Download the entire new issue of InformationWeek Tech Digest, distributed in an all-digital format (free registration required).

It's early days, and you can be forgiven for believing that connecting private and public clouds using a VPN is a reasonable practice for building a hybrid cloud. You can be forgiven, but you won't be correct. In fact, you will have fallen into a common trap.

It all starts with great intentions: "We want a hybrid cloud!" Then reality hits. Standards are still in flux, and platform selection isn't easy. VMware is slugging it out with Microsoft's Azure Cloud OS, and both are worried about OpenStack, which is championed by Hewlett-Packard, IBM SoftLayer, Rackspace, and others. You figure, let's work this OS mess out first, then worry about securing it all.

Let me be clear: Building now and adding security later isn't a plan. You can't separate securing a hybrid cloud from how you structure your architecture. Securing a hybrid cloud requires tweaking long-standing foundational elements, such as risk assessments, while addressing entirely new capabilities such as cloudbursting, where a service that hits maximum internal capacity shuttles new demand to a public cloud.

In fact, a security review might well reveal that you have no business calling your cloud setup "hybrid," in the same way IT has no business calling a box of tapes in the stockroom a "disaster recovery strategy."

Among 383 respondents to InformationWeek's Hybrid Cloud Survey, 36% have implemented or are pilot-testing private clouds, with an additional 44% actively planning or considering. Of those with functional private clouds, 30% have working hybrid systems, with the ability to deploy workloads on either public or private clouds. Just 18% of them split their workloads fairly evenly.

No matter how you figure, for now, hybrid is an exclusive club.

The cloud changes everything

Security and architecture are the areas most affected by our embrace of all things cloud. That is because if you simply apply the best security and architectural practices from the on-premises world to the cloud world, you will have a suboptimal -- and potentially failed -- deployment. IT professionals are only gradually waking up to this realization, so it's still somewhat acceptable to lack cloud-specific plans. However, soon organizations that fail to understand the differences that the cloud brings will be pilloried in the same way that today we shake our heads at those that lose a laptop with tens of thousands of unencrypted customers' identities.

Connecting public and private clouds securely depends on some core concepts.

First, the idea of least user privilege is more relevant now than ever. All connections between public and private clouds should be limited and granular, as opposed to making more general network-to-network connections, even with a VPN.

One phrase -- "identity is the new perimeter" -- captures the essential elements. I make a detailed case in this InformationWeek cloud security and risk report, but in a nutshell, the traditional model of IT security follows the concepts of physical security fairly closely. We draw a perimeter around the physical bounds of an organization and assume that people within the wall should be granted access to all information and services by default, while those outside the perimeter should be kept out of everything.

Both of these assumptions are unworkable today. We've learned the hard way that individuals within the perimeter are very likely to cause security breaches, by downloading malware and falling for phishing schemes. And to take advantage of mobile devices and the cloud, we need to grant access to many people and services outside of the perimeter.

However, many, many organizations still cling to a perimeter-like security model -- they've just made an ever-broader perimeter (say, connecting clouds by VPN) while severely restricting what any user can do anywhere. Plenty of knowledge workers aren't allowed to install new software on any device; they must have IT do it by calling 1-800-WASTED TIME.

This is a losing plan for a number of reasons. Clearly, one problem is that it severely hurts the productivity of your employees and contractors. But second, you need to treat the public cloud with much more skepticism and concern than you should your own hardware, since many more third parties have access to the physical machines. That's clear from 2014 Strategic Security Survey results; "unauthorized access and defects in the technology itself" has led the cloud concerns hit parade in our survey for as long as we've asked the question. Building an ever-expanding perimeter will create no end of risk in a hybrid setup.

The solution, embraced by many leading security experts, is an island-centric view, where very thin back channels allow each "island" to verify identity and access parameters with a centralized server, but otherwise, networks and hardware stay completely separate. This is the "identity is the new perimeter" security model, and in a post-Target-breach world, it should be fairly clear that it offers the right way to go.

Read the rest of the story in the new issue of
InformationWeek Tech Digest (free registration required).