Confusion over security “in” the cloud versus security “of” the cloud is common. It gets even more confusing when you’re using more than one cloud. Here’s what you need to know to secure your operations and assets in the multi-cloud.
Read this article on multi-cloud security and learn:
- Why multi-cloud environments are now the norm.
- How to manage security in a multi-cloud environment.
- The benefits of a cloud access security broker (CASB).
Although cloud computing has been around long enough to become commonplace, many still fail to understand that cloud providers operate on a shared security model. Specifically, that means cloud providers generally share the responsibility for security with their customers. The responsibility for who secures what between provider and user is generally well-defined by providers but remains a point of confusion for some users, especially in light of public claims that the “cloud is safe.” To explain the difference between an accurate claim and a seemingly opposite reality, public cloud providers often preach a clear line between security “of” the cloud – meaning the provider’s responsibility to secure the cloud itself – and security “in” the cloud – meaning the user’s responsibility to secure everything they put “in” the cloud.
This distinction is not a matter of semantics used by cloud providers to dodge legal responsibility. U.S. law puts the onus on the user to secure data, apps and infrastructure placed in the cloud, with few exceptions. Many a company that has suffered a data breach has learned this legally-defined liability ownership the hard way.
In a cloud environment, under U.S. law (except HIPAA which places direct liability on a data holder) and standard contract terms, it is the data owner that faces liability for losses resulting from a data breach, even if the security failures are the fault of the data holder (cloud provider). – Thomson Reuters
Now new or extended privacy and compliance regulations are adding painful salt to data breach wounds. Given the global nature of commerce these days, nearly all regulations apply to most businesses, regardless of the jurisdictions that spun them up, or the headquarters’ address for the company now bound by them. Examples of such regulations are plentiful, and include the European Union’s General Data Protection Regulation (GDPR), the ePrivacy Regulation (ePR), the California Consumer Privacy Act (CCPA), the Federal Risk and Authorization Management Program (FedRAMP), and the PCI Data Security Standard (DSS), aka PCI.
It is no surprise that operating in a multi-cloud environment exacerbates all these problems, especially considering that an average multi-cloud environment has five public and private clouds, according to a Rightscale study. It also doesn’t help matters that cloud providers inadvertently obscure the user’s view and thus hamper security efforts. Five clouds’ worth of fog banks is a lot of cloud cover for security pros to peer through.
From One Cloud to Many
At the base of the mushrooming problems with multi-cloud environments is the all too familiar silo effect, wherein information is not exchanged beyond a set boundary. While siloes sometimes exist intentionally as a means to create vendor lock-in, they also frequently happen as an unintended consequence of other initiatives.
In a multi-cloud data center, each provider is typically focused on solving problems within its own environment. Policies created using one provider’s tools will not be able to follow workloads as they migrate to different environments, putting the onus on the user to manage multiple policy solutions. Cloud provider tools also lack the flexibility to set policies to meet specific compliance requirements. – David Klein, Senior Director of Architecture & Engineering at Guardicore
While this common scenario in a multi-cloud environment can lead to general chaos and an expanding attack surface, these are not the only problems typically requiring the user’s attention.
The biggest threat to cloud security, 62%, was misconfiguration of cloud platforms, while 43% of security operation centers (SOCs) struggle with a lack of visibility in infrastructure security. 38% struggle with compliance. – Data from a 2018 Cloud Security Spotlight Report by Crowd Research Partners and commissioned by AlertLogic
69% of enterprises will have multicloud/hybrid environments this year, but the increasing number of choices will bring excessive complexity – 451 Research
Despite these difficulties and increasing security threats, multi-cloud environments are now the norm. Dave Bartoletti, VP and Principal Analyst at Forrester Research said that “62% of public cloud adopters are using 2 or more unique cloud environments / platforms and 74% of enterprises describe their strategy as hybrid/multi-cloud today.” Even so, the multi-cloud surge has not yet reached its peak. Research powerhouse Gartner predicts that “by 2021 there will be an inflection point where more enterprise computing workloads reside with public cloud providers than in on-premises data centers.” Security vendors, too, are reporting much the same in terms of the ubiquity of multi-clouds and the increasing complexities.
Over 80% of companies have or are developing a multicloud design strategy. This multi-cloud strategy is often leveraging container-based micro-service technology, more specifically Kubernetes, as both AWS and GCP have announced Kubernetes as their de-facto automation and orchestration platform. – Andrew Howard, Global CTO at Kudelski Security
Adding to the security threats inherent in these cloud developments are overwhelmed IT departments and security teams. According to the FireMon State of Hybrid Cloud Security Survey, 60% of respondents said cloud business initiatives are speeding past the security teams’ ability to secure them. “Organizations are struggling to determine who has responsibility for multi-cloud security. Is it the IT/security team? DevOps personnel and app owners? Business teams? We’re seeing more and more business and DevOps teams deploying apps where they implement their own data security controls, leaving security teams out of the process altogether,” said Kurt Mills, Vice President of Worldwide Channel Sales & Operations at FireMon.
56% of respondents said that network security, security operations or security compliance teams handle cloud security. 44% said cloud security is left to IT/cloud teams, application owners or other teams outside the security organizations. – Data based on a FireMon survey
Protecting the Multi-Cloud
While deciding who is in charge of securing an organization’s multi-cloud is a serious challenge, figuring out the best way to secure it is an even bigger task.
Many organizations simply don’t have strong, comprehensive IT security plans in place. To keep your data safe in a multi-cloud environment is to fully understand what data you have, where it’s located and who has permission to access it. – Trevor Bidle, VP of Information Security and Compliance at US Signal
But part of what makes managing security in a multi-cloud environment so difficult is the ease in getting wrapped up in multiple clouds to begin with. “Many organizations find that cloud computing is easy, so easy that they start migrating all manner of data into the cloud without evaluating it and considering whether it even belongs there. Eventually, really sensitive data ends up being stored in the cloud. Even worse, the IT people may not know this data exists, and it becomes a shadow IT problem,” says Mike Baker, founder and Managing Partner of Mosaic451, a managed cyber security service provider (MSSP).
Most experts recommend beginning with the fundamentals. “To raise the security level, promptly update infrastructure components and configure accesses within your – not a cloud provider’s – area of responsibility, for example, set up limited access to virtual machines you host in a cloud environment,” advises Dmitry Kurskov, IT Director at ScienceSoft, a software development company.
At least at this fundamental stage, the options tend to be more straightforward. “Organizations have a couple of options for cloud security: They can use an API within the cloud application itself to inspect the data, or they can use a cloud access security broker (CASB),” says Baker.
However, the very thing that attracts organizations to using APIs for security is also the main attraction for criminals: simplicity. Data in transit is also left unprotected in this approach, which presents another opportunity for data thieves.
“CASBs emerged about five years ago and were readily embraced. A CASB solution is a security tool that sits between a cloud service application and its end users, enforcing organizational security policies and best practices, protecting against intrusions, and preventing data leakage,” Baker explained.
CASBs can run on physical premises or in the cloud, and they can be easily integrated into existing data loss prevention software (DLP) solutions. “Organizations don’t have to start over at square one; they simply extend their existing DLP to the cloud,” says Baker.
Essential to securing a multi-cloud environment is using tools suitable for managing issues across different types of clouds. Unfortunately, too many organizations are trying to just get by with a collection of existing tools.
36% are using native tools for each cloud or manual process. – Data based on the recent FireMon study
That means their approach to cloud security is to treat each cloud as a separate, standalone issue rather than taking a more effective holistic approach.
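As an added example (not from the original article or from any vendor quoted in it), here is one way to apply a single policy across clouds instead of one native tool per cloud, checking the "limited access to virtual machines" advice above. It assumes firewall rules already exported in the AWS security-group and GCP firewall-rule JSON shapes; the sample rules, the function names and the admin-port policy are constructed for illustration.

```python
import ipaddress

ADMIN_PORTS = {22, 3389}  # assumed policy: SSH/RDP never open to the internet
PORTED = {"tcp", "udp", "all", "-1"}  # protocols whose rules carry port ranges
# Constructed sample exports in each provider's rule shape (not real data).
AWS_GROUP = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}
GCP_RULES = [
    {"name": "fw-wide", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000", "443"]}]},
    {"name": "fw-ping", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "icmp"}]}]

def port_range(spec):
    """'22' -> (22, 22); '3000-4000' -> (3000, 4000); '*' -> every port."""
    if spec == "*":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def is_public(cidr):
    """True when the source range covers the whole address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def normalize(aws_group, gcp_rules):
    """Yield (cloud, rule, source, lo, hi) for inbound TCP/UDP allow rules."""
    for perm in aws_group["IpPermissions"]:
        if perm["IpProtocol"] in PORTED:
            span = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for rng in perm.get("IpRanges", []):
                yield ("aws", aws_group["GroupId"], rng["CidrIp"], *span)
    for rule in gcp_rules:
        if rule["direction"] != "INGRESS":
            continue
        for allow in rule.get("allowed", []):
            if allow["IPProtocol"] in PORTED:
                for src in rule.get("sourceRanges", []):
                    for ports in allow.get("ports", ["*"]):  # no ports = all
                        yield ("gcp", rule["name"], src, *port_range(ports))

def exposed_admin_ports(rules):
    """One policy for every cloud: admin ports reachable from anywhere."""
    return sorted((cloud, name, port) for cloud, name, src, lo, hi in rules
                  for port in ADMIN_PORTS if is_public(src) and lo <= port <= hi)

FINDINGS = exposed_admin_ports(normalize(AWS_GROUP, GCP_RULES))
```

The GCP sample rule never names port 3389, yet its `3000-4000` range covers it, which is the kind of misconfiguration a per-cloud, by-eye review tends to miss.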
More than 80% are challenged with limitations and complexity of security tools for hybrid cloud environments. – Data based on the recent FireMon study
But security tools weren’t the only challenges security teams ran into. Almost half, 44.5%, said their top three challenges for securing public cloud environments are: lack of visibility, lack of training and lack of control.
With all these issues in mind, Martin Bos, VP of Consulting Services for TrustedSec, an IT Security Consulting firm, offered these tips:
- Testing should be done throughout the SDLC and service execution phase
- Know the provider vs. tenant responsibilities
- Make sure the provider offers complete visibility
- Opt for behavior-based monitoring over signature-based
- Switch focus from perimeter defense to internal network security
- Automate as much as possible
Last But Not Least
An organization’s security plans should be revisited and updated often as change is the infuriating constant in multi-cloud environments, including in the types of security threats, the complexities in multi-clouds, and the range of cloud options and tools, among other aspects.
“In the multi-cloud scenario, enterprises are not only dealing with a high volume of change but also an increased velocity and pace of change,” warns Caveonix’s VP of Product Management Chris Davis.