Managing Cloud Security in a Multicloud Environment (Part 1)

Written by Sandeep Shilawat, Cloud and IT Modernization Strategist, ManTech.

Originally published by Forbes.

Cloud computing has become mainstream. The challenge for companies is how best to manage operations and security in a multicloud environment.

Most large enterprises now use anywhere from three to five cloud vendors to assist with IaaS, PaaS, SaaS or their variants. And yet only about 20% to 30% of the world’s production workloads are running in the cloud, many of which are not mission-critical. The cloud computing market is primed for significant expansion over the next few years. While this expansion will lead to groundbreaking business innovations, it will also increase security threats.

The State Of Cloud Security

The growing complexity of cloud operations may have increased the attack surface. An enterprise’s risk posture is directly affected by its chosen cloud adoption model (CAM) — whether it be a single cloud, multicloud or hybrid cloud. Each CAM has different security ramifications, which leads to different risk postures.

The recent rise in security breaches in cloud environments makes a discussion of effective security models paramount.

The Uneven Handshake — Cloud’s Shared Security Model

Cloud service providers (CSPs) use a shared security model to segregate security responsibilities between customers and themselves. Researchers at Forrester refer to this security model as “the uneven handshake.” This model mandates consumers share responsibility for cybersecurity with their cloud service providers.

Per Gartner, “Through 2022, at least 95% of cloud security failures will be the customer’s fault.”

This assessment has proven to be fairly accurate, as to date, nearly all cyber failures in the cloud have proven to be the fault of the customer.

The shared responsibility model has not been standardized and may lead to different conclusions based on different services in question. This model assumes that customers are well versed with all the services and security features of a given cloud infrastructure, even as these services evolve on a daily basis.

Global regulators are advancing the cloud dialog, but it hasn't been very helpful. Regulations like GDPR put the responsibility for data security on the “data controller.” Recent judgments have concluded that CSPs are the “data processors.” Furthermore, the data controllers must ensure appropriate controls are implemented for compliance. This puts the security responsibility squarely on the users’ shoulders. As data owners, users are responsible for monitoring architecture of their CSP.

Under the shared security model, the segregation of data ownership may make or break FedRAMP authorization for CSPs with worldwide access.

FedRAMP, on the other hand, provides direct interpretation of technology controls for various services. This enables customers to pick the cloud services of their choice, and the responsibility of obtaining authorization to operate stays with the customers. Program managers and the chief information security officer must ensure all controls are met since the burden of proof remains with the customer.

To put this in context, CSPs release thousands of changes and security features every year. It is almost impossible for a single customer to keep track of all of them. Clearly, the shared security model is designed to work better for the CSP than for its customers.

The CSP As Cloud Security Provider

Cloud services promise elasticity, availability and resiliency by design.

To deliver this, major cloud vendors have built extensive infrastructures, and some have invested billions of dollars. Achieving these features requires special networking arrangements among vastly distributed data center facilities and agreements with various telecom providers. This intellectual property and the related arrangements make CSPs unique.

Every CSP, therefore, has an opaque infrastructure ecosystem by design. Intrusive activities tend to break the trust of hyper-scale CSPs. Activities like Layer-2 network access, network scans and simulating malware attacks are discouraged.

CSPs have a lot of security expertise and spend billions on ensuring their cloud infrastructure remains opaque to customers and stays secure. CSPs rightfully argue that they are best suited to protect their infrastructure, often via vendor-native security.

However, these security arguments become more complex in hybrid or multicloud models with open-source applications.

Due to the complex nature of the cloud ecosystem, is it wise to depend on one CSP to act as the sole cloud security provider in a multicloud environment? How should customers balance potential conflicts of interest in a multicloud model?

The cloud security ecosystem so far lags behind that of the CSPs because security companies cannot protect that to which they don’t have full access. While security companies have formed road map partnerships with CSPs, there is a natural tension with CSPs themselves competing in that space.

As cloud markets mature, major third-party security providers may be better suited to provide multicloud security than the CSPs themselves.

Cloud Security Complexity

The Cloud Security Alliance recently released a report (registration required) on “Cloud Security Complexity.” The CSA’s key findings included that organizations jumping into cloud computing may lack full visibility into their cloud resources, may not understand cloud computing complexity, may lack security expertise and are generally very concerned about compliance.

These findings make clear that complexity of the cloud ecosystem can lead customers to have a misplaced sense of risk and compliance regarding their cloud systems.

This lack of proper understanding could have disproportionate responses, including full cloud repatriation — a return to on-premise computing.

The Zero Trust Solution

Given the aforementioned challenges with network transparency, customers could significantly improve cloud security posture by adopting a zero trust model.

Under zero trust, organizations adopt a principle of “least privilege,” whereby every user is presumed to be a stranger, and access is granted on a need-to-know basis. Zero trust can be implemented with secure gateways, a micro-segmentation of networks and identity proxies to grant only authorized users access to data, even within the organization itself.

By establishing micro-perimeters and communities of trust within an organization, cloud customers can achieve both a stronger safety net from breaches, regardless of their origins, and increased protection against insider threats.

In part two of this series, we will discuss the most common types of cloud security issues and potential paths to prevent or mitigate them.