Top four considerations when securing the multi-cloud environment
This is a guest post by Stephen Dane, managing director for cyber security at Cisco Asia-Pacific, Japan and Greater China
We live in a multi-cloud world. A world where a multitude of offerings from cloud service providers (CSPs) gives us the potential to respond to business opportunities and challenges at a moment’s notice.
According to IDC’s CloudView 2018 report, 85% of all businesses are evaluating or using public cloud, 87% of cloud users are moving towards hybrid cloud, and 94% are using or plan to use a multi-cloud environment, an increase from 84% in 2017.
While the flexibility, productivity and cost savings benefits of cloud apps have fueled widespread adoption of multi-cloud across Asia-Pacific, organisations are challenged to deal with its fragmented nature, increasing complexity and lack of control when it comes to data, policy and security.
It is crucial for businesses to have an end-to-end multi-cloud framework in place or they may find themselves supporting inefficient traditional datacentre environments and inadequately planned cloud implementations that may not be as easy to manage or as affordable as they imagined.
Securing the multi-cloud environment
Today’s multi-cloud world consists of software-as-a-service (SaaS) applications, private, public and hybrid clouds, hosting infrastructure-as-a-service (IaaS), and employees and branches accessing the cloud and internet from anywhere.
This means that chief information security officers (CISOs) do not have the same level of control in a multi-cloud environment as they have with their on-premises infrastructure. It also means that there is no single tool to build a unified security policy across the environment, adding to the complexity that CISOs face.
In Cisco’s 2019 CISO benchmark study, 70% of respondents in Asia-Pacific said that defending cloud infrastructure was “very or extremely” challenging, higher than the global average of 52%.
While ease of use is still the top driver for hosting infrastructure in the cloud, the potential for greater security is also high on the CISO agenda. In the same study, 50% of CISOs cited “better data security” as a reason to move into a cloud environment. This shows that while securing the cloud is a concern, security leaders recognise the ability of the cloud to offer more security benefits. This possibly stems from general levels of trust in cloud providers to get the basics right and to make it easy for the consumers of those services to layer their own security on top.
So where should businesses start? Here are four key considerations:
Gaining visibility into the network
Organisations are shifting IT resources to the public cloud such as Amazon Web Services, Microsoft Azure, Alibaba Cloud and Google Cloud at historic scale, driven by demands for greater capital efficiency, agility and scalability. Businesses need to understand that security in the cloud is not fully managed by either the customer or cloud provider; rather, it is a “shared responsibility model” where each party is responsible for different pieces.
The cloud provider is responsible for protecting the infrastructure that runs all the services offered in the cloud. This infrastructure is composed of the hardware, software, networking and facilities that run the cloud services.
The customer is responsible for security in the cloud, such as the management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and firewall or security group configuration.
To do so, businesses need to think about how they are protecting their data: Are their applications secure? Have they configured their firewall correctly? Have they managed identity and access correctly? Is their data secure or is it being accessed by third parties? Failure to account for these responsibilities will create a greater risk of exposure and data exfiltration.
The first step to securing multi-cloud environments is gaining greater visibility at the network and application layer. This can be achieved with solutions such as Cisco Stealthwatch Cloud, which delivers security visibility for the public cloud, allowing organisations to detect abnormal behavior and threat activity, so they can quickly respond before a security incident becomes a devastating breach.
Protect SaaS apps as users bypass security perimeter
Users are increasingly self-selecting which apps to use anytime and anywhere. In today’s multi-cloud world, SaaS application usage is frequently a blind spot as independent applications running on an organisation’s hybrid and multi-cloud infrastructures are constantly evolving.
Attackers can compromise cloud identities, gain access to information stored in the cloud through excessive file shares and public data exposures, and create malicious applications that connect to users’ cloud identities by exploiting the Open Authorisation (OAuth) protocol.
Currently, the majority of datacentres are designed with traditional perimeter-only security, which is insufficient, especially as the datacentre has become a multi-cloud environment. Providing a secure infrastructure for hundreds or even thousands of applications without compromising agility requires a new, multi-dimensional approach. As applications move from an on-premises datacentre to a private cloud and a public cloud, security has to move with them.
This is why an application-first security model allows organisations to gain insight and control through greater visibility, achieve compliance with software guardrails and reduce risk with advanced threat prevention and detection across the environment.
Optimise networking and security with segmentation
A Cisco study revealed that 63% of companies are adopting software-defined wide-area networking (SD-WAN), suggesting that they may be optimising their networks for cloud.
Today’s work environment allows employees to work from any device, anywhere and anytime. As remote users work directly in cloud apps, and as organisations enable applications and devices at branch sites to directly access the internet, they bypass the traditional centralised security perimeter. This exposes the branch and devices to all types of internet traffic, and in the process, increases the attack surface at the edge.
To solve the security and complexity problems at the cloud edge where networking, security and multi-cloud environments meet, Cisco is building security functionality into its SD-WAN software while boosting support for cloud services.
This extends branch segmentation into the datacentre and cloud by carrying the relevant identifying segmentation information to all relevant points in the network. By integrating security and networking into one platform, we are in a position to optimise and secure the network and deliver the traffic directly to the cloud provider in a simple and cost-effective way.
Balance threat detection with trust verification
By now we have established that users, devices and apps are accessing the network as they always have, but are also accessing data beyond IT’s traditional control points.
Application access decisions are often happening off-network when mobile users go straight to cloud apps. So, while a strong security posture begins with continuous threat detection that blocks attacks and malware outright and also continuously detects and remediates the most advanced threats, it has to be coupled with continuously verifying trust. This trust-centric approach enforces controls around access to sensitive data and apps and verifies trust in users, workloads and IoT devices.
By keeping these four considerations top of mind, businesses can adopt the cloud with confidence and protect their users, data, and applications, anywhere they are.