TODAY’S THREAT LANDSCAPE CAN BE A CHALLENGE FOR ENTERPRISES. In the first half of 2018 alone, 47 new cryptocurrency-mining malware families and 118 new ransomware families were seen. Threats are also diversifying into infrastructures that are critical to enterprises, from web servers and application development platforms to mobile devices. In 2017, for instance, the Erebus Linux ransomware hit a South Korean web development company and affected 153 Linux servers and more than 3,400 businesses. The impact: over US$1 million in losses as well as damaged reputation and a costly remediation process. Indeed, Amazon EC2 workloads require a security strategy that can navigate today’s evolving and ever-increasing threats. For customer’s security teams, exposure to vulnerabilities and threats translates to adverse impact to their organizations’ bottom lines. The impact is exacerbated when stacked up with stringent compliance requirements, such as the implementation of privacy by design as mandated by the European Union (EU) General Data Protection and Regulation (GDPR). For enterprises already adopting DevOps, an unsecure or vulnerable application or software can mean wasted resources, as they have to constantly rework and rebuild them to meet security and compliance requirements. Integrating security early into the development life cycle significantly reduces disruptions while helping IT and DevOps teams address security gaps or misconfigurations faster. What’s Needed? Defense-in-depth security capabilities are needed and must have visibility across the application or software’s life cycle — from pre-deployment to runtime. For example, security mechanisms such as intrusion detection and prevention systems (IDS/IPS) and firewalls help thwart network-based threats and exploits, while application control deters anomalous executables and scripts from running. In fact, it’s projected that by 2022, application control will be employed in 60 percent of server workloads. For DevOps teams, baking in security into the development life cycle means security as code. This can be achieved through scalable application programming interfaces (APIs) and scripts designed with security from the first build in order to minimize superfluous work. 3 | Addressing Security Challenges in Hybrid Cloud Environments SILOED SECURITY CAN CREATE UNNECESSARY COMPLEXITIES AND BOTTLENECKS. It’s projected that by 2020, more than 90 percent of enterprises will be employing a multi-cloud strategy (i.e., using multiple cloud services) for their workloads. And despite the increasing popularity of containers (e.g., Docker) in application development, organizations still use other virtualization technologies and computing platforms, like on-premises or physical software and servers, virtual machines, and even serverless infrastructures. Many enterprises actually still use a combination of traditional and cloud-based services for their operations — from networking and storage and data centers to software. Surveyed organizations in 2018, for instance, used an average of 16 software-as-a-service (SaaS) applications in the workplace. Developers must consider the various environments where the applications they create are deployed. The hybrid environment itself exemplifies the best of both worlds: using and orchestrating private and public cloud environments to host or run Amazon EC2 workloads. Indeed, a challenge for many organizations is incorporating security across these multiple computing platforms. IT teams have to juggle different and incompatible security tools, which unnecessarily create convolution in their management. This unwanted complexity can also mean higher overhead in that it can slow down incident response, as siloed and disparate platforms will drive security teams to manually monitor each of them. This, in turn, creates bottlenecks in incident and compliance reporting. From a DevOps perspective, siloed teams (and tools) create blind spots, as security may tend to be neglected (such as overlooking vulnerabilities in the code) as they rush to deploy applications faster. 4 | Addressing Security Challenges in Hybrid Cloud Environments