Snyder says companies looking to build hybrid clouds should demand from their service providers proof of two-factor authentication for all server management purposes.
And they should demand that all of the security parameters of the hybrid deployment be manageable from the same pane of glass, says Kevin Jackson, vice president and general manager of NJVC, an IT consultancy catering to highly secure government clients. Jackson contends that unified management is going to be even more necessary as customers evolve to use multiple cloud service providers in the future. He suggests that customers look to cloud service brokerages to provide those management links.
Every practitioner interviewed for this story said that employing encryption in a hybrid cloud is a no-brainer decision for data both at rest and in motion. But one of the major issues with encryption in a hybrid situation is where to hold the key, since data and access to data can be spread across both places, and routine security practice dictates that you don't store the keys where the data resides.
Segal McCambridge, a Chicago-based law firm, opted to maintain its own keys and store the data for its hybrid applications on Nasuni's cloud-based storage offering.
The firm's CTO, Matt Donehoo, explains that all of his firm's litigation files stored electronically must be managed in a way that guarantees absolute defensibility in a court of law; anything else would render them inadmissible. By design, the Nasuni storage controller installed at Segal McCambridge's site fully encrypts any data or metadata that leaves a customer's office and keeps that data encrypted both on the wire and at rest in the Nasuni cloud.
The customer controls the keys to the encrypted data, by design. From there it's up to the enterprise to pick whether to employ a key management product on premises or use a third-party key management service.
The two depths of security that come into play for virtualized networks -- whether private, public, or public and private -- address virtual machine security.
"Sometimes the enterprise security team doesn't have a say in how virtual machines get spun up within a provider's cloud. But they should, because that is a fundamental point of security in the cloud. You want to push to make sure your security policy travels with your virtual image no matter where it is running," says Rand Wacker, vice president of products for CloudPassage, a cloud server security vendor.