Defense in Breadth

Securing the Multi-Cloud Hydra

multi cloud hydra3
Dell EMC

New Architecture, Roles, and Clouds

For many of us using public cloud services, security remains one of our biggest concerns. It’s not that cloud services are generally viewed as insecure; it’s that many organizations may not be completely prepared or staffed properly to deal with widespread cloud adoption. With the fast-paced adoption of cloud-native application architectures to support digital transformation, this problem is becoming further compounded. The economics of public cloud are one of the primary drivers for adoption, yet the long-term challenge with such decisions being made solely on the possibility of savings can come back to haunt those who fail to take a risk-based view and factor in additional impacts that can arise.

As an organization continues to adopt a cloud operating model, there must be expansion of team roles such as Cloud Admin, Cloud Application Architect, Cloud Architect, and so on, but we can’t forget about the Cloud Security Professional. This person will play an integral role in all phases of the cloud journey. They’ll vet potential cloud services to verify they meet regulatory compliance, ensure processes adhere to IT’s governance policy, and that proper procedures are in place to protect data if there is an intrusion, such as an Advanced Persistent Threat (APT).

For those that wonder how to get started developing a secure cloud strategy, the Cloud Security Alliance publishes a reference to a conceptual design of a security infrastructure and related security mechanisms, policies, and procedures. It’s called the CSA Enterprise Architecture.

Security Must Be Agile

In today’s multi-cloud world, the proliferation of data across a wide array of cloud services– ranging from Infrastructure as a Service, Platform as a Service, and Software as a Service– exponentially increases the size and scope of the threat vector as the number of intercommunication paths are created. The network perimeter takes on a completely new meaning at this point. For many public cloud networks, the perimeter is clearly the demarcation point. For some services, the perimeter transforms into a series of highly dynamic “micro-borders,” while with others, there is no clear border at all.

As hybrid cloud management platforms mature and organizations extend their private clouds onto compatible platforms, supporting network and security policies must extend seamlessly as well. Generally, once an attack successfully gets past the outer perimeter, there are few lateral controls to prevent them from traversing the network. The best way to solve this is to adopt a stricter, micro-granular security model with the ability to tie security to individual workloads and the agility to provision policies automatically.

In addressing the subject of workloads, we need to recognize that traditional and cloud-native applications have many of the same– but, also some very different– security needs. These must be taken into account to ensure an organization’s digital transformation success isn’t interrupted by a newsworthy security event. One intrusion resulting in exfiltrated customer data or intellectual property is all it takes to bring your new initiatives– and their anticipated gains for the organization– to a screeching halt.

Many recent and notable data breaches have occurred at the application layer, yet only a very small portion of an organization’s annual security spend is in this area. While many organizations practice a defense-in-depth security model, it must have breadth as well to ensure that the ever-expanding “perimeter” is protected. In a cloud-native, microservices architecture, security must be embedded at the application layer and automated in the development pipeline to enable development velocity, not impede it. The upfront cost of this automation pales in comparison to the cost of a data breach that results in exposure of sensitive customer data or intellectual property.

Confidentiality, Integrity, and Availability

Regardless of if it’s a traditional or cloud-native application, running on or off-premises, you’ll need to ensure you can verify the identity of any individual accessing your data or systems, provide an authentication mechanism and ensure those who access also have authorization. Data created in cloud-native applications, just like their traditional counterparts, should have a well-defined and managed lifecycle across the following key stages – Create, Store, Use, Share, Archive, and Destroy. With the short-term nature of some cloud-based services, you must keep these stages in mind to ensure that there is zero risk of exposure after the service is no longer being utilized. Also, if the application is deployed in certain regions around the globe, data sovereignty and data residency regulations must be taken into account to ensure local laws are complied with as well as that the customer data is at all times protected.

While we’ve been addressing cloud-native applications, we can’t ignore the large number of traditional application workloads still in use today. Many organizations can’t re-factor these applications fast enough. If traditional applications are not scheduled for retirement any time soon, they must continue to be protected as they are migrated to, or created in, a cloud-based service. With multi-cloud becoming more of a reality, the need to protect sensitive workloads significantly increases. One effective method would be to use encryption to encapsulate the workload, so an organization must adopt a technology that is compatible both on and off-premises.

As the incidence of cyber threats like cybercrimes such as APTs, malware, and ransomware continues to increase, every organization must consider how they’re going to address threat detection and mitigation on a broad scale. They’ll need an early-warning system that delivers insights and deploys countermeasures derived from analytics and applied intelligence.

Regardless of the services being used and their security posture, the organization is ultimately responsible for keeping their data safe and will be held accountable in the case of an event. The Cloud Security Alliance Cloud Controls Matrix strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

We’ve Only Just Begun

Security itself is a broad and a deep topic. This is just the beginning of the discussion as to how we best secure and protect data assets in a multi-cloud world. If I had just one piece of advice to leave you, it would be to build in a solid security framework from the ground up rather than trying to bolt it on, or weave it in, after. Not only will this save a great deal of time and money, it may just save your business.

In addition to being a Certified Information Systems Security Professional (CISSP), Chris Cicotte is the Director of Strategic Cloud Messaging for Dell Technologies, focused on telling the story of our customers’ success as they execute against cloud strategies to power digital transformation. When he’s not cycling on the road or driving his Jeep off-road, he’s enjoying time with his wife and three children. You can follow him on Twitter at @Chris_Cicotte.

Copyright © 2017 IDG Communications, Inc.