How is hybrid cloud security different from multi-cloud or single cloud security?
Hybrid cloud offers marked benefits for enterprises, but there are key security considerations that separate this approach from its public and multi-cloud counterparts
Hybrid cloud has surged in popularity in recent years amidst a widespread enterprise shift toward incorporating both public and private storage capabilities.
During the early days of the global cloud shift, public cloud reigned supreme. But increasingly, hybrid and multi-cloud approaches have gained traction among enterprises globally.
Multi-cloud, for example, which includes organizations using a combination of two or more cloud service providers, has also been gaining traction. Research from OVHCloud found nearly two-thirds (64%) of enterprises expect their use of this approach to increase in the next two years.
Meanwhile, Cisco’s 2022 Global Hybrid Cloud Trends report found that 82% of IT leaders had adopted a hybrid cloud approach. This method has a number of key advantages, not least of all flexibility, enabling organizations to host workloads both in the cloud and on-prem depending on their individual business needs.
There’s more to hybrid cloud than just flexibility, however. Analysis from 451 Research notes that enterprises adopting a hybrid approach can also unlock cost benefits and heightened operational resilience.
“More enterprises are finding that a hybrid environment - one that uses on-premises resources in coordination with public cloud services - offers the best of both worlds,” it said.
Notably, hybrid cloud can enable organizations to reduce risk by running certain applications on private infrastructure, rather than in the public cloud. In regulated industries, in particular, enterprises may seek to air gap applications or workloads, or to maintain data residency and compliance.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The 2024 ISG Provider Lens Private/Hybrid Cloud – Data Center Services report, for example, found that hybrid cloud adoption is being driven by heightened security and compliance risk concerns among enterprises.
Cisco’s Global Hybrid Cloud Trends report also specifically highlighted these considerations as key contributory factors to the appeal of hybrid cloud.
“One factor in the maturing of cloud operations is managing risk by being selective about where workloads and data are placed,” the report states.
“Hybrid environments can give security teams options that allow them to balance placement, putting some workloads in public clouds while keeping others on-prem, or using different regions for data residency requirements.”
Air-gapping, in particular, has come to the fore since the emergence of generative AI in late 2022. Employing a hybrid cloud approach has become a key tactic for organizations adopting the technology, allowing them to experiment and tinker with applications in public cloud environments, and thereafter bringing them on-prem to bolster security and safety.
But while hybrid cloud does offer marked benefits, it does pose unique cybersecurity challenges for enterprise IT leaders.
Increased complexity
Cloud security in a broader sense has become a major focus for enterprises globally in recent years, with research showing a significant rise in the volume of attacks targeting cloud environments.
Thales’ 2024 Cloud Security report found nearly half (44%) of organizations have experienced a cloud data breach, and 14% reported a breach in the year between June 2023 and June 2024 alone.
Practitioner sentiment on cloud-related security threats is also growing, according to the ISC2 2024 Cloud Security Report.
The majority (96%) of respondents expressed “significant concerns” over security within the public cloud specifically, marking an increase from 95% in the year prior.
With the public cloud, security teams typically contend with a single, uniform environment. Multi-cloud and hybrid cloud approaches, however, which include environments spanning multiple cloud providers - or a combination of on-prem and off-prem workloads and applications - add a degree of complexity that many enterprises aren’t prepared for.
Managing security across disparate or siloed environments poses serious challenges about data governance, compliance, and identity management in particular.
Research from the Cloud Security Alliance (CSA), for example, specifically highlighted identity and credential management as a key risk for hybrid cloud operators.
“The lack of a decentralized and unified identity management solution may cause account information inconsistency between clouds, resulting in discontinuous log audits and failures to trace resource misuse.”
Similar research from Expel in January 2024 found two-in-five cloud infrastructure incidents were directly attributed to compromised credentials.
With this in mind, the CSA recommends organizations adopt a “unified identity strategy” to ensure that cloud identities do not exist in disparate directories or systems.
This should be underpinned by robust multi-factor authentication (MFA) practices for privileged accounts, the CSA noted, while automated monitoring tools for cloud accounts.
Misconfiguration is also a leading concern for security teams operating in a hybrid cloud environment, research shows. Managing multiple environments can increase the likelihood of errors, thereby creating the potential for additional vulnerabilities. Analysis from Thales, for example, highlighted cloud misconfigurations as the leading cause of breaches for organizations last year.
The complexity of hybrid cloud environments is further exacerbated by a distinct lack of visibility for security teams, with one-quarter of organizations unable to identify the root cause or source of a breach, according to research from Gigamon.
Again, this combination of on-prem and off-prem environments can create a clouded picture for security teams responding to threats. Gigamon’s research noted that one-third of respondents cited blind spots as one of their top concerns.
Organizations pursuing a hybrid cloud approach are increasingly turning to zero trust practices to bolster security capabilities and improve visibility within cloud and on-prem environments, research shows.
Skills deficits are hampering hybrid cloud security capabilities
The global cybersecurity skills shortage has become ubiquitous across the global technology landscape. ISC2’s 2023 Global Workforce Study found the workforce gap has reached a record high, with four million security professionals needed to fill this gap.
When it comes to cloud security skills the situation is equally dire, according to ISC2. Around 93% of respondents to ISC2’s 2023 Cloud Security Report said they were “moderately to extremely concerned” about a growing cloud-related skills deficit.
This issue isn’t limited to hybrid cloud, however, with organizations operating in a public and multi-cloud approach also contending with skills shortages.
What separates hybrid cloud though again lies with the inherent complexity of this approach. Managing security across multiple environments requires a wide range of skills, and a lack of expertise in one - or more - of these domains could potentially increase exposure.
“Embracing a hybrid or multi-cloud strategy requires a robust framework for managing complexity, ensuring data protection across environments, and a broader skill within security teams,” the report notes.
“The security skills shortage not only impacts the ability to defend against cyber threats effectively but also constrains organizations’ capacity to innovate and leverage cloud technologies fully.”
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.