Security

Hybrid Cloud Security Challenges and How AI Can Help

Governance tools, automation and, increasingly, agentic AI can help standardize security policies across IT environments.

Nathan Eddy

Nathan Eddy works as an independent filmmaker and journalist based in Berlin, specializing in architecture, business technology and healthcare IT. He is a graduate of Northwestern University’s Medill School of Journalism.

Security fragmentation remains a significant challenge for departments managing hybrid cloud environments because their agencies often own independent on-premises and cloud infrastructure.

Failure to align this infrastructure results in inconsistent security policies, visibility gaps and access management issues.

These silos introduce vulnerabilities that cybercriminals can exploit, making it critical for agencies to adopt a comprehensive hybrid multicloud security strategy.

An effective strategy involves unified governance, interoperability, automation and emerging technologies including agentic artificial intelligence.

Click the banner below to begin developing a comprehensive cyber resilience strategy.

x-cyberresillience4-static-2024-na-desktop

x-cyberresillience4-static-2024-na-mobile

Security Fragmentation Poses Numerous Risks to Federal Systems

Agencies must balance security across diverse cloud providers while maintaining legacy on-premises systems, leading to operational inefficiencies and gaps in oversight. Managing these environments separately often results in conflicting security configurations.

“As soon as you leave your on-prem environment, you’re outside your firewall boundary and relying on third-party cloud providers,” says Dan Fallon, director for the intelligence community at Nutanix. “Each cloud provider has its own security policies, making it challenging to maintain a consistent security posture across multiple platforms.”

Agencies also frequently struggle to unify security tools across environments.

“Agencies are dealing with a patchwork of tools, and security teams are essentially forced to become integrators,” says Alice Fakir, senior partner for federal cybersecurity services at IBM. “This approach creates blind spots, where agencies may not even realize vulnerabilities exist until they are exploited.”

Such security gaps make federal systems more susceptible to attacks, particularly as agencies continue adopting cloud-first strategies without fully considering interoperability and governance.

MORE FROM FEDTECH: What Is FICAM?

Visibility and Access Challenges in Hybrid Multicloud Environments

Visibility issues further complicate security management, limiting an agency’s ability to detect and respond to threats.

“On-prem, you can see everything down to the hardware,” Fallon says. “But when you move to public cloud, you’re relying on the cloud provider’s compliance reports.”

While the Federal Risk and Authorization Management Program certification provides some assurances, agencies still don’t have deep visibility into the underlying cloud infrastructure, he says.

“If security teams don’t have a clear view across their entire infrastructure, it’s nearly impossible to maintain compliance and protect sensitive data,” Fakir says.

Without a unified security framework, agencies struggle to enforce consistent access controls across cloud and on-prem environments.

AI-powered automation can detect security drift, ensuring configurations remain secure over time.”

Dan Fallon Director for the Intelligence Community, Nutanix

“Identity is the first pillar of zero trust,” Fallon says. “Yet, many agencies still use multiple identity management solutions, which complicates authentication and access policies.”

Additionally, agencies’ identity and access management systems are often outdated and ineffective.

“Traditional access controls from on-prem environments don’t translate easily to the cloud,” Fakir says. “Agencies need to move toward more dynamic, AI-driven identity management that continuously validates user roles and access privileges.”

Stronger authentication measures are becoming standard practice.

“We’re seeing increased adoption of multifactor authentication for privileged accounts, which is critical because admin credentials are a prime target for attackers,” Fallon says. “MFA is now a necessity, not an option.”

DISCOVER: Is end-to-end encryption a defense against APTs such as Salt Typhoon?

Strategies for Unifying Security Operations

Agencies must take a centralized approach to security operations to mitigate fragmentation by integrating automation and governance tools to standardize policies across environments.

“Automation allows you to build once and deploy security controls across multiple cloud environments,” Fallon says. “This ensures security configurations remain consistent and reduces human errors that lead to vulnerabilities.”

Organizational structures must also evolve to better align with hybrid cloud realities.

“A lot of agencies have separate teams managing on-prem infrastructure and cloud environments,” Fallon says. “The more silos you create, the higher the risk of human error.”

On-prem and cloud teams must either unify or learn to work together, he says.

LEARN MORE: The Navy is improving its real-time threat analysis.

Using AI-Driven Security Analytics to Secure Multicloud Environments

AI-driven security analytics will play an increasingly important role in protecting multicloud environments, according to both experts. The capability has the potential to help agencies make sense of large volumes of security data, identifying risks before they become full-blown breaches.

“We’re seeing AI play a key role in sifting through massive amounts of security data, identifying anomalies and reducing the burden on security analysts,” Fallon says. “AI-powered automation can detect security drift, ensuring configurations remain secure over time.”

A more advanced form of the technology, agentic AI, continuously evaluates security policies and suggests improvements in real time. Agentic AI identifies relationships between users, data and access controls, allowing agencies to monitor environments dynamically and enforce compliance with both the National Institute of Standards and Technology’s Cybersecurity Framework and the federal zero-trust strategy.

“Instead of waiting for a compliance audit to uncover issues, AI can proactively identify security weaknesses,” Fallon says. “This helps agencies stay ahead of evolving threats rather than reacting to them after the fact.”

Marco VDM/Getty Images