How Azure Enables Data Security in Hybrid Cloud Deployments

Data security is at the top of the mind of every organization, and possibly even more so for those that have adopted a hybrid cloud architecture as their first step in their digital transformation journey. Azure is just one of the options that can be used for the cloud component of such deployments, and it offers a number of security capabilities to overcome hybrid cloud management security challenges

In this blog we will explore the different security challenges associated with hybrid cloud deployment and the different tools and services available in Azure that help address them, including deployment with the help of NetApp Cloud Volumes ONTAP.

Use the links below to jump down to the sections on:

The Rise of Hybrid

It’s clear why hybrid cloud usage is growing. It offers many different paths to adoption:

  • The logical first step

Hybrid architectures often make it simpler for organizations to make a less risky, slow and steady transition to the cloud, if a fully cloud-native deployment is their end goal.

  • The middle way

In some cases, hybrid deployment will be the preferred mode of operation in the long run as some sensitive data and services are required to be deployed on-premises due to reasons such as data residency or compliance.

  • Cloud bursting

Hybridity is also commonly used when organizations need to leverage the scale of the cloud on the fly by cloud bursting during peak hours.

These myriad reasons have contributed to the steady growth of hybrid cloud adoption. Hybrid cloud trend statistics confirm this—Flexera’s state of the cloud report claims that as much as 80% of organizations already have a hybrid cloud strategy in place.

But does that mean the data is safe?

With the increased adoption of hybrid cloud deployment comes the paradigm shift for data security. Unlike architectures based completely on-premises, where you have access to and full visibility over the tech stack, hybrid cloud deployments add the complexity of abstracted components managed by the cloud service provider. The security perimeter now also extends to the cloud. These are all major concerns for organizations adopting the hybrid cloud model.

What can users do to address these data security concerns? Security strategies that work in fully cloud native or fully on-premises deployments will not work well in hybrid environments. Hybrid cloud data security calls for specialized tools, specialized services, and strategies tailored specifically for the challenges associated with operating in two environments at once.

What Makes Hybrid Cloud Security Challenging?

What are some of the challenges faced by organizations in a hybrid cloud environment?

Visibility: When there are multiple environments to be managed, visibility into the overall security posture of your IT landscape is challenging. Operations teams often have to switch between multiple tools and consoles to manage security of their hybrid workloads. These additional tools mean additional overheads and more points of failure.

Lateral attack vectors: Hybrid cloud architectures can lead to attacks originating in the cloud to traverse to on-premises systems and vice versa. Customers should have tools that help them investigate and isolate infiltrations across all of the environments in use in order to address this challenge.

Compliance management: While strictly on-premises deployments give full control of the infrastructure and the application stack, deploying some operations in the cloud will abstract most of these aspects. Adhering to compliance standards can require regular risk assessments, audits, and governance measures to be implemented both by the customer and the cloud service provider.

Data transmission: As some components of an application can reside on-premises while other parts of the components exist in the cloud, data needs to be mobile all the time. This data needs to be securely transmitted across boundaries and over potentially insecure networks.

Data estate security: With hybrid cloud deployments, the entire data estate security will be dependent on the available security measures of the cloud services or on-premises devices that store the data. This could imply juggling many security standards and protocols for various data sets.

Hybrid Cloud Security in Azure

How can you meet data security challenges if the cloud component of your Azure hybrid cloud architecture?

As one of the leading cloud providers, Azure has a number of products and services designed to meet the security needs of hybrid cloud deployments. Azure Sentinel, Microsoft Defender for Cloud, Azure Stack, and secure hybrid cloud connectivity encryption are just a few of the tools Azure has available to help users with hybrid deployment security. Let’s take a look at some of the features that these services have to offer.

Microsoft Sentinel

Microsoft Sentinel provides visibility into the state of security across different platforms through cloud-native SIEM and SOAR services. It helps collect and correlate security data from hybrid cloud components to deliver a single solution for detecting infiltration, threat hunting, and tracking.

Microsoft Sentinel supports data ingestion from end user devices, infrastructure and applications deployed on-premises, and in the cloud. It also has built-in connectors available for a number of Microsoft as well as non-Microsoft solutions. This unified approach helps users quickly detect and mitigate lateral threat movement, which is one of the major security challenges with hybrid cloud deployment.

Microsoft Sentinel is powered by AI-enabled threat detection that can detect attack patterns at scale. The built-in SOAR capabilities will help automate responses to security incidents. You can create workflows integrating it with tools like ServiceNow, Jira, Zendesk, Teams, Slack, and more to create organization-specific workflows.

Microsoft Sentinel uses advanced machine learning to correlate security incidents and network behavior to detect anomalies. Many of these correlation capabilities are available out of the box or can be used by customers to create their own custom rules for threat detection. Additionally, Microsoft Sentinel can also integrate with Microsoft 365 Defender (formerly Microsoft Threat Detection) to deliver XDR capabilities under the hood of the same service.

Microsoft Defender for Cloud

Microsoft Defender for Cloud (formerly known as Azure Security Center) helps with cloud security posture management (CSPM) and threat detection of workloads deployed on Azure, on-premises, and in other cloud platforms.

Microsoft Defender for Cloud offers a single-pane-of-glass view into the status of security and unifies the security and threat management process. It continuously assesses the state of security and provides a security score that quantifies your security posture against defined Azure benchmarks. Customers can use available templates to measure compliance against regulations such as NIST or Azure CIS or define custom benchmarks templates aligned with your organization’s security strategy.

Workloads deployed in Azure are automatically onboarded to Microsoft Defender for Cloud for security posture management. These capabilities can also be extended to hybrid resources through deployment of log analytics agents. Another option to on-board non-Azure machines is through Azure Arc, the hybrid and multicloud management solution from Azure. Once onboarded, the resources are continuously analyzed for vulnerabilities through built-in security scanners and analyzed against Microsoft threat intelligence information to protect from emerging threats. Customers can also create prioritized alerts targeting different environments.

Azure Stack

The Azure Stack portfolio of products helps to extend the Azure ecosystem to on-premises and edge deployments. It consists of components including Azure Stack Hub and Azure Stack HCI, which helps customers implement Azure Resource Manager-based capabilities in a cloud-like, self-service model to on-premises.

Azure Stack Hub is built using the same technologies as Azure and delivers IaaS and PaaS services on-premises and in hybrid deployments. Azure Stack HCI on the other hand is delivered as a hyper-converged hardware solution custom built to connect to Azure for use cases such as Azure backup, Azure DR, and containerization.

Azure Stack Hub is built on an “assume threat” approach that focuses on reducing the blast radius of attacks. It comes baked in with all of Azure’s standard security features for protecting infrastructure. Data at rest is protected through BitLocker encryption and encrypted communication is enabled to protect data in transit. All certificates used for the Azure stack operations are encrypted using 4096-bit RSA keys. Azure Stack uses Windows Defender Application Control (WDAC) to prevent execution of unauthorized code. Additionally, it enforces security measures such as secure boot and antimalware for workloads and underlying infrastructure.

Hybrid Connectivity Encryption

The most commonly used hybrid connectivity options for on-prem to Azure are VPN and Azure ExpressRoute. An Azure VPN connection creates a secure communication channel between customer environment and Azure virtual networks. This channel is encrypted using IPsec/IKEv1 and supports a wide range of cryptographic algorithms including AES 256/192/128, DES, and DES3, to name a few. Customers choose to configure these based on their organizational security requirements.

Azure ExpressRoute provides private connectivity from on-premises networks to Azure data centers so that the traffic does not traverse the internet. The data is encrypted at the MAC or network layer using MACsec standards. It helps encrypt the physical links between network devices on-premises and Azure data centers. The keys used for this encryption can be stored securely using Azure Key Vault.

Hybrid Deployment Data Security with Cloud Volumes ONTAP

Users who are looking to deploy a hybrid cloud architecture have another option to help protect their data: NetApp Cloud Volumes ONTAP.

Cloud Volumes ONTAP provides enterprise-class data management features in Azure built on NetApp’s trusted technologies. In addition to delivering cost-reducing storage efficiency and enhanced ROI, it also provides a unified data management solution for your distributed data estate across hybrid and multicloud architectures.

Cloud Volumes ONTAP helps address the hybrid cloud data protection and security challenges:

  • NetApp Snapshot™ copiesare efficiently created and stored backups.
  • Disaster recovery processes allow data to be restored quickly, with automatic failover and failback.
  • All data is encrypted by default to ensure security of data at rest.
  • Through SnapLock®, users can protect against ransomware by creating immutable write-once/read-many (WORM) storage in the cloud.
  • Vscan antivirus technology protects the data in Cloud Volumes ONTAP storage from infiltration and attacks.
  • Cloud Volumes ONTAP deployed in Azure integrates well with native security controls like NSG to prevent unauthorized access.
  • Cloud Data Sense allows you to gain a single-pane visibility and data governance capabilities across all environments, regardless of vendor.
  • Ransomware Protection offers a range of cyberstorage capabilities to help increase your security posture to protect against and recover from ransomware attacks.

Read more about enterprise security features of Cloud Volumes ONTAP to learn how it can boost your hybrid cloud security.

New call-to-action

Yifat Perry, Product Marketing Lead

Product Marketing Lead