
Maximising security and compliance within a hybrid cloud environment

Three essential due diligence questions for CIOs

Virtually every organisation now runs some form of hybrid cloud model. An estimated 96% of companies are expected to use public cloud services in 2025, typically for solutions such as Microsoft 365 and Sage Intacct, alongside a mix of legacy on-premises technology and private cloud for core applications such as ERP and finance.

While many CIOs will admit that their current IT infrastructure has evolved by accident rather than design, not least because of the pandemic and the need to support remote staff, far too many companies have yet to address the significant compliance, security and operational risks that come with an unplanned hybrid cloud.

James Bedford, Technical Director, CPiO, highlights the growing recognition that working with a hybrid cloud partner to bring the entire infrastructure together under one umbrella is key to creating a consistent approach to data and security that reduces operational risk and enables future innovation.

Introduction

For the majority of UK businesses, the IT infrastructure has changed beyond recognition over the past decade, with cloud-based applications becoming the standard. In addition to the core business benefits, software vendors have accelerated their cloud-first strategies in recent years, offering easier, more frequent upgrades and faster access to innovation.

For the vast majority of companies however, the process has been reactive rather than strategic, leading to a fragmented, piecemeal IT environment. The demands of the pandemic led to a significant increase in the use of multiple cloud platforms to run business operations with staff working from home. Between 2020 and 2022, the average number of clouds that an organisation relied on spiked from 1.3 to 2.2 public clouds, an increase of 69%.

While the shift to the cloud has facilitated essential business change, the piecemeal approach has created significant challenges. Companies have multiple different vendor relationships. They have diverse data stores and, in many cases, they are not 100% confident in which country the data is located. Security is inconsistent. Critically, they have handed over responsibility to multiple third parties without understanding exactly what they will receive in return.

From security risk to client compliance, fraud to litigation, poorly managed hybrid cloud models are adding significant operational risk and cost. So, what are the key questions a CIO must ask to regain control?

Question 1: Is the business indemnity insurance still valid?

Companies are at different stages in their cloud evolution. In addition to juggling a mix of public and private cloud with legacy on-premises deployments, many are also looking to gain innovation, cost savings or competitive advantage by adding dedicated apps for functions such as Direct Debits, payroll, MarTech or employee expenses.

Adding any cloud technology has an immediate impact on cyber insurance. Insurers now routinely make Multi-Factor Authentication (MFA) on email, remote access and cloud administration a condition of cover, and a claim arising from an account that lacked it can be declined or the policy voided. A business that moves data into the cloud, private or public, without that extra layer of security is therefore exposed on two fronts: the breach itself, and the absence of help, support and, crucially, financial recompense when it happens.

The insurers’ insistence on this extra layer is understandable given the number of public cloud account compromises in recent years. The spate of compromised Microsoft 365 mailboxes, for example, has wreaked havoc for many companies: attackers impersonating staff have sent customers demands for invoice payment to new bank details and changed employees’ salary payment details. The costs are not only financial; the impact on business reputation and employee morale is also far reaching. Furthermore, if personal data is compromised, the business is at risk of breaching UK GDPR and the Data Protection Act 2018, which means notifying the Information Commissioner’s Office within 72 hours of becoming aware of the breach and exposure to significant fines.

MFA not only satisfies the conditions insurers attach to their policies but also stops well over 90% of this sort of account-takeover fraud. Not every cloud provider enables it by default, however, and the strength of what is offered varies. Some providers, such as Sage, offer basic email- or text-based codes as an add-on, and those one-time codes can themselves be phished or intercepted, so an authenticator app or, better, a phishing-resistant method such as a FIDO2 security key or passkey should be preferred wherever the application supports it. For any organisation operating a hybrid cloud model, the goal is a consistent approach to MFA across all deployments rather than a different mechanism per application. Working with a dedicated hybrid cloud partner such as CPiO allows the entire IT estate, from Microsoft 365 to ERP, payroll to banking, to be wrapped into a single managed desktop, with MFA applied once at the point of access to all applications.
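As an added illustration of what "consistent MFA" looks like when it is checked rather than assumed (this is example code written for this article, not CPiO's or Microsoft's own tooling), the following PowerShell audits which Microsoft 365 users are actually registered for MFA, flags those relying only on SMS or voice codes, and stages a single tenant-wide Conditional Access policy that requires MFA for every cloud application. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds the reporting and Conditional Access administrator roles; the emergency-access group id is a placeholder to be replaced.

```powershell
# Added example (not CPiO's or Microsoft's code): audit MFA registration across a
# Microsoft 365 tenant and stage one Conditional Access policy requiring MFA everywhere.
# Assumes the Microsoft.Graph PowerShell SDK and an account with reporting and
# Conditional Access administrator rights.

# Least-privilege delegated scopes for the two tasks below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All",
                        "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Who is not actually registered for MFA?  The registration report is the
#    authoritative view; a licence entitlement says nothing about whether a user enrolled.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa   = @($details | Where-Object { -not $_.IsMfaRegistered })
$noMfa |
    Select-Object UserPrincipalName, IsAdmin, DefaultMfaMethod,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation
"{0} of {1} users have no MFA method registered" -f $noMfa.Count, @($details).Count

# 2. Weak-factor check: SMS and voice codes are phishable and SIM-swappable.  Flag users
#    whose only registered methods are phone-based (method names as reported by Graph).
$phoneOnly = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
$details |
    Where-Object {
        $_.IsMfaRegistered -and
        -not ($_.MethodsRegistered | Where-Object { $_ -notin $phoneOnly })
    } |
    Select-Object UserPrincipalName, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } }

# 3. One tenant-wide policy instead of per-app toggles.  Created in report-only mode so
#    the sign-in logs show who would have been blocked; change State to "enabled" only
#    after confirming the emergency-access (break-glass) group is excluded.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your break-glass group
$policy = @{
    displayName = "Require MFA for all users on all cloud apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run the policy in report-only mode first and review the sign-in logs for what would have been blocked; enforcing it without excluded emergency-access accounts can lock administrators out. Note that applications which do not authenticate through Entra ID, the standalone SaaS and on-premises systems this article is about, are untouched by this policy, which is exactly the gap a single managed access layer is meant to close.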

Creating a consistent approach to security across an entire hybrid cloud infrastructure is becoming increasingly essential. To move away from point solutions and consolidate the security model, CPiO advises investment in the networking and security capabilities grouped under Secure Access Service Edge (SASE), which can be used to lock down multi-cloud platforms, private cloud, on-premises systems and cloud applications alike. SASE converges SD-WAN with the Security Service Edge (SSE) functions, Zero Trust Network Access (ZTNA), secure web gateway, cloud access security broker and firewall-as-a-service, into a single cloud-delivered service, so that the same identity-based access policy is enforced whether a user is reaching an on-premises server or a SaaS application. Using a SASE platform such as Cato Networks reduces the risks of a fragmented infrastructure while enabling secure, anytime, anywhere access to applications on premises and in the cloud.

In addition, Microsoft Entra application proxy provides secure remote access to on-premises web applications without opening inbound firewall ports: a lightweight connector installed on the internal network makes outbound connections to the Entra service, and every external request is pre-authenticated by Entra ID, so the tenant’s Conditional Access and MFA policies apply before a request ever reaches the application. It requires a Microsoft Entra ID P1 or P2 licence, included in some Microsoft 365 plans or purchased as a cost-effective add-on, and provides remote access and single sign-on to Remote Desktop, SharePoint, Teams, Tableau, Qlik and line-of-business (LOB) applications.

Question 2: Can the business respond to client compliance expectations?

In recent years, companies worldwide have placed increasing demands on business partners to demonstrate their level of data security and compliance as a core part of contract negotiation. Businesses need to show how securely they handle and store data so that clients and prospects can share their own data with confidence, without fear of a security breach or of non-compliance with regulatory demands.

Running to 50 pages or more, these complex compliance questionnaires demand information ranging from the frequency of data audits to the cyber security model and the processes used to collect, retain and delete personal data. For a company that has created a piecemeal hybrid cloud infrastructure, answering these in-depth questions can be almost impossible.

‘Where is the data located?’ is a standard question, but if the company is using one or more SaaS solutions in the public cloud, is it possible to answer with confidence? And with most businesses juggling multiple public and private clouds as well as on-premises systems, responding is time-consuming and resource intensive. Yet failure to respond quickly and meet client or prospect expectations will compromise the business relationship and may even lose the business entirely.

No SaaS supplier is going to be interested in filling in the blanks. So where can a business turn for support? Again, this is where a hybrid cloud partner can play a key role. As a single managed services provider delivering the entire hybrid cloud solution, from managing public cloud relationships to hosting private clouds and overseeing on premise equipment, CPiO has complete oversight of the infrastructure and can work with the company to respond to compliance requests with confidence.

Question 3: Is the business ready to respond to litigation?

Understanding data storage, accessibility and security is not just about meeting client or prospect compliance demands. Any business operating a hybrid cloud model should also be asking whether the current set-up meets its own compliance requirements. From the location of backup data to the accessibility of old records or deleted emails from previous employees, far too many businesses have simply assumed ‘the cloud’ means data is always there, forever. It isn’t.

This issue is becoming increasingly important with the rise in litigation, especially following data breaches. With the adoption of Artificial Intelligence also expected to increase intellectual property disputes, companies urgently need to consider their ability to respond. Can the business resurface deleted emails or access archived material to establish its legal position? If the data is in a public cloud, the answer is typically no. In Microsoft 365, for example, an email that has been deleted and then purged from the Deleted Items folder sits in the mailbox’s Recoverable Items folder for a limited window, 14 days by default and at most 30, and once that window expires it is gone, unless a retention policy or litigation hold was already in place or the business has implemented a separate Microsoft 365 backup solution. None of that is part of the standard Service Level Agreement (SLA); retention and hold settings are configuration the customer is responsible for.
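To make the purge window concrete (an added example, not CPiO’s or Microsoft’s code), the following Exchange Online PowerShell lists each mailbox’s Recoverable Items retention window and whether any hold applies, raises the window to the 30-day maximum where it is shorter, lists soft-deleted mailboxes of leavers that are still within their own 30-day window, and shows which Purview retention policies cover Exchange. It assumes the ExchangeOnlineManagement module is installed and the account holds the Exchange Administrator and Compliance Administrator roles.

```powershell
# Added example (not CPiO's or Microsoft's code): how long will Exchange Online actually
# keep a purged email, and does any hold override that window?
# Assumes the ExchangeOnlineManagement module and Exchange/Compliance Administrator roles.

Connect-ExchangeOnline

# Per-mailbox window for the Recoverable Items folder: 14 days by default, 30 at most.
# A litigation hold or a retention policy keeps items past it; with neither, a purge is final.
$mailboxes = Get-Mailbox -ResultSize Unlimited |
    Select-Object UserPrincipalName, RetainDeletedItemsFor, LitigationHoldEnabled, InPlaceHolds

# Org-wide Purview retention policies are not listed on the mailbox object; they appear here.
$orgHolds = @((Get-OrganizationConfig).InPlaceHolds)
"Organisation-wide holds in force: {0}" -f $orgHolds.Count

# Mailboxes exposed to the failure mode described above: short window and no hold of any kind.
$exposed = @($mailboxes | Where-Object {
    ([TimeSpan]"$($_.RetainDeletedItemsFor)").Days -lt 30 -and
    -not $_.LitigationHoldEnabled -and
    @($_.InPlaceHolds).Count -eq 0 -and
    $orgHolds.Count -eq 0
})
$exposed | Format-Table UserPrincipalName, RetainDeletedItemsFor, LitigationHoldEnabled -AutoSize

# Raise the window to the 30-day maximum for those mailboxes.  Cheap, but still not a backup.
$exposed | ForEach-Object {
    Set-Mailbox -Identity $_.UserPrincipalName -RetainDeletedItemsFor 30
}

# Leavers: a mailbox whose account was deleted is itself soft-deleted and purged after
# 30 days unless it was on hold (which turns it into an inactive mailbox).  List the ones
# still recoverable, with the date the clock started.
Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited |
    Select-Object DisplayName, WhenSoftDeleted, LitigationHoldEnabled |
    Sort-Object WhenSoftDeleted

# Tenant-wide retention policies that apply to Exchange (Security & Compliance endpoint).
Connect-IPPSSession
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.ExchangeLocation } |
    Select-Object Name, Enabled, Mode, DistributionStatus, ExchangeLocation
```

Thirty days of Recoverable Items is still neither a backup nor an archive: if litigation may arise years later, a retention policy or litigation hold, or a third-party backup, is what keeps the data, and the first check above tells you which mailboxes currently have none of those.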

Public cloud SLAs cover availability of the service and access to current data. They typically say nothing about archive and backup, access to historic data or, critically, deleted data. Attempting to recreate and rebuild essential evidence across a hybrid cloud will be, at best, painstaking and, at worst, utterly impossible. The business may be in the right but without the data there will be no proof.

Which is why when CPiO works with a customer, either as part of the full CPiO cloud or hybrid solution, there is an upfront focus on back-up requirements and options, as well as archiving and data security. With these systems in place across the entire hybrid model, the data is always retrievable, allowing a business to quickly determine its position as and when a threat of litigation arises.

Conclusion

As organisations’ reliance upon the cloud increases, there is growing recognition of the need to move beyond piecemeal deployments and regain control. Managed services provider (MSP) usage has increased year on year, with 60% of organisations now using an MSP in some capacity to manage public cloud. Working with a single hybrid cloud provider addresses the major challenges created by piecemeal cloud strategies: it removes the need to manage multiple vendor relationships and provides clarity and consistency in data storage and security models. Hybrid cloud is the future and the foundation for essential innovation and competitive differentiation, but current deployments are not meeting operational compliance requirements. It is vital to wrest back control and create a single, managed hybrid cloud solution that delivers a consistent approach to data management and security.
