I have written many times about hybrid cloud security, but there’s a fundamental security requirement that happens as you access the hybrid cloud. In our previous back to basics article we wrote about the need for situational awareness. We’re going to expand on that topic some more. The real success to hybrid cloud security is understanding how the users access the hybrid cloud: where they access it from, why they access it, and what is accessed or used. From a security standpoint, it starts with one organizational item: people.
The secure hybrid cloud, as depicted in Figure 1, has only one entry point. That entry point is into what I call the transition stack of the hybrid cloud. This stack has many components and can live in many different environments (cloud, data center, mobile, etc.) Where it lives is not all that important to the user at the other end of the entry point. The what is important, however, as in “What I can access?” as is “How easy is it to access?” and “Why do I need to access it?” as well as “Where is it accessible?”
The entry point is a desktop, smartphone, tablet, or laptop used from home or work, or from a car, train, plane, coffee shop, etc.
This entry point isn’t controlled by IT in many cases, but is the responsibility of the person using the device. As part of IT security, we need to educate our colleagues and users about self-protection by phrasing security awareness in terms they understand. This is crucial. Overuse of jargon, with terms like “hack,” “malware,” and “virus” means our message becomes gobbledygook. If we asked ten people on the street how to protect their computers from from malware, we know we’d get blank stares from most, or an answer of “someone else does that for me.” Both answers are incorrect.
The correct answer should be “I do,” and an acknowledgement that IT contributes as well. It’s the answer we’d like to see, but it’s not the answer we get. However, if we asked ten people how to protect themselves from a raging fire, they could tell us. Therefore, we need to use terms they understand. Let’s go back to basics and educate the user in safety; we’re going to include device safety as a part of that. Here are some points to emphasize:
- Look around before logging in. That login could be to your bank: do you want your funds stolen? This approach will translate into people looking around when they log in to most things and moving to a more secure location to perform the login or minimally turning the screen.
- Use a VPN, protected environment, or well-known machine to access your bank accounts. If you do not protect your money, no one else will. This will make using the corporate VPN and protected environments more palatable. Even go so far as to help them set up these environments by using VPN to a home virtual machine running Bromium or a sandboxed browser.
- Double check what you write on social media sites before you press enter. This is a crucial one, as it could cost people their jobs or friends, or perhaps ruin a long-running relationship. Would you want your children to be on the wrong end of cyberbullying? This translates into IT very well, as employees are the ones who keep the reputation of the company high. Remind them that this is part of their job and that they shouldn’t post denigrating remarks about competition, suppliers, or customers.
Couching items in and around family security will aid IT security. Going so far as to assist employees in setting up proper environments for home use (whether virtual or physical), which builds good will, educates them.
With the entry point into the cloud in user hands, we also have to educate about proper device usage. Teach them to not loan devices to others without proper safeguards. Would you loan your device to another if you did not require a fingerprint to access mobile payment services such as Apple Pay? Perhaps you would, but then others could use that to pay for a service while you weren’t looking. Adding a fingerprint is a way to protect your money. If you are willing to use a fingerprint to protect your money, then it is not too far a leap to use fingerprints to protect other data.
This implies that we need to find the easiest way possible to enhance security on our devices without overly disturbing usability. If the security makes a device unusable or painful to use, that security measure won’t be used. However, if we employ the same technology people use daily, then the additional security no longer seems draconian or even difficult: just more of the same.
We as IT need to rethink how we look at security and how to train the people who use devices in the field. They, and their devices, are the entry point to the secure hybrid cloud. There are layers of security within a secure hybrid cloud, but it all starts with the user and what they wish to do within that hybrid cloud. Are they going to the cloud? Or are they going to the data center? Are they using the device to access something that could infect the device and therefore compromise the data? We need to consider all of those possibilities.
Train the people, improve layers of security, but most important, consider the device the entry to the cloud. Find out what your users are actually doing with those devices. You can combine tools such as Skyhigh Networks, Imperva Skyfence, or Elastica with WiFi Pineapples to force users onto your network so you can track their behavior and fine tune your awareness programs.
Security really becomes effective when the employees are behind it. Use real-world examples tied to the family to build a training program.