Multi Cloud Security
“Computing may someday be organized as a public utility just as the telephone system is a public utility”- Prof. John McCarthy at MIT’s centennial celebration in 1961.
The idea of cloud computing isn't new; it simply took several decades to become a commercial phenomenon. Today, cloud is an integral part of enterprise business strategy. Research firm Gartner predicts that 85% of organizations will embrace a cloud-first principle by 2025 and estimates that over 95% of new digital workloads will be deployed on cloud-native platforms, up from 30% in 2021.
Organizations often start their cloud journey with either a private cloud or a single public cloud platform. As adoption increases, they recognize the need for multiple cloud vendors and move towards a multi-cloud model. In the Cloud Security Alliance's (CSA) recent research study, Cloud Security and Technology Maturity Survey, 61% of the organizations surveyed indicated that they use either a hybrid cloud model (36%) or a combination of hybrid and multi-cloud (25%). Organizations cited several key reasons for adopting multi-cloud, such as to:
- Leverage best-in-class features from various Cloud Service Providers (CSPs) (29%)
- Avoid vendor lock-in (21%)
- Reduce cloud concentration risk (16%)
Multi-cloud approaches bring several benefits, but they also bring challenges that must be addressed before those benefits can be realized.
Misconfigurations and improper security settings
As per the study, 51% of respondents identified cloud misconfiguration and improper security settings as a key concern. A single misconfiguration can expose the cloud setup to attack, so it is imperative to keep a tight grip on configurations across the whole cloud estate. A few ways to control cloud configurations and ensure security are:
- Create cloud policies, standards and security baseline: Before even embarking on the cloud journey, establish policies and standards specific to cloud environments. Baseline security configurations need to be established for every cloud platform the organization is intending to use. Ensure that these baselines are enforceable via an automated process to help reduce manual intervention, thereby reducing risk.
- Establish Visibility Across Your Cloud Estate: When the organization has a mix of hybrid and multi-cloud models, unified visibility across all infrastructure, on-premises and cloud alike, becomes a challenge. Under the shared responsibility security model, make sure that you know exactly which controls are your organization's responsibility. Establish tooling that gives the appropriate level of visibility across the multi-cloud estate.
- Implement Automated Tooling to detect misconfigurations and auto-remediate them via Cloud Security Posture Management (CSPM). Automation in this area is key, as a human-based approach is error-prone and does not scale.
- Drive a Secure CI/CD Pipeline: Automation is a must-have for cloud deployments, not only for ease of deployment but also for embedding security directly into the build stage. Application teams should not have direct access to cloud assets for deployments; everything should flow through the secure CI/CD pipeline, and everything that enters the pipeline should be security-scanned before it is released into production.
Bridging Identities Across all Environments
Setting up an Identity and Access Management (IAM) solution for on-premises assets is not an easy task in itself; hybrid and multi-cloud IAM setups pose even greater challenges. From a governance and access policy management point of view, a single IAM platform is typically ideal. The challenge is bringing the identities of all cloud platforms into that overarching platform. As per the CSA study, the most common methods for managing identities in multi-cloud environments are the following:
- Single Sign-on and Federation (81%)
- Legacy Solutions (60%)
- Centrally Managed Identities (56%)
While there are new methods such as Adaptive Access Management, privacy enabling data subject rights management and Dynamic User Recertification, they are still early in their use.
All systems including cloud services need privileged accounts. Some examples are administrative accounts used by cloud engineers, service reliability engineers or the ones having access to DevOps pipelines. These types of accounts require organizations to have a means of properly governing their access. These privileged accounts need to be vaulted and passwords need to be rotated at set intervals to ensure proper security. Additionally, along with all other accounts, these accounts also require the use of MFA (Multi-Factor Authentication), better securing the organization as a whole.
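Two of the controls above, the enforceable security baseline with automated misconfiguration detection and a pipeline gate from the misconfiguration section, and the MFA and credential-rotation requirements for privileged accounts from this section, are easiest to understand as one piece of code. The following is an added example, not part of the original post and not the CSA's or any CSP's tooling. It normalizes constructed inventory records from two fictional providers (the provider field names, the account records, the 90-day rotation interval and the fixed clock are all assumptions) into a common schema, evaluates them against a small baseline, and returns the findings a CSPM-style tool would act on and a CI/CD gate would block on.

```python
"""Multi-cloud baseline evaluation (constructed example, not real provider data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
MAX_CREDENTIAL_AGE = timedelta(days=90)           # assumed rotation interval from the baseline


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str  # "high" or "medium"


# Constructed inventory in two provider-specific shapes. Field names are
# assumptions chosen to show why normalization is needed, not a real API.
PROVIDER_A_BUCKETS = [
    {"Name": "a-public-assets", "PublicAccessBlock": False, "Encryption": None},
    {"Name": "a-billing", "PublicAccessBlock": True, "Encryption": "AES256"},
]
PROVIDER_B_BUCKETS = [
    {"name": "b-logs", "iamConfiguration": {"publicAccessPrevention": "enforced"},
     "encryption": {"kmsKey": "projects/x/keys/k1"}},
    {"name": "b-scratch", "iamConfiguration": {"publicAccessPrevention": "inherited"},
     "encryption": {}},
]
PRIVILEGED_ACCOUNTS = [  # constructed admin / deployer / on-call identities
    {"provider": "A", "user": "cloud-admin", "mfa": True, "key_created": "2023-01-15"},
    {"provider": "B", "user": "pipeline-deployer", "mfa": False, "key_created": "2022-10-01"},
    {"provider": "A", "user": "sre-oncall", "mfa": True, "key_created": "2022-11-20"},
]


def normalize_a(bucket):
    """Provider A exposes a public-access block flag and an encryption algorithm."""
    return {"id": f"A:{bucket['Name']}",
            "public": not bucket["PublicAccessBlock"],
            "encrypted": bucket["Encryption"] is not None}


def normalize_b(bucket):
    """Provider B expresses the same facts with nested, differently named fields."""
    return {"id": f"B:{bucket['name']}",
            "public": bucket["iamConfiguration"]["publicAccessPrevention"] != "enforced",
            "encrypted": bool(bucket["encryption"].get("kmsKey"))}


def evaluate_storage(buckets):
    """Baseline rules for storage, applied to the normalized schema only."""
    findings = []
    for b in buckets:
        if b["public"]:
            findings.append(Finding(b["id"], "storage.no-public-access", "high"))
        if not b["encrypted"]:
            findings.append(Finding(b["id"], "storage.encryption-at-rest", "medium"))
    return findings


def evaluate_privileged(accounts, now=NOW):
    """Privileged accounts must have MFA and credentials younger than the rotation interval."""
    findings = []
    for a in accounts:
        rid = f"{a['provider']}:{a['user']}"
        if not a["mfa"]:
            findings.append(Finding(rid, "iam.privileged-mfa", "high"))
        created = datetime.strptime(a["key_created"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if now - created > MAX_CREDENTIAL_AGE:
            findings.append(Finding(rid, "iam.credential-rotation", "high"))
    return findings


def run_baseline():
    """Normalize both providers into one list and evaluate every rule."""
    buckets = [normalize_a(b) for b in PROVIDER_A_BUCKETS] + \
              [normalize_b(b) for b in PROVIDER_B_BUCKETS]
    return evaluate_storage(buckets) + evaluate_privileged(PRIVILEGED_ACCOUNTS)


def pipeline_gate(findings):
    """True when a deployment may proceed: no high-severity finding is open."""
    return not any(f.severity == "high" for f in findings)


def remediation_plan(findings):
    """Map each finding to the automated action a CSPM-style tool would take (assumed)."""
    actions = {
        "storage.no-public-access": "enable public access block",
        "storage.encryption-at-rest": "enable default encryption",
        "iam.privileged-mfa": "disable access until MFA is enrolled",
        "iam.credential-rotation": "rotate credential and update the vault entry",
    }
    return [(f.resource, actions[f.rule]) for f in findings]


if __name__ == "__main__":
    results = run_baseline()
    for resource, action in remediation_plan(results):
        print(f"{resource}: {action}")
    print("deploy allowed:", pipeline_gate(results))
```

The point of the two `normalize_*` functions is that the rules are written once against the common schema; adding a third provider means adding one normalizer, not a second copy of the baseline. Medium-severity findings are reported and queued for remediation but do not stop the pipeline, so the gate only blocks on the conditions the baseline treats as high.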
Data and Cloud Governance
Managing data from multiple platforms becomes a daunting exercise in a multi-cloud environment. One aspect is regulatory compliance, while the other could be the sheer sensitivity of the information. In any case, stronger governance of data is a must. Organizations need to have a framework that classifies information aligned with the business needs and based on the sensitivity of the information.
Each Cloud Service Provider has offerings in this area.
As the organization expands its cloud usage, it is advisable to implement a Cloud Access Security Broker (CASB) to enforce policies around data security and compliance and to manage allowed services in an automated manner. CASBs are generally available both on-premises and as a Security-as-a-Service offering. Additionally, as organizations continue to shift to a multi-cloud model, it is critical to leverage data security solutions that protect their data regardless of which Cloud Service Provider hosts it. This keeps the organization's data protection model consistent while reducing the cost and complexity of re-designing and implementing specific tooling for each cloud environment.
Embarking on a cloud journey is exciting. While the cloud model was expected to bring financial savings in the form of economies of scale, the benefits go well beyond that; the sheer pace at which it enables innovation is even more exciting, and multi-cloud models expand this further. Yet all it takes is one piece of bad code or one misconfiguration to turn this story into a horror show, potentially costing an organization millions. Many argue that cloud platforms have inherent security controls and ask why they should bother; the answer is that cloud security is shared security. It is time for organizations to take multi-cloud security seriously so that they can protect themselves while enjoying the benefits of the cloud era.
Get access to the CSA global research report “Cloud Security and Technology Maturity Evolution.” The report is sponsored by CyberRes, a Micro Focus line of business, in association with the CSA Bangalore Chapter.
Join us in the upcoming CSA CloudBytes webinar that covers diverse opinions of Chief Information Security Officers (CISO), Chief Privacy Officers (CPO), Security Strategists, and Solution Integrators around the technology evolution in the areas of cloud security and privacy.