Multi-cloud: 8 tactics for stronger security


How can you plan for strong security while using multiple cloud services? Experts share advice on planning, portability, tools, and other key multi-cloud security considerations


5. Augment with third-party tools for consistency

Consistency across environments is fundamental, security pros say, especially as your systems grow and change. This may require third-party tools so that you’re not playing Whac-a-Mole in the cloud.

“Where available controls differ, organizations should look to third-party security solutions to achieve consistency in implementation, policies, and processes across multi-cloud environments,” Dang says. “Look for these solutions to provide automation and programmability to make multi-cloud security scalable and to minimize operational complexity.”

6. Factor in portability between environments

Here’s a good example of connecting your use cases to your security tactics. If portability and flexibility are among your key reasons for running multiple clouds, you’ll want to bake that into your security strategy. This is also another example of the importance of consistency.


“Another critical aspect [of multi-cloud security] is that multi-cloud means that an organization will want to be able to move workloads between clouds, and when that happens, not be required to reconfigure the entire security toolset,” says Amir Jerbi, co-founder and CTO at Aqua Security. “One factor to consider is that cloud-provider-specific settings should be made as generic as possible so they are easy to ‘translate’ between clouds – for example, role-based access control (RBAC) policies.”

Jerbi also points out that this is another utility of containers in multi-cloud settings, from both a portability and a security standpoint.

“Another approach is to place security controls as close as possible to the workloads – for example, organizations running containers can implement security controls around container image scanning, trusted image policies, and runtime protection measures that are completely cloud-agnostic.”
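A trusted-image policy of the kind described above can be written once and evaluated against pod specs from any cluster, whichever cloud hosts it. The following is an added example, not code from the article or from any vendor quoted in it; the registry name, digests, cluster labels and pod specs are constructed for illustration.

```python
import re

# Assumption: the organization publishes approved images to a single registry.
TRUSTED_REGISTRIES = {"registry.example.com"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # The first path component is a registry host only if it looks like one;
    # otherwise the reference implicitly points at Docker Hub.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    repo, colon, tag = path.rpartition(":")
    if not colon:
        repo, tag = path, ""
    return registry, repo, tag, digest

def image_violations(ref):
    """Policy: image must come from a trusted registry and be digest-pinned."""
    registry, _repo, _tag, digest = parse_image(ref)
    problems = []
    if registry not in TRUSTED_REGISTRIES:
        problems.append(f"untrusted registry {registry}")
    if not DIGEST_RE.match(digest):
        problems.append("not pinned by sha256 digest")
    return problems

def check_pod(pod):
    """Return {container_name: [violations]} across every container kind."""
    findings = {}
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod.get("spec", {}).get(kind, []):
            problems = image_violations(c.get("image", ""))
            if problems:
                findings[c.get("name", "?")] = problems
    return findings

GOOD = "registry.example.com/payments/api@sha256:" + "a" * 64  # constructed digest
PODS = {  # constructed pod specs, one per cluster
    "cluster-a": {"spec": {"containers": [{"name": "api", "image": GOOD}]}},
    "cluster-b": {"spec": {"containers": [
        {"name": "api", "image": "registry.example.com/payments/api:1.4"}]}},
    "cluster-c": {"spec": {"initContainers": [{"name": "init", "image": "busybox"}],
                           "containers": [{"name": "api", "image": GOOD}]}},
}

def audit(pods):
    return {cluster: check_pod(pod) for cluster, pod in pods.items()}
```

Init and ephemeral containers are checked along with regular ones because an image policy that inspects only `containers` leaves the other two lists unreviewed.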

7. Consider orchestration as a security tool

When a team starts deploying containers in production, orchestration is probably not far behind. While container and Kubernetes security is a hot topic unto itself, Kubernetes and other orchestration tools can also serve to enable and enforce consistency across environments, Dang notes.

“Companies should also consider how platforms such as Kubernetes further multi-cloud security by providing a single, extensible architecture that applications can run on, making it easier to implement a single set of security controls for key parts of their infrastructure,” Dang says.


Red Hat security strategist Kirsten Newcomer advises a ten-layer approach to container security. This includes both the container stack layers (such as the container host and registries) and container lifecycle issues (such as API management). You can learn more from Newcomer about the ten layers of container security in this podcast or this whitepaper.

8. Don’t take shortcuts in your security audits

It may be tempting for some teams or individuals to place a little too much trust in their cloud providers: Moving workloads out to a public cloud, for example, doesn’t mean you’re offloading all of the responsibility for the security of those workloads.

Yes, reputable providers invest heavily in the security of their platforms, but that doesn’t mean you shouldn’t be checking up on them.

Burch from NetEnrich is a proponent of regularly scheduled audits as a security best practice, for example, and says your cloud environments shouldn’t be exceptions in that process: “If you aren’t already performing scheduled audits, you should be – and you should include all of your cloud environments.” 
