Table of Content
- Optimizing workload and data placement through a hybrid cloud strategy
- Closing the security gap in the cloud
- The best of both worlds: Hybrid IAM with a Zero Trust approach
- Balancing accessibility and security: Hybrid IAM best practices
- Use the right tool: How ManageEngine AD360 can help build a hybrid identity management program
The hybrid cloud is a boon for digital-first businesses
For organizations that depend on the on-premises IT infrastructure and traditional security models, it is easier to verify and authorize everything inside the corporate network, including devices, users, applications, and servers. Users trying to gain access from outside the corporate network are authenticated using virtual private networks (VPNs) and network access control (NAC). With the increasing adoption of the cloud and remote work, the new enterprise architecture is redefining the perimeter. Data is also stored outside of corporate walls, and users access enterprise applications that are located on the cloud, as well as inside their corporate network through various types of devices from locations outside the corporate network.
As the traditional perimeter of the network, with its known points of entries and exits, shifts into something with softer boundary lines, identity is considered the new network perimeter. Identity management will become even more crucial with the adoption of the hybrid cloud and the means of access increasing day by day.
The United States National Institute of Standards and Technology (NIST) defines the hybrid cloud as "a mixed computing, storage, and services environment made up of on-premises infrastructure, private cloud services, and a public cloud, with orchestration among the various platforms." Its primary benefit is agility. Cloud infrastructure is owned, managed, and monitored by the cloud service provider (CSP), which possess a considerable amount of control over data security functions and services within their cloud-hosted infrastructure. Some service providers are not always transparent about their business decisions, which might adversely impact operations for their clients. For example, a service provider might choose to move their data centers locations but not announce this, potentially causing compliance issues. Even differences between vendors platforms create issues for customers wanting to efficiently switch between services, and limits their ability to transition from on-premises data centers to a public cloud, or to a private cloud, and vice versa. A hybrid cloud enables organizations to optimize their cloud connectivity, and maintain flexibility in terms of migrating data and workloads between cloud infrastructures.
Optimizing workload and data placement through a hybrid cloud strategy
As companies embark on application and data modernization, they should consider using a hybrid cloud, as it balances the application and data workload across both platforms.
Hybrid deployments include the benefits of both the cloud and on-premises. They bring innovation, speed, storage, and scalability of the cloud, and regulatory compliance, performance, and data gravity of on-premises in a single platter. Organizations that operate with workloads distributed among multiple data centers and the cloud need to keep pace with emerging trends in digital transformation and IT security. A hybrid cloud deployment can be beneficial as it can effectively enhance performance, flexibility, and security.
With the increased adoption of remote working, organizations are struggling manage IT services efficiently. Enterprises must strategically utilize their resources so that all infrastructures, applications, data, cloud and on-premise deployments are secure and optimized for business continuity. In these situations, global enterprises often prefer a hybrid application for optimizing data placement. The key factors to remember while deploying the hybrid cloud model are:
- Organizations should begin with a roadmap to build a hybrid cloud strategy. This includes choosing which applications and workloads are placed in the cloud and which remain as on-premises to obtain scalability, better performance, and availability.
- The existing IT infrastructure layout should be taken into consideration while framing the roadmap. This ensures that business critical capabilities are in place in case the cloud migration does not succeed.
- Abstracting real-time data from a cloud operating model, and analyzing using machine learning-based solutions can provide organizations full control over their data, applications, and workloads. It can help drive business agility while ensuring data security.
- Most often, cloud deployments do not succeed due to the lack of trained professionals with the right skills and expertise able to perform technical operations. Organizations should bring on board well-trained technology and service providers who can help the organization successfully implement a hybrid deployment while ensuring business continuity.
In the on-premises model, everything within the network perimeter is verified and trusted. Now, as we move towards remote working and modernization programs for cloud-ready infrastructure and the Internet of Things (IoT), the network perimeter is disappearing. With the increasing number of data breaches, enterprises are realizing that the traditional "moat and castle" approach will not work for hybrid models.
Closing the security gap in the cloud
The misuse of employee credentials and improper access controls accounts for 42 percent of unauthorized network access, according to research conducted by Cybersecurity Insiders. Unauthorized access is perceived as the single biggest vulnerability to cloud security, and that’s why it’s critical to deploy a comprehensive security management tool designed exclusively for hybrid cloud security. With the right tool, all cloud applications and gateways can be managed and monitored from a single console.
Managing identities, authentication, and access in on-premises infrastructures can be accomplished simply with Microsoft’s Lightweight Directory Access Protocol (LDAP) and Active Directory (AD). However, in the cloud, it’s much more difficult for IT departments to monitor which users are accessing which applications and services. Therefore, most organizations take a practical approach and adopt more Software as a Service (SaaS) applications. Many organizations upgrade their existing applications to a cloud version, and retire obsolete on-premise and legacy versions when possible.
With a portion of the workload placed outside the on-premises data centers, hybrid enterprises should focus on ensuring secure access to every user, application, and device, irrespective of their location. This access should be contextual, which allows IT admins to create access policies for users based on location, IP address, device, etc. In other words, the only way you can succeed on your cloud journey is by deploying the right identity and access management (IAM) solution.
IAM providers can be classified into three categories:
- Legacy on-premises IAM: Organizations committed to on-premises IAM do not typically migrate their legacy technology to a cloud platform as it presents many challenges. Instead, many of these organizations initiate their move to the cloud through a hybrid option.
- Mix of legacy on-premises and cloud IAM: IAM vendors who started with on-premises solutions, are now trying to offer hybrid identity solutions. A hybrid cloud identity and access management solution includes both on-premises and cloud-based systems, and uses a common method for authorization. While these vendors have advanced solutions built for pure on-premises workloads, their equivalent hybrid cloud IAM functionalities, like multi-factor authentication (MFA), single sign-on (SSO), and social logins are integrated with their existing on-premises IAM solution. Addressing concerns such as data management and security, mid-size to large enterprises prefer to choose this approach.
- IDaaS: As the number of users increase rapidly, an Identity as a Service (IDaaS)-focused vendor helps to leverage cloud identity efficiencies, as well as the manage the network effects of the cloud. Organizations planning to transition to the cloud, and keep a minimal on-premises footprint, have to enable cloud-based authentication in their security architecture. Certain legacy applications cannot be re-engineered to modern standards. In such cases, organizations should be able to integrate the IDaaS benefits to their legacy applications. This approach, known as cloud-first hybrid, can reduce the burden of organizations performing workload-sizing before the initial deployment.
With varied cloud deployment models, organizations need to enforce proper access policies to ensure data security. Traditional IAM strategies are not enough in an ever-evolving hybrid environment. To address this challenge, organizations must build a unified security strategy with hybrid identity management at the center. Hybrid IAM should focus on three main objectives:
- Verifying and providing secure access to each and every user who is attempting to access organizational resources across private cloud, public cloud, or on-premises data centers.
- Enforcing just-in-time provisioning integrated with least-privilege access to control, and limiting access to business-critical assets. Such granular access control is essential to prevent lateral movements by the attackers.
- Inspecting network traffic for malicious activities or anomalies to prevent attacks. All users and devices connected to the network should undergo real-time monitoring, and based on the contextual access policies, access should be revoked as and when an anomaly is detected.
As organizations move to the cloud, a significant amount of an organization's data migrates outside the corporate perimeter. To build a security framework that can withstand the dynamic challenges of cloud infrastructure, it’s important to adopt a Zero Trust security model.
The best of both worlds: Hybrid IAM with a Zero Trust approach
Based on the notion "never trust, always verify", the Zero Trust principle addresses security concerns pertaining to remote work, cloud adoption, and bring your own devices (BYOD). Organizations need to monitor the network and verify every user trying to access the corporate resources. Zero Trust adds additional security with real-time contextual authentication where the user or entity is continuously monitored to assess risk against a benchmark (risk score). In case of an anomaly or malicious behavior, it can trigger re-authentication as necessary.
When sensitive applications and critical data are placed across systems, both on-premises and in the cloud, it is highly crucial to fragment data into micro-perimeters or micro-segments. This reduces the attack surface and protects organizational data from the risk of exposure to malware and vulnerabilities.
Cloud adoption boosts digital transformation for organizations embarking on a modernization program. It is crucial to decide which workloads move to the cloud and which stay on-premises. To ensure secure data access management, organizations must perform proper data valuation by assessing the criticality of the workload they are looking to migrate to the cloud. Exploiting workloads that contain sensitive data could wreak havoc if the organization fails to protect them during data breaches.
There are various stages of implementing the Zero Trust security model. A good place to start is enabling MFA along with strong password policies to all applications and devices. SSO ensures a seamless authentication experience by asking users to log-in with a single ID and password for multiple applications, thereby reducing the attack surface. As a best practice, a MFA-enabled VPN should be implemented to access the corporate network.
Balancing accessibility and security: Hybrid IAM best practices
- Defining the security perimeter: With data and workloads distributed between on-premises and the cloud, critical information is readily accessible to resourceful threat actors. This undefined security perimeter increases the entry points and attack surface giving hackers easy access to an organization's network. User and device identification should be in place to implement proper security and access controls.
- Using strong authentication methods: Various password attack methods are used to gain unauthorized access to user accounts. This is why it is crucial to enforce strong password policies based on recommendations from agencies, like NIST, to prevent bad actors from misusing user information and applications. An even better option is to implement a MFA policy which acts as a second line of defense if the first one is compromised.
- Utilize a centralized identity and access management system: In hybrid deployments, it is advisable to manage all user accounts and devices from a single console. This helps the IT administrators monitor their network and detect anomalies easily.
- Enforce a least-privilege principle: Least-privilege principle enforces minimal level of user rights to ensure that no application or user has unauthorized rights to business-critical resources.
- Monitor and protect hybrid environment using SIEM: To comprehensively monitor a hybrid environment, organizations must implement system information and event monitoring (SIEM) solutions that continuously log and analyze data, and identify risks pertaining to it.
Use the right tool: How ManageEngine AD360 can help build a hybrid identity management program
- Stream-lined user life cycle management: Easily provision, modify, and de-provision accounts and mailboxes for multiple users at once across AD, Exchange servers, Office 365 services, and G Suite from a single console. Use customizable user creation templates and import data from CSV to bulk provision user accounts.
- SSO and self password management for enterprises: AD360's SSO capability eliminates the need for end users to remember multiple passwords, which saves them from having to log in multiple times to different applications. AD360 enables users to securely access all their enterprise applications from a single dashboard, and provides MFA SSO for an additional layer of security.
- Securely audit AD, Office 365, and file servers: Gain insight into all changes happening in your AD, Office 365, Windows Servers, and Exchange Servers. Monitor user logon activities, changes to AD objects, and more in real time. Comply with IT compliance regulations such as SOX, HIPAA, PCI DSS, and GLBA using prepackaged reports.
- Intelligent threat alerts: Using AD360, IT admins can configure alert profiles to send customized messages to administrators when specific actions happen inside your Office 365 setup. These alerts can include information on the severity of the action that triggered the alert, who performed the action, the time it occurred, and more. This makes it easy to prioritize and act on alerts. With its user behavior analytics (UBA) capability, AD360 uses machine learning to create a baseline of typical actions specific to each user to accurately detect anomalous behavior and threats.