Multi-cloud security: 7 issues to watch

Using multiple cloud providers is not riskier than using one: Each arrangement has its pros and cons. Prioritize these security areas in the multi-cloud environment
600 readers like this.
CIO Cloud 1

Many organizations grapple with security worries as they consider whether and how to take hybrid cloud deployments - running applications in the cloud and on-premises - to the next level. This is moving to  multi-cloud deployments, where applications are deployed on not just one cloud provider (and optionally on-premises), but across multiple cloud providers. Although this multi-cloud model might seem to bring extra complexity, there are real benefits: These include the ability to control costs by scheduling workloads based on geography and time, reducing risk by having a more heterogeneous computing base, and avoiding lock-in to a particular vendor.

It’s important to note, however, that moving to a multi-cloud deployment strategy is not inherently more or less secure than a single-cloud strategy: There are benefits and disadvantages to each. A number of issues bear careful consideration with multi-cloud deployments. Let’s examine some of the top candidates.

[ How do containers help manage risk? Get the related Red Hat whitepaper: Ten Layers of Container Security. ]

Multi-cloud security areas to prioritize

1. Authentication and authorization

Find a framework that can support the different models adopted by the various cloud providers, but is preferably decoupled from any one particular one.

Ensuring that the correct users, administrators, auditors and system components have appropriate access to the various parts of your applications can become more complex in a multi-cloud environment. First, it is important to find a framework that can support the different models adopted by the various cloud providers, but is preferably decoupled from any one particular one. There is no guarantee that cloud provider A’s solution will scale and work across cloud provider B or cloud provider C as your needs grow in the future, even if it currently seems to be a good fit for your application.

Different application components may also move around through the lifecycle of the application, and being able to apply policies based on the application’s need, rather than on just where it happens to be running at a particular time, means that you are designing to your requirements, rather than the expectations of any particular cloud provider’s infrastructure.

[ Why are more organizations using multiple cloud providers? Read also: Multi-cloud: 5 important trends. ]

2. Workload freshness

Workloads need to use the most recent version of any dependent libraries, middleware, or executables.

Whether you are running bare-metal workloads, virtual machines (VMs), containers or serverless, you need to ensure that your workloads are “fresh.” In other words, that they are using the most recent version of any dependent libraries, middleware, or executables available. For some workloads, this will mean upgrading or patching in place, for others restarting the workload with the latest image, and for others again, checking and reloading recent dependencies.

Why is this different in a multi-cloud environment? Well, in a multi-cloud deployment, the vulnerabilities and mitigations available from each cloud provider will be different. While this provides for a more heterogeneous environment, reducing some of the risks of a widespread infrastructure-dependent attack, you need to take more responsibility for ensuring that your applications are protected against various levels and freshness of possible infrastructure vulnerability.

3. Application hardening

What APIs are exposed? What controls do you have on them?

Beyond patching and upgrading, you need to ensure that your applications are hardened against attacks, and resilient to compromises. For an application with components across multiple clouds, or for deployments with applications talking to each other across multiple clouds, keeping track of these vulnerabilities just becomes more complex than before, when your environment was fairly static.

Knowing what APIs are exposed, what controls you have on them, and what mitigations you can apply if they come under attack are all areas that need careful management.

4. Monitoring

Monitoring is one of the more obvious areas where multi-cloud makes a difference. Whereas you may previously have relied on the tools from a particular cloud provider, or made do with a solution which was aimed solely at your on-premises deployment, any monitoring now needs to be fully aware of the scope of your deployment. Also, preferably it will have the ability to supplement and integrate with whatever tools are available across your broader environment.

Ensuring that you have a consistent and up-to-date view of data is vital, as if one set of data is mismatched or out-of-date, you will find that your ability to address attacks as they come in, or to perform forensic analysis on them at a later date, is reduced.

Mike Bursell joined Red Hat in August 2016, following previous roles at Intel and Citrix working on security, virtualisation, and networking. After training in software engineering, he specialised in distributed systems and security, and has worked in architecture and technical strategy for the past few years.