The “multi” in multi-cloud should make clear from the outset that your security plans will need an update for this modern IT paradigm. You’re no longer protecting a single environment or network, but multiple threat surfaces.
That’s not a cause for panic. Rather, it’s an impetus for incorporating new tools and tactics into your security strategy – and reinforcing some existing processes.
“With the rise of IoT, public clouds, and hybrid cloud, the typical network perimeter has been pulled, stretched, and started to fade,” says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “As more enterprises prepare to implement multi-cloud strategies, ensuring security across diverse environments is of the utmost importance.”
[ Why are more organizations using multiple cloud providers? Read also: Multi-cloud: 5 important trends. ]
As multi-cloud environments become the norm, often as part of hybrid cloud architectures that also include on-premises infrastructure, securing those environments will indeed need to be a priority. We asked Hahad and other security pros to share their best current advice for ensuring a strong posture in multi-cloud settings. Consider these eight to-do items:
1. Make multi-cloud security an upfront consideration
As multi-cloud strategies become more intentional, security needs to be an early part of this more deliberate planning. Hahad notes that moving from a single cloud to multiple clouds doesn’t come without significant operational considerations, security among them.
“For example, ensuring security across multiple environments demands consistent policy application and enforcement throughout the workloads and applications running on every cloud,” Hahad says. “When security is considered before implementing a multi-cloud strategy, potential inconsistency and interoperability problems can be avoided or tackled early.”
If that sounds like table-stakes advice, too many organizations aren’t ante-ing up. In the most recent edition of StackRox’s State of Containers and Kubernetes Security Report, for example, 34 percent of respondents said they have no container security strategy or are only in the beginning stages of developing one, even as adoption skyrockets. (Container security and multi-cloud security aren’t perfectly synonymous, but they are increasingly interrelated.)
One possible explanation, the report says, is that container adoption has outpaced investments in formulating a security strategy.
2. Map security to current and future use cases
A disconnect between your reasons for operating multiple clouds and your approaches to securing your distributed environments increases the likelihood of weak links.
“The starting point for effectively securing multi-cloud environments should always begin with understanding why [your] company has opted to use multiple clouds and what types of workloads are running on each of them,” says Wei Lien Dang, co-founder and VP of product at StackRox. “This allows security practitioners to determine what controls are warranted across each cloud and how these requirements might differ, especially in the context of the shared responsibility model.”
Moreover, the nature of multi-cloud environments means change is a given – in fact, that flexibility might have been one of the appeals for your organization. So factor that into your long-term security planning.
“Your enterprise may be launching a multi-cloud environment for specific workloads now, but what do use cases look like down the road? Will workload and application needs change?” Hahad says. “The more you can anticipate these changes and prepare, the stronger your security posture will be.”
3. Determine the right cloud service for each workload
As Red Hat chief security architect Mike Bursell points out, with any workload you deploy to a cloud service, some of the data and processes will be sensitive. So how should you decide where to place workloads, and how should you protect them once they’re there? “This question of how to find the right home for a workload is one you hear IT leaders voice over and over again,” Bursell notes.
Bursell recommends you start by considering the particular data and processes involved in the workload: For example, do you need to protect confidentiality, integrity, availability, correctness, or other factors?
“There is a spectrum of requirements, from ‘air-gapped systems in a locked room with an armed guard standing outside’ to ‘commodity public cloud.’ Options such as ‘a pool of machines which only authorized, security-checked staff may administer” stand somewhere in the middle,” Bursell says.
For more details on five factors to consider in choosing, read Bursell’s full article: How to find the right home for a hybrid cloud workload: 5 security questions.
4. Use native security controls effectively and efficiently
Do a deep dive on the embedded security controls and tools your providers offer.
Evaluate security functionality that cloud providers turn on by default or make available natively – some examples include data encryption, virtual isolation via VPCs – to provide foundational security across these environments, Dang says.
Another good example is federated identity with SAML, a tactic that enables IT teams to get out of the risky business of managing multiple identities across distributed environments.
“Most public cloud providers support SAML for identity federation, allowing for a single representation of a user account across providers,” says Michael Burch, cloud architect at NetEnrich. “Manual duplication of identities in a non-federated environment is complex and creates significant risk by requiring maintenance of multiple identities.”
As Brian Wilson, CISO at SAS, told us about the importance of identity federation when evaluating cloud platforms: “If you can’t federate with SAML, then we’re not doing business with you.”