Prioritizing Security in a Multi-Cloud World
February 2019 by Marc Jacob
Cloud awareness and adoption continues to grow, as more enterprises take advantage of the benefits that come with multiple cloud platforms. In fact, in a recent Voice of the Enterprise (VotE): Cloud Hosting and Managed Services study, conducted by 451 Research, 90% of respondents indicated they have some type of cloud services in place and several are already using multi cloud environments. Closer to home in the Middle East, research by MarketsandMarkets predicts that the cloud market in the region will triple to $2.4 billion by 2020, driven in large part by adoption of multi cloud.
But on the flip side, we’re seeing an increase in cloud related security incidents. According to research from the October 2018 McAfee Cloud Adoption and Risk report, the average organization generates over 3.2 billion events per month in the cloud, of which 3,217 are anomalous, and 31.3 are actual threat events. This is cause for alarm given that 21% of all files in the cloud contain sensitive data (up17% over the past two years).
Against this backdrop, whether you are switching up your multi-cloud strategy or starting from scratch, here are a few things your organization needs to know first about multi-cloud.
Determine what features will either make or break your multi-cloud strategy When picking the best multi-cloud structure for your business, be bold. Build a vision for what you need cloud services to do for your company―worry less about “how” and more about the “why” and “what” you need from your providers. The reality is that top cloud providers in IaaS/PaaS and, separately, SaaS spaces, are offering extremely versatile capabilities and compelling value. It is important to understand what features are critical and which ones change the way your organization works when it comes to selecting vendors.
Outside of single requests for a new or different capability, your organization needs to rationalize the different needs for each, down to “collections” of related needs. For example, consider SaaS for well-known, repeatable needs first, then look to move or re-deploy capability into IaaS or build natively in PaaS for efficient applications.
Security measurements are important when architecting a multi-cloud structure First and foremost, avoid looking at your new cloud infrastructure as a separate environment. It’s not merely a new data center, so an organization also needs to consider how switching to a cloud infrastructure will shift how the organization secures assets. Consider looking to resources like the MITRE ATT&CK matrix and the Center for Internet Security’s Basic and Foundational Controls list as a guide for answering this question: “In the future, how do I maintain unified visibility and security when I incorporate new cloud providers?”
For a successful multi-cloud migration, use your cloud access security layer and a platform that ultimately unifies your policy and threat identification approaches. Identity is another common challenge area. Moving to the cloud at scale often requires your organization to “clean up” your identity directory to be ready and accommodating of shared sign-on. By using an identity management and/or aggregation platform to expose identity to well-known cloud services, you will be able to ease the cloud implementation burden and threat exposure of any given provider.
It’s important to know that your organization’s compliance requirements are not mitigated or transmuted simply because the data has left your internal environment and entered the one your cloud provider(s) uses. As your organization matures, the way you manage and align your cloud provider’s capabilities to your compliance requirements should evolve accordingly.
Initially, ensure that your company requires business unit executives to apply or accept the risk of compliance obligations where service providers may not have every requirement. Your legal team should be a part of the initial purchase decisions, armed with technical knowledge to help identify potential “rogue” cloud services and policy guidelines that dissuade employees from adding services “on a credit card” without appropriate oversight.
As your organization gains more experience with the cloud, request that providers share copies of the SSAE16 attestations / audits. This, together with more formal due diligence processes, should become commonplace. Organizations looking to advance in this space would be well-advised to look at the Cloud Security Alliance’s STAR attestation and the associated Cloud Controls Matrix as a ready accelerator to benchmark cloud providers.
Secure buy-in from exec/C-level on a multi-cloud strategy Use of cloud services should reflect the strategic focus of the business. Technology leaders can leverage the benefits of these services to underpin initiatives in efficiency, bringing innovation to market and controlling costs. To strengthen this message, technology department heads should consider the metrics and operations adjustments that will allow them to demonstrate the enhanced value of the cloud beyond just the bottom line. If you are trying to get exec/C-level buy in, consider the following:
• How will you measure the speed of introducing new capabilities?
• Are new areas of value or product enhancement made possible through cloud services?
• How will the organization measure and control usage to hit your cost targets?
• How do you know whether your organization is getting what you have contracted for from cloud providers?
• Do you have a mechanism for commercial coverage of the organization when things go wrong?
Protect your organization and secure the cloud
Organizations will often “upgrade” in some areas of basic security (perimeter, basic request hygiene) when making the move to well-known cloud providers. How the overall security posture is affected depends heavily on the level of diligence that goes into onboarding new cloud providers. Implementing critical technical measures like the Cloud Access Security layer and policy around how the cloud is procured and technically implemented should drive basic control requirements.
As the number of cloud providers scales in the environment, your organization needs to assess and document them based on how much your organization depends on a given service and the sensitivity of the data those services will hold. Services that are prioritized higher on these two fronts should have increased organizational scrutiny and technical logging integration in order to maintain the overall defensive posture of the company.
Finally, as with any other technology trend, the missteps in making the transition to business and consumer cloud services have received outsized coverage. Take the time to dive into the “hows” and “whys” of early cloud breaches to avoid becoming a potential victim—after all, when it comes to security, it is better to learn from someone else’s (unpleasant) experiences!