Security considerations for multi-cloud environments
The cloud has become the most important component in driving an organization’s digital strategy. Many organizations are increasingly looking at cloud-first deployments. This is reflected in research firm Gartner’s forecast that end-user spending on public cloud services in India will total $7.3 billion in 2022, an increase of 29.6% from 2021. To cut down the risk of dependence on a single service provider, many organizations are also increasingly looking at adopting a multi-cloud strategy.
That said, any organization that is looking at leveraging a multi-cloud strategy needs to adapt its security posture. This includes public cloud services and the subscription to Software-as-a-Service (SaaS) offerings hosted on a public cloud infrastructure. As cloud-based business models grow in scale, there is a huge need to address key security issues. The Cloud Security Alliance (CSA), a leading industry body that is dedicated to defining standards, certifications and best practices, has highlighted some of the top security threats to cloud computing in its recent report, Top Threats to Cloud Computing.
The top threats include: Insufficient Identity, Credentials, Access and Key Management; Insecure Interfaces and APIs; Misconfiguration and Inadequate Change Control; Lack of Cloud Security Architecture and Strategy; Insecure Software Development; Unsecured Third-Party Resources; System Vulnerabilities; Accidental Cloud Data Disclosure; Misconfiguration and Exploitation of Serverless and Container Workloads; Organized Crime/Hackers/APT and Cloud Storage Data Exfiltration.
Best practices for improving security in multi-cloud environments
The first and most important best practice in improving security in a multi-cloud environment is to ensure a sound security strategy. This strategy must support the organization’s short- and long-term goals and take into account risk management and compliance obligations so that security becomes an enabler for business outcomes. Once the strategic business outcomes and the role of the cloud are understood, it will be clearer how to create a security program for the cloud that delivers value to the business while keeping it secure. The CSA recommends that organizations consider business objectives, risk, security threats, and legal compliance in cloud services and infrastructure design and decisions.
This must be followed by a comprehensive program to evaluate the current state of the information security posture, define the desired state, and conduct a gap analysis against the desired state to understand the work that an organization needs to do to get to where it needs to be. The desired state must tie back to the strategic objectives of the company and the overarching security strategy. This approach should also take into account the organization’s risk appetite to strike the right balance between security, risk management and business performance. A sound risk assessment uses both quantitative and qualitative risk methods to determine the desired risk profile.
As identity is one of the most important components in multi-cloud environments, it is vital that organizations secure and authenticate users adequately. Getting identity right is a critical first step in a successful cloud migration. We recommend consolidating all identities into a single identity provider to make your transition to and between clouds manageable and less complex. The CSA also recommends that privileged accounts be de-provisioned in a precise and immediate manner in order to avoid personnel access after off-boarding or role change. This reduces the risk of data exfiltration and the likelihood of compromise.
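One way to check the de-provisioning recommendation above once identities are consolidated: reconcile each cloud's privileged accounts against the identity provider's records. This is an added example, not code from the article or from the CSA; the role names, account names and both data sets are constructed, and the field layout is an assumption.

```python
from datetime import datetime, timezone

PRIVILEGED_ROLES = {"cloud-admin", "security-admin"}  # assumed role names

# Constructed identity-provider export: the single source of truth for identities.
IDP_USERS = {
    "asha":  {"status": "active",     "role": "cloud-admin", "changed": "2021-11-10T08:00:00+00:00"},
    "ravi":  {"status": "offboarded", "role": None,          "changed": "2022-03-01T09:00:00+00:00"},
    "meera": {"status": "active",     "role": "developer",   "changed": "2022-03-02T12:00:00+00:00"},
}

# Constructed per-cloud account inventories, normalised to one shape.
CLOUD_ACCOUNTS = [
    {"cloud": "cloud-a", "account": "asha-admin",  "owner": "asha",  "privileged": True,  "enabled": True},
    {"cloud": "cloud-a", "account": "ravi-admin",  "owner": "ravi",  "privileged": True,  "enabled": True},
    {"cloud": "cloud-b", "account": "ravi-root",   "owner": "ravi",  "privileged": True,  "enabled": False},
    {"cloud": "cloud-b", "account": "meera-admin", "owner": "meera", "privileged": True,  "enabled": True},
    {"cloud": "cloud-b", "account": "meera-dev",   "owner": "meera", "privileged": False, "enabled": True},
    {"cloud": "saas-x",  "account": "svc-legacy",  "owner": "kiran", "privileged": True,  "enabled": True},
]


def stale_privileged_accounts(idp_users, accounts, now):
    """Return enabled privileged accounts whose owner no longer justifies them."""
    findings = []
    for acct in accounts:
        if not (acct["privileged"] and acct["enabled"]):
            continue  # only live privileged access matters here
        user = idp_users.get(acct["owner"])
        if user is None:
            reason, since = "owner-unknown-to-idp", None  # orphaned account
        elif user["status"] != "active":
            reason, since = "owner-offboarded", user["changed"]
        elif user["role"] not in PRIVILEGED_ROLES:
            reason, since = "role-no-longer-privileged", user["changed"]
        else:
            continue  # active user who still holds a privileged role
        hours = None
        if since:  # how long the access has outlived the off-boarding or role change
            hours = round((now - datetime.fromisoformat(since)).total_seconds() / 3600)
        findings.append({"cloud": acct["cloud"], "account": acct["account"],
                         "reason": reason, "hours_overdue": hours})
    return findings


if __name__ == "__main__":
    now = datetime(2022, 3, 3, 9, 0, tzinfo=timezone.utc)
    for finding in stale_privileged_accounts(IDP_USERS, CLOUD_ACCOUNTS, now):
        print(finding)
```

Accounts whose owner is unknown to the identity provider are reported as well, since they cannot be tied to any off-boarding process.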
For SaaS applications, organizations must ensure that these applications meet the organizational security requirements for data sovereignty, access to information and ownership, and be sure to review the security controls of any third parties that they engage. Compliance can typically be measured with a Cloud Access Security Broker (CASB) for SaaS. The CSA recommends undertaking a periodic review of third-party resources. If organizations find products that they do not need, they must remove them and revoke any access or permissions that may have been granted to them for the code repository, infrastructure, or application.
For public cloud deployments, once the application strategy for refactoring in the cloud has been understood, organizations can plan their security to meet these requirements. It may be a case of lift-and-shift, of updating user interfaces with a 3-tier backend, or of completely re-architecting for a cloud-native application approach using orchestrated micro-services delivered using containers.
Security in multi-cloud environments must also be strengthened by modernizing networks. The transition to hybrid networks using SD-WAN and broadband, the downsizing of WAN cost and complexity, and the move to Direct Internet Access (DIA) provide opportunities to refactor security approaches. Reducing the backhaul of internet-bound traffic to data centers, where it is processed by security appliances, will allow for modern cloud-delivered security strategies like Secure Access Service Edge (SASE). Organizations must also inspect traffic using SSL inspection, as the majority of threats use encrypted channels for communication. Security can be further strengthened by using encryption to secure data at rest and in transit.
To reduce the risk of public cloud data or compliance breaches, configuration across a multi-cloud environment can be managed using a Cloud Security Posture Management (CSPM) tool. CSPM tools can be used to identify misconfiguration issues and compliance deviations from stated policies and regulations. By using CSPM tools, organizations can reduce cloud-based security incidents due to misconfigurations by a significant percentage.
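The core of what a CSPM tool does across clouds can be sketched as follows: each provider's configuration export is mapped onto a common model, and the stated policies are written once and applied to all of them. This is an added example, not a real CSPM product or provider API; the provider names, field names, policy identifiers and resources are all constructed.

```python
# Constructed exports from three providers; the field names are illustrative
# assumptions, not real provider API output.
RAW_EXPORTS = {
    "cloud-a": [{"id": "bucket-logs", "acl": "public-read", "sse": None, "https_only": True},
                {"id": "bucket-app", "acl": "private", "sse": "kms", "https_only": True}],
    "cloud-b": [{"name": "stor-finance", "publicAccess": False, "encryption": "cmk",
                 "secureTransfer": False}],
    "cloud-c": [{"name": "hr-archive", "allUsers": False, "kmsKey": "key-1", "requireTls": True}],
}

# One adapter per provider maps its native shape onto a common model.
ADAPTERS = {
    "cloud-a": lambda r: {"id": r["id"], "public": r["acl"].startswith("public"),
                          "at_rest": r["sse"] is not None, "in_transit": r["https_only"]},
    "cloud-b": lambda r: {"id": r["name"], "public": r["publicAccess"],
                          "at_rest": bool(r["encryption"]), "in_transit": r["secureTransfer"]},
    "cloud-c": lambda r: {"id": r["name"], "public": r["allUsers"],
                          "at_rest": bool(r["kmsKey"]), "in_transit": r["requireTls"]},
}

# Stated policies, written once and applied to every cloud (hypothetical IDs).
POLICIES = [
    ("NO-PUBLIC-STORAGE", lambda r: not r["public"]),
    ("ENCRYPT-AT-REST", lambda r: r["at_rest"]),
    ("ENCRYPT-IN-TRANSIT", lambda r: r["in_transit"]),
]


def evaluate(raw_exports):
    """Return (cloud, resource, policy_id) for every policy deviation found."""
    findings = []
    for cloud, resources in raw_exports.items():
        adapter = ADAPTERS.get(cloud)
        for raw in resources:
            if adapter is None:
                # A cloud with no adapter is a coverage gap, reported as a finding.
                findings.append((cloud, str(raw.get("id") or raw.get("name")), "NO-ADAPTER"))
                continue
            res = adapter(raw)
            findings += [(cloud, res["id"], pid) for pid, ok in POLICIES if not ok(res)]
    return findings


def summary(findings):
    """Count deviations per cloud so posture can be compared across providers."""
    counts = {}
    for cloud, _, _ in findings:
        counts[cloud] = counts.get(cloud, 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate(RAW_EXPORTS)
    print(results, summary(results))
```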
As API usage is growing exponentially, APIs need to be checked for possible vulnerabilities, which can arise from misconfiguration errors, poor coding practices or a lack of authentication techniques. The CSA recommends that the attack surface provided by APIs should be tracked, configured, and secured. In addition, traditional controls need to be updated to keep pace with cloud-based API growth and change. It is recommended that organizations embrace automation and deploy technologies that monitor continuously for malicious API traffic.
As application-based attacks are still increasing at a fast pace, organizations must ensure the security of their applications by connecting users to applications through cloud-delivered security combined with user (and device) identity, such as a Zero Trust approach. They must also ensure that applications at all stages of the development lifecycle are protected using Software Composition Analysis (SCA), Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). This will require building capability in application security and development. Public-facing applications and Application Programming Interfaces (APIs) must be protected with Web Application Firewalls (WAFs) and Web Application and API Protection (WAAP). Infrastructure and workloads must be protected using cloud-native solutions wherever possible. Data must be encrypted at rest and in motion. Security risks due to vulnerabilities can be significantly minimized using automated vulnerability detection and patch deployment approaches.
Finally, outsourcing operations to a cloud and/or Managed Security Services Provider must be considered to alleviate the operational overhead of maintaining and monitoring complex ecosystems and to improve an organization’s ability to detect and respond to threats across a multi-cloud environment. We’ve spoken about the security capabilities to be integrated with on-premises security monitoring and management. However, the framework for monitoring the multi-cloud environment should not be different from the security monitoring and management for the on-premises infrastructure on which the business depends. Keeping this unified, common framework of tools and processes improves the end client experience, irrespective of whether the end client is internal or external. Hence, outsourcing this to a platform-centric Managed Security Services Provider helps a lot. In addition, global threat intelligence requires us to keep this environment secure to the level the business warrants, so that it can safely comply and continue in business.
The multi-cloud environment is a reality today, and organizations can consider some or all of the best practices recommended above to ensure that their multi-cloud strategies are secure by design.
(The author is Mr. Murtaza Bhatia, Sales Director, Cyber-security, NTT Ltd. in India and the views expressed in this article are his own)