Migration to cloud-based compute and services platforms has allowed organizations to quickly adapt to the global transition to a digital economy. The ability to quickly spin up resources, adopt new applications, and respond in real time to end user and consumer demands allows organizations to compete effectively in today’s new digital marketplace. The result has been astounding. In just a few years, over 80% of enterprises have adopted two or more public cloud infrastructure providers, and nearly two-thirds are using three or more.
Growing Cloud Challenges
While the business advantages are significant, this rapid migration is also introducing complexities and risks that few organizations have adequately prepared for—right at a time when the cybersecurity skills gap is dangerously wide, and cybercriminals are more capable of exploiting vulnerabilities than ever before. Here are a few of the challenges that unchecked cloud adoption has introduced:
- New cloud services are adopted and put to use every day. However, it is much easier to deploy a cloud application than to decommission it, so cloud-based applications and services pile up, and the growing inventory becomes increasingly difficult to manage and secure.
- The adoption of cloud-based applications and services is remarkably easy. Literally anyone across the organization can source a new cloud service. The challenge is that service creation is often not funneled through the central IT department, resulting in the creation of shadow IT. As a result, the organization has little idea of what services are being used, where corporate information is being stored, who has access to it, or what security strategies are in place to protect it.
- Complicating this further, adoption of these services is heterogeneous. Employees use different cloud services from different providers, and each provider offers its own security tools, its own native security controls, and its own level of security. This makes it extremely difficult to impose any consistency on security policy distribution, orchestration, or enforcement.
What many organizations may not realize when moving to a cloud environment is how much of the responsibility for securing that environment remains theirs. Under the shared responsibility model, the cloud provider secures the underlying infrastructure shared by all tenants, such as physical facilities, storage, and compute, but securing the customer's data, content, identities, configuration, and applications is the responsibility of the cloud customer. Where the line falls depends on the delivery model: with IaaS the customer also owns the operating system, network configuration, and everything above it, while with SaaS the customer's share shrinks to data, identities, and application settings. Those customer-side controls must be built separately inside each cloud environment that has been adopted. If they are not integrated and interoperable across environments, the number and variety of security tools to implement compounds and quickly overwhelms the resources available to manage them.
Part of the challenge is that the cloud has become so large and so complex that the word itself has lost much of its meaning. Even the term multi-cloud isn’t much better. So, to build an effective, consistent, and manageable cloud strategy we need to start by clearly defining what we mean when we talk about the cloud.
Defining Cloud Options
Cloud solutions can be broken down into three categories: deployment models, delivery models, and service providers.
Deployment Models: Most people think only of private or public cloud environments, or perhaps hybrid models, but there is a fourth deployment model, the community cloud, which NIST SP 800-145 defines alongside the other three and which is seeing growing use.
Public: This is a publicly accessible cloud environment owned by a third-party cloud provider. In this deployment model, the cloud provider is responsible for the creation and ongoing maintenance of the public cloud and its IT resources, while the consumer is responsible for the implementation and security of virtual devices, applications, and data.
Private: In a private cloud model, the cloud infrastructure is provisioned for the exclusive use of a single organization, which may operate it itself or have a third party run it on its behalf. Private clouds enable an organization to use cloud computing technology to centralize access to IT resources, usually across a geographically distributed enterprise. Doing so requires a change in how organizational and trust boundaries are defined and applied, since internal business units now consume shared, self-service resources rather than dedicated systems.
Hybrid: This cloud model is built using two or more different cloud deployment models. For example, an organization may choose to process sensitive data in its private cloud while distributing other, less sensitive cloud services to a public cloud.
Community: A community cloud provides a cloud computing solution to a limited set of organizations with shared requirements (such as a regulatory regime or mission) and is governed, managed, and secured jointly by the participating organizations or by a third-party managed service provider on their behalf. AWS GovCloud, which is restricted to US government agencies and their contractors, is a good example of this.
Delivery Models: Organizations have a variety of options for how much of their services they want to implement, from simply adopting specific applications or services to a full-blown infrastructure.
IaaS: Infrastructure-as-a-Service provides a self-contained IT environment that includes infrastructure resources that can be accessed and managed using cloud-based interfaces. It can include hardware, network devices, connectivity tools, operating systems, and other “raw” IT resources. These virtualized IT resources enable real-time scaling and infrastructure customization. However, they are not pre-configured, which makes your IT team responsible for their configuration, management, and security.
PaaS: The Platform-as-a-Service delivery model provides a “ready-to-use” environment made up of pre-configured IT resources (runtimes, databases, message queues, and similar) that developers can use to write and run code. This relieves IT of the responsibility to set up and maintain the underlying infrastructure, but the trade-off is that the customer has less control over, and less visibility into, those underlying IT resources.
SaaS: Software-as-a-Service makes finished applications and services available to a broad range of cloud customers. The prime drivers for such services, such as Salesforce.com or Dropbox, are ease of use and the fact that the customer develops little or nothing beyond configuration and customizable interfaces adapted to its own organizational and business needs. SaaS is typically combined with dynamic scalability and ubiquitous access. However, a cloud consumer is generally granted very limited administrative control over a SaaS implementation, so its security levers are largely confined to identity, access, sharing settings, and the data it chooses to place in the service.
Service Providers: A variety of service providers are also available. Each includes its own native controls and a marketplace for buying technologies and services, either the provider's own or from third-party vendors, and different environments offer distinct advantages to customers, such as compatibility with existing infrastructure or alignment with business objectives.
Major Providers: The primary cloud providers include Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, Oracle Cloud, IBM Cloud, and Alibaba Cloud. The challenge for organizations using several of them is establishing consistent policies and controls across environments whose native controls differ. Security vendors whose products operate natively across all the major cloud platforms provide the most flexibility in terms of adoption and control.
Minor Providers: In addition to the major providers, a growing number of smaller cloud shops, regional telecom companies, and even partners (for community cloud environments) are joining the marketplace. They typically provide more flexibility in pricing and more personalized attention.
Multi-Cloud Environments Introduce New Risks
Eventually, most organizations will end up having deployed some combination of the cloud solutions described above. Adopting multi-cloud environments not only expands the attack surface and complicates the ability to deploy, manage, and orchestrate security with consistent visibility and control, but it also increases other cyber risks, including:
- Data breaches
- Insufficient identity, credentials and access management
- Insecure interfaces and APIs
- System vulnerabilities
- Account hijacking
- Increased opportunities for malicious insiders
- An increased footprint for Advanced Persistent Threats
- Data loss and insufficient due diligence due to an exponential increase in network complexity
- The hijacking and abuse of cloud services by cybercriminals.
Addressing these challenges, however, needs to be handled delicately. Performance cannot be sacrificed for security. Instead, organizations need to strike a balance between ubiquitous, on-demand cloud services and establishing consistent controls, policies, and processes. This requires looking for security solutions that help you move from a model where security inhibits business agility, to a model where security can be combined with cloud and automation to help business move faster and more securely.
Organizations not only need to deploy security solutions that function consistently across cloud ecosystems. They also need to push security into the infrastructure-as-code templates used to deploy workloads, so that the same controls are applied simultaneously in every cloud provider's environment, with the templates compensating for critical differences in native controls. This includes automating policy along the entire data path so security can adapt dynamically as workloads and information move within and between cloud environments. The cloud's programmable interfaces are what make this possible.
Rethinking Security for the Cloud
All of this requires a new approach to security. Legacy security solutions will need to be replaced with tools that function natively and consistently across any environment, whether physical or cloud. Solutions that operate natively in cloud environments must also be aware of cloud-based resources and able to consume native cloud services in order to keep up with the scale and dynamic nature of cloud workloads. Ultimately, organizations should also strive to decouple security policy from the underlying infrastructure: classify resources on each platform in whatever way is natural there (tags, labels, naming conventions), and write the multi-cloud security policy against those classifications rather than against provider-specific constructs, so that one policy statement governs the same class of data wherever it lives.
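The following is an added example, not code from the original article or from any vendor, of what "write the policy against the classification, not the provider" looks like in practice. A small inventory of storage resources from AWS, Azure and GCP is normalised into one model carrying a classification read from tags or labels, and a single policy is evaluated over that model. The inventory records are constructed and simplified; their field names follow the shape of each provider's API (S3 `PublicAccessBlockConfiguration` and `ServerSideEncryptionConfiguration`, Azure storage account `allowBlobPublicAccess` and `encryption.keySource`, GCS `iamConfiguration.publicAccessPrevention` and `encryption.defaultKmsKeyName`), but the collector that would fetch them, the normaliser functions and the policy rules are hypothetical.

```python
"""Define a storage policy once, apply it across AWS, Azure and GCP.

Added example, not from the original article or any vendor's product.
The inventory below is constructed; the normalisers and policy are
hypothetical illustrations of classification-driven, provider-agnostic policy.
"""
from dataclasses import dataclass
from typing import Optional

CLASS_TAG = "data-classification"           # assumed tag/label key used on every platform
SENSITIVE = {"confidential", "restricted"}  # classes that get the strictest rules

# --- constructed inventory, shaped like each provider's API output ---
AWS_BUCKETS = [
    {"Name": "payroll-exports",
     "Tags": [{"Key": CLASS_TAG, "Value": "confidential"}],
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
     "ServerSideEncryptionConfiguration": {"Rules": [
         {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    {"Name": "www-static",
     "Tags": [{"Key": CLASS_TAG, "Value": "public"}],
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                                        "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
     "ServerSideEncryptionConfiguration": {"Rules": [
         {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
]
AZURE_ACCOUNTS = [
    {"name": "hrarchive", "tags": {CLASS_TAG: "confidential"},
     "properties": {"allowBlobPublicAccess": False,
                    "encryption": {"keySource": "Microsoft.Keyvault"}}},
]
GCS_BUCKETS = [
    {"name": "analytics-raw", "labels": {},            # nobody labelled this bucket
     "iamConfiguration": {"publicAccessPrevention": "inherited"},
     "encryption": {}},
]


@dataclass
class StorageResource:
    """Provider-neutral view: the only thing the policy ever looks at."""
    provider: str
    resource_id: str
    classification: Optional[str]   # None when no tag/label was set
    public_allowed: bool            # True if any path to anonymous access is left open
    encryption: str                 # "provider-managed" or "customer-managed"


def from_aws(b: dict) -> StorageResource:
    pab = b["PublicAccessBlockConfiguration"]
    sse = b["ServerSideEncryptionConfiguration"]["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    cls = next((t["Value"] for t in b["Tags"] if t["Key"] == CLASS_TAG), None)
    return StorageResource("aws", f"s3://{b['Name']}", cls,
                           public_allowed=not all(pab.values()),   # all four blocks must be on
                           encryption="customer-managed" if sse["SSEAlgorithm"] == "aws:kms"
                           else "provider-managed")


def from_azure(a: dict) -> StorageResource:
    props = a["properties"]
    return StorageResource("azure", f"azure://{a['name']}", a["tags"].get(CLASS_TAG),
                           public_allowed=props["allowBlobPublicAccess"],
                           encryption="customer-managed"
                           if props["encryption"]["keySource"] == "Microsoft.Keyvault"
                           else "provider-managed")


def from_gcs(g: dict) -> StorageResource:
    return StorageResource("gcp", f"gs://{g['name']}", g["labels"].get(CLASS_TAG),
                           public_allowed=g["iamConfiguration"]["publicAccessPrevention"] != "enforced",
                           encryption="customer-managed"
                           if g["encryption"].get("defaultKmsKeyName") else "provider-managed")


def evaluate(res: StorageResource) -> list:
    """One policy for every provider, keyed on classification alone."""
    findings = []
    cls = res.classification
    if cls is None:
        findings.append("missing data-classification tag")
        cls = "confidential"          # fail closed: unlabelled data is treated as sensitive
    if cls in SENSITIVE:
        if res.public_allowed:
            findings.append("public access not blocked")
        if res.encryption != "customer-managed":
            findings.append("not encrypted with a customer-managed key")
    elif cls == "internal" and res.public_allowed:
        findings.append("public access not blocked")
    return findings                   # empty list means compliant


def run_policy() -> dict:
    """Normalise the constructed inventory and return {resource_id: findings}."""
    resources = ([from_aws(b) for b in AWS_BUCKETS] +
                 [from_azure(a) for a in AZURE_ACCOUNTS] +
                 [from_gcs(g) for g in GCS_BUCKETS])
    return {r.resource_id: evaluate(r) for r in resources}


if __name__ == "__main__":
    for rid, findings in run_policy().items():
        print(rid, "OK" if not findings else "; ".join(findings))
```

Note where the provider-specific knowledge lives: only in the three `from_*` normalisers. The rule "confidential data is never public and always uses a customer-managed key" is written once, and the unlabelled GCS bucket is caught by the classification gap itself rather than slipping through, which is the point of making the classification tag the handle that policy refers to.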
The more security solutions natively integrate with cloud based services, the more secure the enterprise. By leveraging the threat feeds and native security capabilities of all clouds, and integrating these into the multi-cloud security framework, organizations can turn the risk multiplication effect into a security multiplication effect. Layering the ability to automate security operations on top of the native integration and threat intelligence integration aspects allows organizations to automatically coordinate a threat response that includes isolating infected devices, identifying and shutting down malware, and extending protections across the entire multi-cloud environment, thereby significantly mitigating risk and confidently deploying applications anywhere that makes the most business sense.
Read more about how Fortinet secures multi-cloud environments with our Security Fabric.
Read “What to Seek in a Security Architecture to Address Multi-Cloud Challenges” for more on this topic.