Security in multi-cloud
A multi-cloud environment poses significant security challenges, which require CISOs to develop new security strategies to address them.
For enterprises embarking on a digital transformation journey, developing a multi-cloud strategy is key to achieving substantial business benefits, as it allows IT leaders to adopt the best available infrastructure, platforms, and software services.
While there is no doubt that organisations moving to the cloud will work with multiple service providers to avoid vendor lock-in and optimise costs, doing so comes with additional challenges in terms of security.
“Cloud in itself changes how we think about security, and multi-cloud is yet another challenge. The primary issue is that when we move to cloud, we may not be able to provision the same security controls as we had on-premises, and for multi-cloud, the controls may also differ,” says Nicolai Solling, CTO of Help AG.
“Therefore, today we see many security vendors focusing on being available in all cloud environments, being on all the major public cloud offerings, as well as private and on-premises deployments. The whole purpose is to be able to provision identical security across all environments,” he adds.
Ross Jackson, VP, Trust Office at Mimecast, says failing to manage complexity at scale is the biggest risk for a multi-cloud approach. Disparate systems require tight identity and access management, authentication and encryption controls. “This was highlighted in the recent multi-factor authentication (MFA) problem that affected Microsoft Azure services for organisations around the world. Organisations using a variety of SaaS services realised they were susceptible to a single point of failure that they could not control,” he says.
Lack of visibility is another key challenge as employees often buy software services or other cloud-based services on their own, circumventing IT organisations.
“Poor visibility of what is happening with your application across a multi-cloud environment is a major security risk. Applications are more and more distributed, delivered through a combination of micro-services that are designed to deliver very specific tasks, and in this architecture, it can become quite difficult to visualise what is ‘normal’ application behaviour. Being able to identify deviations from normal is imperative to identify exploitations on the system,” says Paulo Pereira, director of systems engineering – emerging markets at Nutanix.
Mohammed Muneer, regional director at A10 Networks, says users need to take three specific steps to address visibility when moving workloads across multiple clouds. “Security, in terms of functionality and enforcement, needs to operate seamlessly regardless of the environments in which it has been deployed. To undertake this approach, the ability to define and classify information and workloads must comply with each of the various cloud infrastructures being used, while security functionality must be similarly delivered over each cloud infrastructure.”
He adds that security solutions under consideration must not only be able to apply consistent enforcement and controls across clouds but do so with the same proven features and functions used to protect the traditional network.
What are some of the critical steps enterprises should take as they develop their multi-cloud strategies?
As a basic principle, companies need to think beyond cost, says Pereira from Nutanix. “The costs of a security breach, at best, can easily take back any potential savings you made with a cloud supplier selection, and at worst can put you out of business. Beyond cost, companies need to make sure they have the right expertise to work with these cloud environments; they need to have the expertise to be able to build but also operate and react in case of a security breach.”
Solling from Help AG says it is a good idea to start by mapping out detailed data flows and then testing ‘what if’ scenarios for continuity and resilience. Data is exploding across your universe and you need to build a threat intelligence system that can respond to this new multi-cloud landscape.
“You probably have data leaks that you are not aware of; they contain data that you may not know about. It’s going to be critical for you all to figure out where that is because you can’t derive where your risks are to drive the data that you need to collect to drive to intelligence if you don’t know even what you’re collecting to begin with,” he adds.
Security experts say security policies and practices in the region are not keeping pace with cloud adoption and solutions such as cloud access security brokers aren’t very common yet. “Perceptions around security and risks related to cloud in the Middle East are different to the US and Europe. The economic factors of cloud will continue to drive adoption, and there’s an opportunity for organisations in the region to learn from the mistakes that have already been made elsewhere. Skills and training are a constant need for all organisations looking to tackle these agile new IT approaches,” says Jackson from Mimecast.
Solling echoes a similar opinion: “The region is in the early days of cloud, and more so when it comes to cloud security. I am often surprised when talking to clients as they either think that cloud is secure by default, or that the native controls delivered by the cloud provider are good enough.
“The fact is that security in the cloud is as complex and as much of a requirement as in any classic data centre infrastructure and the forms of attacks are often very different. As an example, the cloud will ultimately cause attackers to focus more intently on client-side attacks and phishing. This means endpoint security, identity control and user awareness are becoming very important elements of any robust security strategy.”
For enterprises in the region looking to spread their workloads around different cloud service providers, it would be imperative to deploy emerging technologies to secure these environments as traditional security controls are not enough to do the job.