine the optimal place for data to reside. The challenge, however, is not so much where the data is stored, it’s the added complexity of safeguarding information as it traverses colocation, public cloud and private cloud environments. More on that later.
As hackers and cyber criminals become more aggressive, chief information officers and chief information security officers who fail to create an integrated security strategy as part of their move to hybrid IT are putting their organizations at serious risk.
A critical step in shoring up hybrid IT security practices is to first conduct a comprehensive security and governance audit. Such an audit should include an evaluation of all data security policies, user privileges and compliance regulations, when applicable. Next, organizations need to determine the workloads that could and should be migrated to the cloud. For example, data stored in the public cloud has a serious security limitation in that it cannot be scanned for malicious content. Equally important is to understand each workload’s security requirements and select the appropriate cloud platform and architecture. Finally, businesses should understand the shared and discrete security responsibilities between them and their cloud service providers.
Not performing this level of due diligence prior to cloud migration can have costly repercussions. A study by IDG Research found that more than half of organizations surveyed had to move one or more workloads back from a public cloud to an on-premises model because of data security concerns. 451 Research has even coined a term for this reverse migration: cloud repatriation.
A third-party colocation provider that can offer a broad range of managed services is the foundation of any sound hybrid IT strategy. At DataBank, for example, we take a holistic view of client workloads, no matter where they reside. Colocation offers an even better security posture than on-premise since physical security is in the hands of experts.
Among the core benefits of our platform is that we can control colocation, private cloud and public cloud, applying consistent security coverage and compliance to all these environments. In fact, one of DataBank’s most significant security advantages is that we provision and maintain a company’s infrastructure, enforcing security to its platform while covering a far greater number of compliance controls than public cloud — 80 percent versus 20 percent — thus freeing up the organization’s resources.
Also essential is to maintain end-to-end visibility across the entire infrastructure so that IT staff can introduce the right mix of security layers and controls to ensure redundancies and create a protective environment. For example, keeping a network up and running at all times is critical in a healthcare setting. If the network goes down, physicians and staff aren’t able to access medical records, utilize next-generation medical applications, communicate with other departments, and view or order lab tests, all of which would undoubtedly harm their ability to treat patients.
Lastly, data-centric security techniques combined with identity-based controls should be implemented to defend against unauthorized access to information and systems across distributed environments. Security-minded organizations, especially those that face stringent compliance regulations, deploy advanced encryption techniques to protect data at rest, in motion, and in use across public and private clouds and enterprise systems. Identity management adds an additional layer of role-based access rights across enterprise directories and service catalogs.
Ensuring security and compliance are essential when adopting a hybrid IT strategy. The aforementioned steps can assist organizations to reduce the risk of a cyberattack or data breach that could disrupt operations and lead to significant financial loss or damage to brand reputation.
Mark Houpt is Chief Information Security Officer at DataBank.