Multi-Cloud Security Checklist: 8 Things CISOs Need to Remember
By John Madisson, Senior Vice President - Products and Solutions at Fortinet
Cloud computing is an inherently dynamic and rapidly changing space. With the vast majority of organizations now adopting multi-cloud environments, the breadth and depth of the attack surface have expanded rapidly. This has increased the complexity of both deploying and managing security — from orchestrating policy controls, to transparent visibility, to tracking and reporting on security postures, standards, and regulatory compliance.
For organizations facing this challenge, here are eight security issues that CISOs should consider when implementing a multi-cloud strategy:
Multi-Cloud Computing Is the New Normal
Recent market research indicates 95% of all organizations use some form of cloud-based computing resource. Furthermore, 85% of these enterprises have a hybrid cloud infrastructure that leverages multiple private and public cloud resources, with the average enterprise using as many as 91 different cloud applications.
The agility conferred by being able to immediately add or drop services in a cloud portfolio, or to dynamically scale to meet shifting resource demands, is one of the key reasons why enterprises have turned to cloud computing in a big way. These same issues, however, have complicated the creation and maintenance of a consistent security strategy.
Cloud Security Is Often an Ambiguously Shared Responsibility
While Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) cloud vendors are responsible for securing their cloud infrastructures, customers are responsible for protecting the applications, websites, environments, and services they run on those cloud environments. Things are a bit different for Software-as-a-Service (SaaS) and Applications-as-a-Service (AaaS) offerings, where the service provider retains the primary responsibility for the security of the software and applications they offer to their customers.
However, SaaS and AaaS subscribers should know that infections and intrusions originating in those services can easily spread to other infrastructures. Complicating things further, SaaS vendors often run their offerings on third-party IaaS clouds. When considering AaaS or SaaS solutions, look for vendors that have ways for you to integrate your security policies into their services, including such things as authentication, monitoring, and inspection.
Private and Public Clouds are the Same, But Different When it Comes to Security
As noted, the vast majority of organizations access both private and public cloud resources through a hybrid cloud strategy. The challenge lies in creating security consistency between these environments. For example, security tools an organization uses internally may not be available as part of a cloud vendor’s security options, which adds another layer of complexity when trying to manage an extended security infrastructure.
Ideally, end-users should be able to deploy, view, and orchestrate security for both their private and public cloud resources using a common set of tools and single-pane-of-glass management. Achieving this, however, requires a security architecture able to function seamlessly across multiple private and public cloud environments.
Transparency and Centralization Are Essential Virtues
The ability to seamlessly manage security across your traditional network environments as well as all private and public cloud assets should be the goal of any security team. Instead, many organizations are forced to view their security portfolio through different and isolated consoles, which leads to degraded situational awareness through visibility gaps, perceptual ambiguities, and the wasted motion involved in hand-correlating information between tool A and solution B. What’s needed is a holistic, fabric-based security architecture that can overcome these silo-generated visibility and control gaps.
Security Vendor-Cloud Service Provider Relationships Are Very Important
The last thing any cloud end-user wants is an “over-the-wall” relationship between their cloud service and cybersecurity vendors. Many leading cloud service providers work closely with a handful of cybersecurity vendors to expand security transparency and interoperability to their customers. Therefore, it is important not only to look into the relationships between your preferred security vendors and the cloud providers you are considering when making buying decisions, but also to maintain a close watch on how these relationships evolve over the course of a solution lifecycle.
Managed Security Service Providers Have a Strong Role to Play
Managed Security Service Providers (MSSPs) have moved swiftly to build value propositions and practices for multi-cloud environments. The MSSP value-add for multi-cloud security covers most traditional customer benefit areas, including vendor consolidation, bridging skills gaps, augmenting staff, and enacting pay-as-you-go/pay-for-results business models. MSSPs are also a good choice for organizations that anticipate frequent changes in their cloud solution portfolios. MSSPs can bring stability to the security dynamics of a solutions portfolio change by offering a “you buy it, and we’ll secure it” approach to multi-cloud security services delivery.
Select Security Vendors Who Know the Cloud
Nearly every security vendor has slapped a “cloud-enabled” sticker on their solutions. But the truth is, not all vendors are the same when it comes to cloud security. You need to look for vendors that are truly multi-cloud ready, with a portfolio of solutions including:
- Cloud-based versions of their traditional solutions, including advanced threat detection such as sandboxing
- Centralized security management, logging, and reporting, as well as support for multiple hypervisors
- Centralized security information and event management (SIEM)
- The use of connectors, cloud access security brokers (CASB), and APIs to create a single, consistent cloud security strategy
Also look for vendors actively engaged with as many of the leading cloud service vendors as possible, especially the big five – Amazon Web Services (AWS), Microsoft Azure, IBM Cloud, Google Cloud Platform, and Oracle Cloud – to ensure you have the flexibility to take your cloud strategy wherever it needs to go, without worrying about how you will secure it.
Change is a Constant
Agility is one of the main reasons customers choose cloud-based solutions. With agility, however, comes a state of constant change in terms of the services, applications, and resources they need. Likewise, the global threat environment is constantly changing. As a result, security solutions for multi-cloud environments need to enable organizations to stay ahead of the changing threat landscape.
Cloud computing has taken the world by storm for a very good reason. It’s the most cost-effective and agile way for organizations of all sizes to access the advanced, transformational computing services and technologies needed to compete in the new digital marketplace. Security needs to be adaptable and flexible enough to enable that transformation.