Securing Multiple Public Clouds
Companies large and small deployed in single cloud environments with on-prem components are beginning to realize the importance of multicloud and its possible configurations. Part of this realization is due to the lack of controls, people and processes required to adequately maintain, scale and properly secure their single cloud environments.
For companies in this situation, immediate action is needed to move away from single cloud environments to a more secure, multicloud posture that can defeat modern threats. In particular, companies should consider how adopting a multiple public cloud arrangement can strengthen their security posture.
Baking security into cloud strategy
Many organizations begin their cloud journey by engaging one of the major cloud service providers like Microsoft Azure, Amazon Web Services (AWS) or Google Cloud Platform (GCP). But as more workloads become established in the cloud, many large organizations are coming to the conclusion that a single-cloud model has many potential limitations relating to downtime, security and privacy over an extended attack surface.
The initial adoption of the single public cloud, and the recent emphasis on multiple public clouds, has unlocked transformative operational practices for organizations of all shapes and sizes as workloads migrate from centralized data centers to any number of cloud environments.
Organizations looking to take full advantage of the unlimited scale and flexibility of cloud will want to ensure security is their number one consideration. This is accomplished by maintaining and evolving corporate security processes and procedures as cloud is increasingly adopted across industries.
When an organization moves to an environment with multiple public clouds, almost everything changes, including security strategy. This is especially true for organizations that had been relying on cloud-native controls and traditional network platforms.
Another question to ask is where the security perimeter exists in a multiple public cloud strategy. While the industry has shown us that security has evolved beyond the typical castle-and-moat strategy, multicloud deployments reveal numerous perimeters to consider across a larger cloud fabric and attack surface.
Does the perimeter still matter?
The idea of the perimeter must change when we're talking about multicloud environments. When workloads are distributed across the enterprise data center and one or more public cloud instances, the concept must expand from the traditional on-premises mindset to include the cloud.
Deploying secure routing at the cloud gateway is one way to ensure this objective. But the key to managing this transition well goes beyond merely deploying firewall capabilities in the cloud. If resources are to be fungible, security policy needs to be uniformly applied regardless of where the workload resides.
For example, Microsoft Azure offers more traditional, priority-numbered firewall rulesets with its Network Security Groups (NSG). AWS, on the other hand, offers simple stateful Security Groups (SG) in addition to stateless, single-direction network access control lists (NACL) that filter traffic between subnets and instance workloads. While these tools accomplish broadly the same function, each is managed differently and requires trained personnel and tooling.
Simultaneously, network risk profiles can vary from one cloud environment to another. Every organization will want to adopt automation and orchestration platforms capable of setting security policy across the array of infrastructure that can exist within multicloud architectures.
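To make the NSG/SG/NACL difference concrete, here is an added example (not WWT's code, and not a call to any vendor SDK; the dict layouts are simplified stand-ins for the real Azure and AWS rule formats) that renders one cloud-neutral inbound allow-list into all three shapes. Azure NSG rules carry an explicit priority, AWS Security Groups are stateful and unordered, and AWS NACLs are stateless and numbered, so the return path on the ephemeral port range must be opened explicitly or allowed connections silently hang. The `intents_match` check at the end is the kind of cross-cloud consistency test an orchestration pipeline would run before applying policy; the sample rules are constructed for the example.

```python
"""Render one cloud-neutral inbound allow-list into Azure NSG and AWS SG/NACL shapes.

Added example, not WWT's code and not a vendor SDK call: the dict layouts are
simplified stand-ins for the real Azure and AWS rule formats.
"""
import json
from dataclasses import dataclass
from typing import List

EPHEMERAL = (1024, 65535)             # client-side ports that replies travel back to
IP_PROTO = {"tcp": "6", "udp": "17"}  # NACL entries use IANA protocol numbers


@dataclass(frozen=True)
class Rule:
    """Cloud-neutral intent: which source CIDR may reach which port."""
    name: str
    source_cidr: str
    port: int
    protocol: str = "tcp"


def to_azure_nsg(rules: List[Rule]) -> list:
    """Azure NSG: stateful; rules are evaluated by priority (lower number wins),
    followed by the platform's implicit DenyAllInbound."""
    out = []
    for i, r in enumerate(rules):
        out.append({
            "name": r.name,
            "priority": 100 + 10 * i,   # gaps leave room for later insertions
            "direction": "Inbound",
            "access": "Allow",
            "protocol": r.protocol.capitalize(),
            "sourceAddressPrefix": r.source_cidr,
            "destinationPortRange": str(r.port),
        })
    return out


def to_aws_sg(rules: List[Rule]) -> list:
    """AWS Security Group: stateful, allow-only, unordered; implicit deny.
    Replies to an allowed inbound connection are permitted automatically."""
    return [{
        "IpProtocol": r.protocol, "FromPort": r.port, "ToPort": r.port,
        "IpRanges": [{"CidrIp": r.source_cidr, "Description": r.name}],
    } for r in rules]


def to_aws_nacl(rules: List[Rule]) -> list:
    """AWS NACL: stateless and numbered, one direction per entry. Without an
    outbound entry for the ephemeral range, an allowed inbound connection
    would open and then hang, because its replies are dropped."""
    entries, number = [], 100
    for r in rules:
        entries.append({"RuleNumber": number, "Egress": False, "RuleAction": "allow",
                        "Protocol": IP_PROTO[r.protocol], "CidrBlock": r.source_cidr,
                        "PortRange": {"From": r.port, "To": r.port}})
        number += 10
    # One return-traffic entry per (client range, protocol) pair.
    for cidr, proto in sorted({(r.source_cidr, r.protocol) for r in rules}):
        entries.append({"RuleNumber": number, "Egress": True, "RuleAction": "allow",
                        "Protocol": IP_PROTO[proto], "CidrBlock": cidr,
                        "PortRange": {"From": EPHEMERAL[0], "To": EPHEMERAL[1]}})
        number += 10
    return entries   # AWS appends the unremovable final deny (rule *) itself


def intents_match(rules: List[Rule], nsg: list, sg: list, nacl: list) -> bool:
    """Cross-cloud drift check: the set of (source, port) pairs admitted inbound
    must be identical in every rendering, whatever the native format."""
    want = {(r.source_cidr, r.port) for r in rules}
    got_nsg = {(e["sourceAddressPrefix"], int(e["destinationPortRange"]))
               for e in nsg if e["direction"] == "Inbound" and e["access"] == "Allow"}
    got_sg = {(ip["CidrIp"], e["FromPort"]) for e in sg for ip in e["IpRanges"]}
    got_nacl = {(e["CidrBlock"], e["PortRange"]["From"])
                for e in nacl if not e["Egress"] and e["RuleAction"] == "allow"}
    return want == got_nsg == got_sg == got_nacl


# Constructed sample policy: HTTPS from the corporate range, SSH only from a bastion subnet.
SAMPLE = [Rule("allow-https", "10.0.0.0/8", 443),
          Rule("allow-ssh-bastion", "10.1.2.0/24", 22)]

if __name__ == "__main__":
    renderings = {"azure_nsg": to_azure_nsg(SAMPLE), "aws_sg": to_aws_sg(SAMPLE),
                  "aws_nacl": to_aws_nacl(SAMPLE)}
    print(json.dumps(renderings, indent=2))
    print("consistent:", intents_match(SAMPLE, *renderings.values()))
```

Running the module prints the three renderings and `consistent: True`; removing a rule from one rendering makes the drift check fail, which is exactly the signal a unified pipeline needs before it pushes policy to each cloud.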
To segment or not?
As we continue to develop security strategy around the use of multiple public clouds, we can't limit our focus to an expanded perimeter. The dynamic nature of cloud-native workloads shifts the focal point of multicloud security to segmentation and micro-segmentation; the ability to isolate applications, tenants and devices should be a design requirement for every mitigation and security strategy.
In the context of cloud, there are three additional challenges we should pay attention to:
- The first challenge is granularity, because taking the right action at the right time is important. In the case of security, the right action is reasonably straightforward to identify from options like block, redirect, log and so on. The tough part is identifying which components to target and take action against. That means segmentation needs to be enforceable on a link, port, virtual machine, container or cloud instance. If the segmentation solution is too broad, the cure may be worse than the disease. On the flip side, if the solution is too narrow, the threat may well remain because the affected component was incorrectly identified.
- Operations are another challenge in a multiple public cloud environment. What should deployment processes look like for each cloud? Ideally, a single deployment model is created for all infrastructure using a unified pipeline and toolset. This can be particularly challenging to implement, however, as not all controls between clouds function the same or work with the same rulesets across cloud environments. The key is utilizing a common orchestration platform that hooks into a diverse underlying infrastructure, thereby granting visibility and control across the entire end-to-end environment.
- Most importantly, your entire security approach needs to be implemented across a heterogeneous environment. Diverse environments are typically serviced by multi-vendor solutions, and security teams should consider multi-vendor as a necessity in the initial planning stages of moving into a multiple public cloud environment.
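The granularity point above (a block that is too broad isolates healthy workloads; one that is too narrow misses the threat) can be checked before a rule is applied. The following is an added example, not WWT's or any vendor's code: the workloads, the incident and the three selector scopes (subnet CIDR, VM, container label) are a constructed model of how an orchestration layer might address components, and real platforms expose such selectors under their own names. `quarantine_impact` compares what a candidate block rule actually isolates with what the responder intended, and `flow_allowed` shows ordered, default-deny evaluation of the same policies against a flow.

```python
"""Segmentation granularity: what a quarantine rule catches at each scope.

Added example, not WWT's or any vendor's code; fleet, incident and selector
scopes are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    vm: str                    # hosting virtual machine
    labels: FrozenSet[str]     # container/application labels, "key=value"


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                  # "allow" or "block"
    scope: str                   # "cidr" | "vm" | "label"
    value: str
    port: Optional[int] = None   # None means any port


def selects(p: Policy, w: Workload, port: Optional[int] = None) -> bool:
    """Does the policy's selector cover this workload (and port, if given)?"""
    if p.port is not None and port is not None and p.port != port:
        return False
    if p.scope == "cidr":
        return ipaddress.ip_address(w.ip) in ipaddress.ip_network(p.value)
    if p.scope == "vm":
        return w.vm == p.value
    if p.scope == "label":
        return p.value in w.labels
    raise ValueError(f"unknown scope {p.scope!r}")


def flow_allowed(policies: List[Policy], dst: Workload, port: int) -> bool:
    """Ordered evaluation: the first policy selecting the destination decides;
    nothing matching means default deny."""
    for p in policies:
        if selects(p, dst, port):
            return p.action == "allow"
    return False


def quarantine_impact(block: Policy, fleet: Iterable[Workload],
                      intended: Set[str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Compare what a block rule actually isolates with what the responder meant
    to isolate. Returns (affected, over_blocked, missed): over_blocked is the
    'cure worse than the disease' case, missed is the 'too narrow' case."""
    affected = {w.name for w in fleet if selects(block, w)}
    return affected, affected - intended, intended - affected


# Constructed fleet: two applications sharing one subnet and, in one case, one VM.
FLEET = [
    Workload("billing-api", "10.0.1.10", "vm-a", frozenset({"app=billing", "tier=api"})),
    Workload("billing-db",  "10.0.1.11", "vm-a", frozenset({"app=billing", "tier=db"})),
    Workload("payroll-api", "10.0.1.20", "vm-b", frozenset({"app=payroll", "tier=api"})),
    Workload("payroll-db",  "10.0.2.5",  "vm-c", frozenset({"app=payroll", "tier=db"})),
]
# Constructed incident: the billing application is to be isolated, nothing else.
INCIDENT = {"billing-api", "billing-db"}

CANDIDATES = [
    Policy("block-subnet", "block", "cidr", "10.0.1.0/24"),    # too broad
    Policy("block-db-tier", "block", "label", "tier=db"),      # too narrow and off target
    Policy("block-vm-a", "block", "vm", "vm-a"),               # exact here, by coincidence
    Policy("block-billing", "block", "label", "app=billing"),  # exact by design
]

if __name__ == "__main__":
    for cand in CANDIDATES:
        affected, over, missed = quarantine_impact(cand, FLEET, INCIDENT)
        print(f"{cand.name:14} affects={sorted(affected)} "
              f"over={sorted(over)} missed={sorted(missed)}")
```

The subnet-scoped rule drags `payroll-api` into the quarantine, the tier-label rule both misses `billing-api` and hits `payroll-db`, and only the application-label rule isolates exactly the intended set by design; the VM-scoped rule happens to match here but would not if the billing containers were rescheduled onto another host.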
A company's ultimate objective should be to adopt a defense-in-depth approach to multicloud security. It's not about different solutions each playing their individual roles, but rather the coordination of resources in a connected security ecosystem. Ultimately, the key to providing a connected security layer is operations. Enterprises should pay careful attention to the operational implications of point decisions they make, ensuring each one moves them one step closer to a secure and automated multiple public cloud environment.
WWT offers many different engagements for cloud strategy planning, migration, optimization and management in our Advanced Technology Center, plus a Cloud Security Tools Rationalization Workshop to help you discover and plan for the development of a secure cloud infrastructure.