Multi-Cloud, Hybrid Cloud Security: Options and Flexibility
Multi-cloud and hybrid cloud strategies. The cloud is in the top three IT investment priorities for businesses, according to the newest Flexera survey. In fact, our own David Close, chief solutions architect at Futurex, wrote about how enterprises are commonly using multiple clouds for diversification and to fulfill requirements and regulations in his article, Maintaining Control Over Your Security Infrastructure in a Multi-Cloud World.
“The movement toward broad acceptance of cloud-based encryption and key management will accelerate as more of the pieces come together,” adds Ryan Smith, vice president of global business development at Futurex, in his Help Net Security article outlining cryptographic trends. At Futurex, we have definitely seen organizations become more aggressive with the cloud, especially financial services organizations that are moving toward payment processing in the cloud.
“Financial services is among the sectors looking to [the] cloud to secure workloads. Sophisticated cyberattacks pushed businesses to shape up cloud security strategies… Hybrid cloud is a popular approach as a way to balance security and cost,” echoes Katie Malone in CIO Dive.
We see these as the top cloud trends this year:
- The cloud will play a bigger role in financial services
- Increased cloud infrastructure deployments and spending across all industries
- Prioritization of security in the cloud
- Increased hybrid cloud use for cryptographic needs, such as payment processing
- More attention to encryption key management
The Importance of Cloud Security, Encryption Key Security
Cloud security continues to be one of the biggest issues concerning IT departments, with 96% of respondents in a recent survey, The State of Cloud Security 2020, expressing concerns. “A fundamental principle of enterprise security is robust key management and ensuring critical data is protected by well-managed encryption processes, wherever the data resides,” states Close.
It’s vital for enterprises to maintain control of their security infrastructure from end to end, a requirement that has become more complex with the advent of the cloud — and multi-cloud. Since encryption keys unlock the data, enterprises must maintain control over the keys and have airtight protections in place to keep them from being compromised in any way.
We know that the core of encryption is key management. Hardware security modules (HSMs) are tasked with managing the lifecycle of encryption keys used across an organization’s entire estate of applications. Sophisticated key management solutions are essential to any cryptographic operation because encrypted information is only as secure as the encryption keys. If the keys are compromised, then so is the encrypted data. I wrote about this in detail in my recent article, Key Management with Acuity: On-Premises, Cloud, Hybrid, published in Infosecurity.
What About a Hybrid Approach?
When it comes to encryption key management and securing cryptographic infrastructures, there are several options for organizations: on-premises, cloud, or hybrid. Today, we have seen many organizations seeking a hybrid model. They like the combination of physically overseeing their own HSMs plus the accessibility and convenience of the cloud. A hybrid approach, using both on-premises HSMs and cloud HSMs, allows organizations to construct an elastic infrastructure model for scalability, backup, and failover.
In fact, Forrester’s research indicates that 74% of enterprises describe their strategy as hybrid/multi-cloud. A recent CISO Mag roundtable, Gearing for Greatness: The Future of India’s BFSI Ecosystem, gathered financial services organizations to weigh in on hybrid approaches to HSMs. Highlights of the webinar are here.
While there is no one-size-fits-all approach to securing your cryptographic infrastructure, there are increasingly more options, especially as cloud providers give organizations more flexibility, such as retaining control of the keys. Organizations can now shift from one cloud provider to another or embrace a multi-cloud strategy.
I think my colleague, David Close, says it best when he recommends, “Whether it’s managing workloads, handling spikes and surges, providing disaster recovery, holding data at rest, or satisfying audit requirements, having a robust key management system as part of your security infrastructure is ever-critical.”