I have a hybrid cloud. Who is responsible for information security, and what new threats appear?


A hybrid cloud is formed in two cases: someone still has a fleet of iron, which still needs to be depreciated, or there are some unique servers that cannot be purchased from a cloud provider.

The most common situation is mergers and acquisitions, when you bought a competitor, and he has a bunch of old, but still good iron. And you already have a cloud approach. Or when you are so cool that you have IBM P-machines or some special storage facilities (available at television studios and medical centers). In any case, you will encounter a situation where there are security people in the cloud, there is an information security department on your side and a bunch of crutches in the middle.

According to Garnter, there is a 90% chance that the question of moving to the cloud will concern you this or next year, so you should consider cybersecurity now.

Below in the article are basic things in case it would be easier to agree with the provider on the areas of responsibility and implement the best practices for ensuring information security. Accordingly, we use the separation of areas of responsibility and practice in information security at Technoserv Cloud for customers with hybrid environments, and therefore we know what and where can go wrong.

Hybrid clouds are increasingly used

Because there are more and more such deals. From the point of view of architecture, hybrid clouds are not the best story, from the point of view of business processes it is a temporary substitute for a complete transition to the cloud, and from the point of view of information security it is more chaos and communication with contractors. But, according to Gartner, by 2020, about 90% of organizations will accept hybrid infrastructure management capabilities. This year, many dominant cloud service providers have taken steps to expand their hybrid and multi-cloud offerings, another clear sign that the market is ready and waiting for demand.

The provider protects the cloud infrastructure, on the basis of which the offered services work. This infrastructure consists of hardware and software, networks and objects, on the basis of which cloud services operate. Customer responsibility depends on the service. The table below shows a small comparison of the four service delivery models:

A small comparison of the four service models

  • PaaS – Platform as a Service – platform as a service;
  • IaaS – Infrastructure as a Service – infrastructure as a service;
  • SaaS – Software as a service – software as a service;
  • DaaS – Desktop as a Service – a workplace as a service.






· The customer of cloud services is tied to the provided platform.

· The choice of SPI is limited and lies with the cloud provider.

· Customer can customize application security features.

The customer of cloud services can use any information protection tools installed on the provided hardware platform.

· The customer of cloud services does not have the ability to choose the means and mechanisms of cloud protection.

· The choice of SPI lies with the cloud service provider.

· Customer can customize application security features.

· The choice of SPI is limited and lies with the cloud provider.

What does the customer control?

· Data, applications.

· The client should request regular security reports from their cloud service provider and provide an understanding of how this data should be protected.

· Data, applications, runtime, operating systems, virtual infrastructure (virtual machines, networks, computing resources).

· The customer must develop and regularly test incident response procedures that are based on shared responsibility between the customer and the cloud service provider.


Applications, data.

What does the service provider control?

Runtime environment, operating systems, virtualization, servers, storage systems and networks.

Virtualization environment, physical servers, hardware storage systems, physical and logical communication channels.

· Applications, data, runtime, operating systems, virtualization, servers, storage systems and networks.

Applications, data, runtime, operating systems, virtualization, servers, storage systems and networks.

The choice of this or that type of service determines the amount of work to configure security policies that the client needs to perform within their area of ​​responsibility. For example, IaaS will require most security settings and virtual infrastructure management tasks. Clients who deploy to IaaS are responsible for managing the guest operating system (including installing updates and security patches), managing applications or service components installed in the virtual infrastructure, and for configuring the firewall (security group) provided by IaaS. At PaaS, the provider manages the infrastructure level, operating system, and platform, and clients gain access to endpoints to store and retrieve data. Clients are responsible for managing their data (including encryption settings), classifying their resources, and using various tools to apply the appropriate permissions.

Likbez about 10 major threats

  1. Data breach. The risk of hacking and data security breaches is not unique to cloud computing, but it is invariably the main concern for cloud clients.
  2. The human error. According to Gartner, “until 2020, 95% of failures in cloud security will be a client error.”
  3. Data loss without backup. Yes, there are still people who do not backup. In all seriousness. An accident or attack can lead to loss of information over years of work.
  4. Insider threats. A recent Gartner research report noted that “53% of the organizations surveyed confirmed insider attacks on their organizations.” Often these are situations where an offended employee leaves the database (or part of it), or when a competitor purposefully arranges for the work of a victim of his spy.
  5. DDoS attacks. Here, the construction industry can tell a lot about the features of preparation for competitions. DDoS has long been in the digital world an analogue of the “hitting” of the 90s. This is already an argument in the negotiations, a way to show pressure or a way to “put” an objectionable site with some important information in the moment.
  6. Insecure APIs. As the public “front door” of your application, the API is likely to be the entry point for intruders. Given how many people expose their APIs (by chance after moving or thinking that they are Elusive Joe), the problem is acute. After the case of the outward API of the cash registers of a large retail chain, I am not much surprised.
  7. Exploit The multi-tenant nature of the cloud (when clients share computing resources) means that shared memory and resources can create new surfaces for attackers.
  8. Account hacking. Using stolen credentials, attackers can gain access to critical areas of cloud computing services, which compromises the privacy, integrity and availability of these services. Given that the password is unstable – this is its actual absence – a lot of systems are vulnerable.
  9. Extended persistent threats. Many advanced threat groups target cloud environments, and public cloud services are used to implement them. In Russia, these are often trivial “orders” to extract certain data or attacks on infrastructure such as ICS. But they are quite rare outside of major competitive wars.
  10. Hardware vulnerability. Attackers can use hardware vulnerabilities to view data on virtual servers hosted on the same physical hardware. This could be disastrous for cloud infrastructure.

What is changing in a hybrid environment?

Essentially nothing, the threat model is the same, only responsibility is spread between the two IS departments of the two companies – cloud and home. Hybrid environments are created as companies move from purely on-premises solutions to environments with multiple cloud computing. Local applications are saved. Any cloud security is based on a shared responsibility model where the provider is responsible for a safe and reliable infrastructure and the client is responsible for the security of their assets in the cloud.

But precisely when using hybrid clouds, the junction points of these areas of responsibility are especially visible. Deploying security controls for data transferred between cloud and on-premises systems can be quite difficult due to native APIs or tools. This can lead to deep gaps in monitoring and auditing. With a few exceptions, cloud service consumers accept this shared responsibility model and go beyond the question of whether cloud services are secure or whether they can manage and regulate systems.

Simply put, if the information security departments of the client and the supplier do not let each other into their processes, then a direct threat to the information security will be created. That is why we need a clear separation of areas of responsibility and a formal interaction procedure described in the framework of the agreement (agreement) between the service provider and the client.

Below is a table with a high-level comparison of public, private and hybrid clouds in various directions:

Comparison of public, private and hybrid clouds in different directions


Public cloud

Private cloud

Hybrid cloud


· Least secure, SZI may vary in composition and functionality.

· Managed by one legal entity.

· Multi-tenancy.

· Data transmission over the Internet.

Not suitable for storing confidential information..

· The safest.

· Managed by an organization or a third party.

· Access to resources is possible through a secure or dedicated channel.

· Data transmission over the Internet.

Applicable for storing confidential information.

Flexible environments require flexible and dynamic security — security controls at the level between public and private clouds.

Depending on the implementation, it can be both applicable and not applicable for storing confidential information.

Cloud Infrastructure Segment

Normal (open).

Closed / Protected.

Normal / Closed / Protected.




Average, usage fee.


Very high.




Public access to resources.

Support for a large number of users.

Access to cloud resources is limited.

Access can be granted only to certain users.

· Part of the cloud is owned and / or managed by another organization or third party.

· The cloud customer may not have full control over the configuration.

A shared responsibility model defines an obligation to protect infrastructure.

IB compliance

The required minimum information security requirements are being met to protect data, the protection requirements of which are the lowest.

Since the management is at the client of the cloud services, protection of any confidential information can be ensured.

Depending on the planning, some cloud environments may not meet the requirements for information security or, conversely, correspond to them, thus it is easy to distribute the load during deployment.

When using a hybrid cloud, organizations (client and supplier) should be able to independently audit and confirm compliance with a number of regulatory requirements for information security. This means that it is important to ensure data portability so that if business priorities change, the company can safely exchange or transfer data between on-premises and public cloud environments with minimal additional effort.

The rule is simple: something has changed in the process – warn another IS service.

It is important that when using a hybrid cloud, you can distribute the workload between public and private clouds in accordance with the requirements of the legislation on information security, as well as in accordance with internal requirements for information security. And this is also good practice. Here is an example of which segments the Technoserv Cloud offers:

Segment Examples

Comparison criterion

Technoserv segment Cloud

Normal (open)



Placement of systems that process information constituting a client’s trade secret.

Suitable for placement of systems for which there are no requirements for information security or minimum requirements for information security.



Placement of personal data information systems.

Up to the 3rd level of security of personal data inclusive.

Up to the 1st level of security of personal data inclusive.

Placement of state information systems.


Up to 1st class of security inclusive.

Placement of systems processing data on money transfers and / or data of bank card holders.



Compliance with the legislation of the Russian Federation.

Order of the FSTEC of Russia dated February 18, 2013 No. 21 (3rd and 4th security levels);

Payment Card Industry Data Security Standard (PCI DSS);

Regulation of the Bank of Russia dated 09.06.2012 No. 382-p;

Bank of Russia Standard (STO BR).

Order of the FSTEC of Russia dated February 11, 2013 No. 17 (up to and including the 1st security class);

Order of the FSTEC of Russia dated February 18, 2013 No. 21 (up to and including the 1st security level).

Means of protection.

At the infrastructure level.

Certified and uncertified FSTEC / FSB of Russia protective equipment.

Exclusively certified FSTEC / FSB of Russia protective equipment.

Certification /


Certificate of compliance (as a service provider) with PCI DSS requirements.

The segment infrastructure has been certified for compliance with information protection requirements for state systems up to and including the 1st security class and personal data systems with up to the 1st security level inclusive.

The Bring Your Own Encryption (BYOE) paradigm and centralized key management to ensure data security with maximum control, visibility and mobility is awesome. This gives companies the flexibility to deploy the right data protection solutions where it matters most, without transferring key control to the cloud providers.

Just in case: yes, in our usual cloud installation, you can encrypt everything and not store keys on cloud servers. This is a good practice. But even in unencrypted environments, we do not go further than the hypervisor, that is, we don’t even know if you have a licensed OS on the VM.

Bottom line: a hybrid IS cloud is similar to a normal one, but requires a very tight interaction between the two IS services, cross-audits (ideally) or something like BYOE. In any case, it is better to first discuss the nuances of protection with the cloud provider before deciding to move. If you have a question on this topic regarding our Technoserv Cloud or you want to find out where friction is possible specifically in your architecture, you can discuss this in the comments or in the mail MKoptenkov@technoserv.com.

Similar Posts

Leave a Reply