Sep 18 2023

State and Local Agencies Can Adopt a Layered Approach to Hybrid Cloud Security

CrowdStrike recommends implementing physical, technical and administrative controls.

State and local governments began moving workloads to the cloud years ago, but the pace accelerated during to the pandemic. While more than 40 percent of city and county IT executives have now moved on-premises infrastructure to private clouds, and the same percentage has moved to public clouds, an overwhelming 89 percent of state CIOs say that a hybrid cloud system is their desired technical operating environment.

In the hybrid cloud scenario, applications run in a combination of private and public cloud environments, on-premises data centers and edge locations. The benefits of reducing cost, minimizing risk and easily extending existing capabilities can be outweighed by the risks. The unprecedented amount of sensitive data held by state and local governments allows citizens to access services yet creates a prime target for hackers. To ensure security in a hybrid cloud environment, agencies must shore up defenses sufficiently to face any emerging threat.

Security in the hybrid cloud can be challenging, because every element of the infrastructure has its own complex set of security tools and procedures yet each needs to transmit data securely. CrowdStrike has shared insights into how best to secure the hybrid cloud, outlining three components to hybrid cloud security along with specific nuances and recommendations specifically for the state and local government arena.

Click the banner to learn if your cloud environment is meeting your agency’s needs.

Having the Right Controls for Your Cloud Environment

Hybrid clouds span one or more public cloud environments as well as private cloud hardware. Physical security is the responsibility of the public cloud provider, while for private clouds, it is the agency’s responsibility.

For private clouds, agencies should perform a thorough review of network topology to spot any weaknesses; use segmentation; and employ physical controls such as biometrics, locks and other mechanisms to keep employee access to a bare minimum. For public clouds, each provider should be asked to describe the steps taken to isolate the most crucial infrastructure. Service-level agreements should spell out how a zero-trust approach is being implemented, with strong authentication, authorization and step-up mechanisms if fraudulent access is suspected.

EXPLORE: How state and local governments are addressing threats with zero trust.

A Look at Technical Controls for the Cloud

Technical controls typically fall into three categories: networking, encryption and authentication. State and local governments should expand the focus from authentication to identity and access management, supported by continuous monitoring.

Networking controls govern the way in which various cloud services communicate and transmit data. Direct network connections are optimal, but not always available; in that case, many state and local governments rely on virtual private networks as a fallback, to ensure secure connections among various components.

Encryption is the primary method used to keep data safe, both at rest and in transit. Make sure agency security policies address encryption at every level of the infrastructure to protect confidential records, social security numbers, financial information and other sensitive data. For data at rest, use full-disk encryption; for data in transit, look to network session encryption and incorporate backups transmitted to other data centers or third-party sites. Some public cloud vendors provide encryption services that can be used across the hybrid environment.

Hybrid Cloud Sidebar


Identity and access management can help when dealing with the challenges posed by a hybrid cloud environment. Workloads and services need to communicate across diverse locations, authenticating via credentials. When not protected adequately, credentials can leak or be stolen, leading to data breaches.

IAM best practices require careful management of credentials and certificates, rotating them regularly. Consider a unified, hybrid-aware IAM solution such as ForgeRock that can eliminate the problems associated with multiple identity stores and duplicate identities. This type of approach allows administrators to not only monitor and manage credentials but also identify and monitor high-risk access across public and private clouds.

Continuous monitoring can uncover vulnerabilities and abnormal behavior, but it is challenging in a hybrid environment that includes physical servers, virtual machines and containers. Continuous monitoring best practices entail scanning container images for vulnerabilities and deploying only those that are secure. Perform continuous auditing to check for compliance and changes that undermine security. Look to technologies such as the Broadcom AIOps monitoring tool for a bird’s-eye view of the entire hybrid environment. Such a tool can provide meaningful insights, spot anomalous behavior and even explore root causes in the event of a security incident.

LEARN MORE: How Backup as a Service boosts data protection.

Why You Need Administrative Controls for Proper Recovery

Disaster preparedness is key to maintaining a functioning, secure and accessible hybrid cloud environment. This involves assessing risks and implementing a disaster recovery plan.

Administrative controls best practices require understanding the value of a thorough disaster preparedness plan and familiarity with the recommendations on disaster recovery planning for state and local governments. Test and practice the plan so each member of the team is ready to hit the ground running when needed. The plan should include the multiple backups of databases, files and code that are necessary for security, but should also note that these increase the attack surface dramatically.

The hybrid cloud brings countless benefits to state and local governments, yet security issues can become extraordinarily complex. To protect the wealth of sensitive, confidential government information, agencies should expand security measures beyond the basics to address the unique challenges of managing such crucial information across multiple cloud environments.

Getty Images: pressureUA (pattern), CasarsaGuru (woman), gorodenkoff (couple), Wavebreakmedia (sitting figure)

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.