Agility, collaboration, and accountability are essential to an innovative culture, but they must work in balance. Here’s how to make that happen
Multi-cloud: 8 tactics for stronger security
How can you plan for strong security while using multiple cloud services? Experts share advice on planning, portability, tools, and other key multi-cloud security considerations
5. Augment with third-party tools for consistency
Consistency across environments is fundamental, security pros say, especially as your systems grow and change. This may require third-party tools so that you’re not playing Whac-a-Mole in the cloud.
“Where available controls differ, organizations should look to third-party security solutions to achieve consistency in implementation, policies, and processes across multi-cloud environments,” Dang says. “Look for these solutions to provide automation and programmability to make multi-cloud security scalable and to minimize operational complexity.”
6. Factor in portability between environments
Here’s a good example of connecting your use cases to your security tactics. If portability and flexibility are among your key reasons for running multiple clouds, you’ll want to bake that into your security strategy. This is also another example of the importance of consistency.
“Another critical aspect [of multi-cloud security] is that multi-cloud means that an organization will want to be able to move workloads between clouds, and when that happens, not be required to reconfigure the entire security toolset,” says Amir Jerbi, co-founder and CTO at Aqua Security. “One factor to consider is that cloud-provider-specific settings should be made as generic as possible so they are easy to ‘translate’ between clouds – for example, role-based access control (RBAC) policies.”
Jerbi also points out that this is another utility of containers in multi-cloud settings, from both a portability and a security standpoint.
“Another approach is to place security controls as close as possible to the workloads – for example, organizations running containers can implement security controls around container image scanning, trusted image policies, and runtime protection measures that are completely cloud-agnostic.”
7. Consider orchestration as a security tool
When a team starts deploying containers in production, orchestration is probably not far behind. While container and Kubernetes security is a hot topic unto itself, Kubernetes and other orchestration tools can function as a tool that enables and enforces consistency across environments, Dang notes.
“Companies should also consider how platforms such as Kubernetes further multi-cloud security by providing a single, extensible architecture that applications can run on, making it easier to implement a single set of security controls for key parts of their infrastructure,” Dang says.
[ How fast is Kubernetes gaining popularity? Check out Kubernetes by the numbers: 13 compelling stats. ]
Red Hat security strategist Kirsten Newcomer advises a ten-layer approach to container security. This includes both the container stack layers (such as the container host and registries) and container lifecycle issues (such as API management). You can learn more from Newcomer about the ten layers of container security in this podcast or this whitepaper.
8. Don’t take shortcuts in your security audits
It may be tempting for some teams or individuals to place a little too much trust in their cloud providers: Moving workloads out to a public cloud, for example, doesn’t mean you’re offloading all of the responsibility for the security of those workloads.
Yes, reputable providers invest heavily in the security of their platforms, but that doesn’t mean you should be checking up on them.
Burch from NetEnrich is a proponent of regularly scheduled audits as a security best practice, for example, and says your cloud environments shouldn’t be exceptions in that process: “If you aren’t already performing scheduled audits, you should be – and you should include all of your cloud environments.”
[ Learn the do’s and don’ts of cloud migration: Get the free eBook, Hybrid Cloud for Dummies. ]