The federal government is looking toward hybrid data centers as an ideal solution for balancing agility with security, while meeting IT consolidation goals. But those data centers bring with them their own set of challenges that need to be solved.
As hybrid environments become more popular, federal IT teams are faced with managing and securing their on-premises and cloud infrastructures, while minimizing costs – and there’s no single tool or approach that can solve all these problems.
With this in mind, let’s look at three ways federal agencies can address these challenges by adopting new mindsets, tools, and best practices.
1. Shift skills and mindsets from on-premises to cloud thinking
In order to ensure a successful hybrid data center strategy that minimizes cyber risk, agencies must understand that the skills involved in managing a physical data center are quite different than those needed to manage hybrid cloud environments.
The cloud draws on a vast array of capabilities, such as virtualization and containerization, that are driving innovations in application development and deployment. At the same time, these bring a hidden challenge – a cloud security skills gap.
According to CSO Online, nearly a third of organizations have identified a challenge in locating individuals capable of managing converged infrastructures. It’s not surprising. IT staff, used to managing on-premises data centers, are suddenly faced with myriad considerations that span two universes – the data center they already know and a new cloud environment where much of what they are familiar with (racks, servers, networks, and some elements of security) have been abstracted away.
Things get even more problematic when staff try to manage their cloud infrastructures as an extension of their private data centers. Use of a hosted provider is great for efficiency and agility, but it can play havoc with an IT administrator’s ability to visualize and control everything that’s going on with regard to their applications and data. This can create security blind spots – something that no government IT professional wants.
Then, there’s the shared security model, which can be confusing, particularly for more unseasoned administrators. According to shared security models, although the cloud provider is responsible for security of the cloud, the agency is responsible for securing applications and data in the cloud. Any misunderstanding about where that line of separation falls could create gaps in the organization’s security posture that threat actors would be all too willing to exploit.
Many IT operations managers make the mistake of thinking that tools and technology will solve all these challenges, rather than focusing on building the right understanding and knowledge so those tools can be used appropriately.
To do this there must be a concerted effort by IT and agency leaders to find ways to bridge the divide between traditional IT and the cloud. They must identify staff with the proper skill sets needed to support agencies’ hybrid data center strategies. If additional education is required, agencies must train individuals in the area of cloud security and performance or supplement them with outside resources.
Finally, they should augment this strategy by building a “security first” mentality across the organization. Bringing together IT, developers, DevOps teams, and functional business leaders and ensuring there is clarity and understanding of how a hybrid environment can be leveraged in a safe, secure, and comprehensive way can go a long way toward creating an effective security posture that everyone supports.
Remember that people are often the weakest link in any organization’s security posture, but they also understand the goals of the mission. Given the opportunity and training, they are often best placed to deliver on those goals.
2. Choose the right tools
While tools and technology in and of themselves will not solve these challenges, the right solutions can support agencies’ security efforts. But, managing applications on different infrastructures requires a new approach to tooling.
Traditional security and IT management tools are either designed for the cloud or on-premises infrastructures, not both. This forces administrators to move back and forth between dashboards and consoles to keep track of what’s going on across their hybrid portfolio – further introducing the risk of security incidents or performance issues going undetected.
Administrators need a single pane of glass that gives them an unfettered view across their hybrid and multi-cloud environments. Through this view they can gain a complete picture into the overall health, performance, and security of their network, database, systems and applications so they can quickly and easily identify and mitigate risk.
The right tools also make it easier for IT managers who struggle to manage massive and confusing hybrid environments to get a handle on things. If they can do that, they can feel more assured that their data and applications are secure.
3. Harmonize access control
Compliance requirements and other mandates require detailed user access monitoring, particularly for users who have access to critical and sensitive data. But access control and management become much more complicated as employees, contractors, and sub-contractors interact with data served from different infrastructure sources.
Between mistakes and technology deployment misconfigurations, organizations are finding themselves highly susceptible to threats that are perpetuated from the inside, leaving themselves effectively wide open to attacks. Indeed, according to a SolarWinds federal IT survey, 56 percent of IT managers cite user errors as the top cybersecurity threat facing their organizations.
To minimize the risk posed by insider threats, agencies must harmonize their access control mechanisms, such as Active Directory or Microsoft Office 365, so that they can manage and audit access rights across the entire infrastructure – both cloud and on-premises.
Hybrid cloud management and security: more than a ‘lift and shift’ approach
While the flexibility and agility of hybrid IT environments can help the federal government support its mission-critical operations and meet IT consolidation goals, these environments are incredibly complex and must be properly implemented, managed, and secured. The challenge for agencies is to balance the elasticity, scalability, and nimbleness of the cloud without introducing overbearing levels of security and monitoring, or overburdening IT teams.
A simple “lift and shift” of people, tools, and thinking is not always feasible. Instead, agencies should approach their hybrid data center strategy in a way that leverages their resources wisely – sharpening the skills to avoid exposing their cloud environment to risk and adopting new tools designed for the complexities of hybrid environments.