Hybrid IT and data security musts
According to a recent SolarWinds public-sector survey, 96 percent of respondents reported moving applications and infrastructure to the cloud during the past year. That said, 29 percent ultimately brought some of these applications or infrastructures back on-premises due to security and compliance issues, poor performances or technical challenges.
The reality is, the cloud is secure -- oftentimes more secure than on-premises implementations. The key to an agency's successful cloud or hybrid IT implementation is to understand and maximize its cloud security posture in advance of the move. By understanding the differences in security demands for cloud and on-premises environments, and implementing any necessary changes in advance, federal IT pros can be confident that their applications and data in the cloud are secure.
While there are many ways federal IT pros can harden security within a hybrid IT environment, four actions come to mind as the most important.
First and foremost, identify potential areas of vulnerability and ensure counter measures are in place. It is naïve to think an environment is not vulnerable or will not be compromised at some point. Luckily, there is an entire federal organization designed to help combat those threats.
Start by leveraging the National Institute of Standards and Technology cybersecurity framework that guides federal IT pros through developing a framework -- based on existing standards, guidelines and practices -- for reducing cyber risks to critical infrastructure.
For example, NIST specifies that IT pros implement and monitor encryption of data at rest and data in transit. This way, data is protected regardless of which device it’s on, and even as it travels over the wire, regardless of whether that wire is on premises or in the cloud.
Second, understand the variety of additional actions that can help enhance security. For example, VPN tunneling can provide a highly secure point-to-point connection, and monitoring user access can ensure that only authorized users are able to access and/or control certain aspects of the infrastructure. These types of additional processes are critical to helping ensure data remains secure when it’s traveling from a server closet to the cloud and back again.
Third, cultivate or hire a team with the skillset to manage a hybrid IT environment. It’s possible that an agency's current IT team will not have the skills required to stand up and successfully operate a hybrid IT environment -- and that’s fine. The key is to start enhancing the team’s skills by adding competencies in hybrid IT management and monitoring, application migration, distributed architectures, automation and programming as well as vendor management. And, just as important, be sure the team has the right tools to manage and monitor both on-premises and in the cloud. Then build up administrator skillsets so the agency can successfully maintain a hybrid environment once it’s implemented.
Fourth, and finally, move all potential workloads into a test environment first. Monitor all performance closely for as long a period of time as possible, to create a baseline and historic perspective. This will provide an understanding of potential limitations as well as opportunities for improvement.
Agencies that take these four items into consideration should be well on their way to a secure hybrid IT environment.
Joe Kim is executive vice president engineering and global CTO at SolarWinds.