Multi-cloud: 8 tactics for stronger security


How can you plan for strong security while using multiple cloud services? Experts share advice on planning, portability, tools, and other key multi-cloud security considerations


August 05, 2019

5. Augment with third-party tools for consistency

Consistency across environments is fundamental, security pros say, especially as your systems grow and change. This may require third-party tools so that you’re not playing Whac-a-Mole in the cloud.

“Where available controls differ, organizations should look to third-party security solutions to achieve consistency in implementation, policies, and processes across multi-cloud environments,” Dang says. “Look for these solutions to provide automation and programmability to make multi-cloud security scalable and to minimize operational complexity.”

6. Factor in portability between environments

Here’s a good example of connecting your use cases to your security tactics. If portability and flexibility are among your key reasons for running multiple clouds, you’ll want to bake that into your security strategy. This is also another example of the importance of consistency.


“Another critical aspect [of multi-cloud security] is that multi-cloud means that an organization will want to be able to move workloads between clouds, and when that happens, not be required to reconfigure the entire security toolset,” says Amir Jerbi, co-founder and CTO at Aqua Security. “One factor to consider is that cloud-provider-specific settings should be made as generic as possible so they are easy to ‘translate’ between clouds – for example, role-based access control (RBAC) policies.”

Jerbi also points out that this is another utility of containers in multi-cloud settings, from both a portability and a security standpoint.

“Another approach is to place security controls as close as possible to the workloads – for example, organizations running containers can implement security controls around container image scanning, trusted image policies, and runtime protection measures that are completely cloud-agnostic.”

7. Consider orchestration as a security tool

When a team starts deploying containers in production, orchestration is probably not far behind. While container and Kubernetes security is a hot topic unto itself, Kubernetes and other orchestration tools can also enable and enforce consistency across environments, Dang notes.

“Companies should also consider how platforms such as Kubernetes further multi-cloud security by providing a single, extensible architecture that applications can run on, making it easier to implement a single set of security controls for key parts of their infrastructure,” Dang says.
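To make the cloud-agnostic "trusted image policy" from tactic 6 and the "single set of security controls" from tactic 7 concrete, here is an added example (not from the article or any vendor quoted in it) of one policy function evaluated against a Kubernetes Pod spec, whichever cloud hosts the cluster. The registry name, pods and digest are constructed, and the returned decision is a simplified stand-in for an admission response.

```python
import re

# Assumption: a hypothetical private registry; the trailing slash stops
# look-alike hosts such as registry.example.internal.attacker.test/ matching.
TRUSTED_REGISTRIES = ("registry.example.internal/",)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def iter_images(pod):
    """Yield (container name, image) for every container kind in a Pod."""
    spec = pod.get("spec", {})
    # Init and ephemeral containers run code too, so the policy covers them.
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(key) or []:
            yield container.get("name", "?"), container.get("image", "")

def violations(pod):
    """Return the reasons this Pod breaks the trusted-image policy."""
    found = []
    for name, image in iter_images(pod):
        if not image.startswith(TRUSTED_REGISTRIES):
            found.append(f"{name}: image not from a trusted registry")
        if not DIGEST_RE.search(image):
            found.append(f"{name}: image not pinned by sha256 digest")
    return found

def review(pod):
    """Simplified allow/deny decision with a human-readable message."""
    reasons = violations(pod)
    return {"allowed": not reasons, "message": "; ".join(reasons)}

# Constructed sample pods: the same manifests could be sent to any cluster.
DIGEST = "sha256:" + "ab" * 32
POD_OK = {"spec": {"containers": [
    {"name": "web", "image": f"registry.example.internal/shop/web@{DIGEST}"}]}}
POD_BAD = {"spec": {
    "initContainers": [
        {"name": "init", "image": "docker.io/library/busybox:latest"}],
    "containers": [
        {"name": "web", "image": f"registry.example.internal/shop/web@{DIGEST}"}]}}

if __name__ == "__main__":
    for label, pod in (("ok", POD_OK), ("bad", POD_BAD)):
        print(label, review(pod))
```

Because the check reads only the Pod spec, nothing in it has to be reconfigured when a workload moves between providers.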


Red Hat security strategist Kirsten Newcomer advises a ten-layer approach to container security. This includes both the container stack layers (such as the container host and registries) and container lifecycle issues (such as API management). You can learn more from Newcomer about the ten layers of container security in this podcast or this whitepaper.

8. Don’t take shortcuts in your security audits

It may be tempting for some teams or individuals to place a little too much trust in their cloud providers: Moving workloads out to a public cloud, for example, doesn’t mean you’re offloading all of the responsibility for the security of those workloads.

Yes, reputable providers invest heavily in the security of their platforms, but that doesn’t mean you shouldn’t be checking up on them.

Burch from NetEnrich is a proponent of regularly scheduled audits as a security best practice, for example, and says your cloud environments shouldn’t be exceptions in that process: “If you aren’t already performing scheduled audits, you should be – and you should include all of your cloud environments.” 

