We live in a multicloud world. A world where a multitude of offerings from Cloud Service Providers (CSPs) give us the potential to respond to business opportunities and challenges at a moment’s notice. According to IDC’s CloudView 2018 report, 85% of all businesses are evaluating or using public cloud, 87% of cloud users are moving towards hybrid cloud, and 94% of cloud users are using or plan to use a multicloud environment, an increase from 84% in 2017.
While the flexibility, productivity and cost savings benefits of cloud apps have fueled widespread adoption of multicloud across Asia Pacific, organizations are challenged to deal with its fragmented nature, increasing complexity, and lack of control when it comes to data, policy, and security.
It is crucial for businesses to have an end-to-end multicloud framework in place, or they may find themselves stuck supporting both their inefficient traditional data-center environments and inadequately planned cloud implementations that may not be as easy to manage or as affordable as they imagined.
Challenges and Opportunities in Securing the Multicloud Environment
Today’s multicloud world consists of Software-as-a-Service (SaaS) applications, private, public and hybrid clouds, hosting Infrastructure-as-a-Service (IaaS), and employees and branches accessing the cloud and internet from anywhere. This means that Chief Information Security Officers (CISOs) do not have the same level of control in a multicloud environment as they have with their on-premises infrastructure. It also means that there is no single tool to build a unified security policy across the environment, adding to the complexity that CISOs face. In Cisco’s 2019 CISO Benchmark Study, 70% of respondents in Asia Pacific said that defending cloud infrastructure was “very or extremely” challenging, higher than the global average of 52%.
While ease of use is still the number one driver for hosting infrastructure in the cloud, the potential for greater security is also high on the CISO agenda. In the same 2019 CISO Benchmark Study, 50% of CISOs cited “better data security” as a reason to move into a cloud environment. This shows that while securing the cloud is a concern, security leaders recognize that the cloud can offer more security benefits. This possibly stems from a general level of trust in cloud providers to get the basics right and to make it easy for consumers of those services to layer their own security on top.
So where should businesses start? To effectively enable the multicloud world that businesses live and breathe in, here are four key considerations that CISOs need to check to secure their multicloud environment.
Start with Gaining Visibility into the Modern Network
Organizations large and small are shifting IT resources to public cloud providers such as Amazon Web Services, Microsoft Azure, Alibaba Cloud and Google Cloud at historic scale, driven by demands for greater capital efficiency, agility and scalability. Businesses need to understand that security in the cloud is not fully managed by either the customer or the cloud provider; rather, it follows a “shared responsibility model” where each party is responsible for different pieces.
The cloud provider is responsible for protecting the infrastructure that runs all the services offered in the cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run the cloud services.
The customer is responsible for security in the cloud, such as the management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and firewall or security group configuration. To do so, businesses need to ask how they are protecting their data, whether their applications are secure, whether they have configured their firewall correctly, whether they have managed identity and access correctly, and how they would know if their data is secure or is being accessed by third parties. Failure to account for these responsibilities will create a greater risk of exposure and data exfiltration.
The first step to securing multicloud environments is gaining greater visibility at the network and application layers. This can be achieved with solutions such as Cisco Stealthwatch Cloud, which delivers security visibility for the public cloud, allowing organizations to detect abnormal behavior and threat activity so they can respond quickly before a security incident becomes a devastating breach.
Protect SaaS Applications as Users Bypass Your Traditional Security Perimeter
Users are increasingly self-selecting which apps to use anytime and anywhere. In today’s multicloud world, SaaS application usage is frequently a blind spot for organizations as independent applications running on an organization’s hybrid and multicloud infrastructures are constantly evolving. Attackers can compromise cloud identities, gain access to information stored in the cloud through excessive file shares and public data exposures, and create malicious applications that connect to users’ cloud identities by exploiting the Open Authorization (OAuth) protocol.
Currently, the majority of data centers are designed with traditional perimeter-only security, which is insufficient, especially as the data center has become a multicloud environment. Providing a secure infrastructure for hundreds or even thousands of applications without compromising agility requires a new, multi-dimensional approach. As applications move from an on-premises data center to a private cloud and a public cloud, security has to move with them.
This is why an application-first security model allows organizations to gain insight and control through greater visibility, achieve compliance with software guardrails and reduce risk with advanced threat prevention and detection across the environment. One example is how Cisco Tetration offers holistic workload protection for multicloud data centers by enabling a zero-trust model using segmentation. This approach allows an organization’s security team to identify security incidents faster, contain lateral movement, and reduce their attack surface. By investing in technologies that provide application segmentation for on-premises and multicloud environments, security teams can minimize lateral movement by an attacker that has already gained access to an organization’s application(s).
Optimize Networking and Security for Cloud with Segmentation
Cisco’s report “Ready, Steady, Unsure – A Technology Perspective into Asia-Pacific’s Digital Readiness for Digital Transformation” revealed that 63% of companies are adopting software-defined wide-area networking (SD-WAN), suggesting they may be optimizing their networks for cloud.
Today’s work environment allows employees to work from any device, anywhere and anytime. As remote users work directly in cloud apps, and as organizations enable applications and devices at branch sites to directly access the internet, they bypass the traditional centralized security perimeter. This exposes the branch and its devices to all types of internet traffic and, in the process, increases the attack surface at the edge.
To solve the security and complexity problems at the cloud edge where networking, security and multicloud environments meet, Cisco is building security functionality into its SD-WAN software while boosting support for cloud services.
This extends branch segmentation into the data center and cloud by carrying the relevant identifying segmentation information to all relevant points in the network. By integrating security and networking into one platform, we are in a position to optimize and secure the network and deliver the traffic directly to the cloud provider in a simple and cost-effective way. In doing so, the network becomes more effective and the applications are adopted in a secure manner.
Balance Continuous Threat Detection with Continuous Trust Verification
By now we have established that users, devices and apps are accessing the network as they always have, but are also accessing data beyond IT’s traditional control points. Application access decisions often happen off-network when mobile users go straight to cloud apps. So, while a strong security posture begins with continuous threat detection that blocks attacks and malware outright and also continuously detects and remediates the most advanced threats, it has to be coupled with continuously verifying trust. This trust-centric approach enforces controls around access to sensitive data and apps and verifies trust in users, workloads and IoT devices.
By keeping these four considerations top of mind, businesses can adopt the cloud with confidence and protect their users, data, and applications, anywhere they are.
This article was first published by Computer Weekly.