February 25, 2021
A Security Plan for Multicloud Environments
Getting started with managing policies and practices of multiple cloud providers.
It can be frustrating when you ask if an IT system is safe, and your expert resource responds, “It depends,” followed by a quip that the only secure system is one that’s powered off. Not so helpful.
Most IT teams are proficient in working with one cloud service provider (CSP) or on one facet of cloud computing, but increasingly, they are being asked to manage multiple cloud environments. The shift is substantial, especially because when it comes to security, the devil is in the details.
We know that risks are involved with multicloud Infrastructure as a Service implementations. It’s critical to know what they are and how to manage them. Let’s start by examining how we got here, and why there’s no turning back now.
Multicloud Is the New Reality
Business needs often outweigh certain risks. For example, when one organization acquires another, it may be too costly to migrate all systems from both entities to the same CSP. It’s also common for teams to use different CSPs, choosing the one that best meets certain requirements. In other cases, organizational divisions have contracts that require a specific CSP (for example, GovCloud consumers).
We also shouldn’t overlook a common problem that we’ve all had to support: shadow IT, which may be deemed necessary to circumvent the limitations of enterprise IT.
If your organization is in a position to pledge allegiance to only one CSP, you can sidestep some integration and security pitfalls, such as navigating multiple approaches to data security and access control. However, it’s probably inevitable that your organization will at some point have to develop a multicloud environment.
Fortunately, the major CSPs have embraced well-designed frameworks. While they may agree on the tenets of cloud security, each one implements them differently. There’s already a steep learning curve to securing an environment that involves one CSP, and it’s challenging to enforce a unified security policy across two or more — especially if you must stitch together trust relationships among different CSPs, which can be an identity and access management nightmare.
Another important factor is how to secure application programming interfaces — the pathways that communicate instructions between applications — across CSPs. It’s a new frontier for enterprising cybercriminals.
Centralize Your Cloud Security
Now that IT professionals must become as fluent in Microsoft Azure and Google Cloud Platform as they are in Amazon Web Services, they need a common language for security that will guide how they secure a multicloud environment. Governance, risk and compliance (GRC) will help you enforce best practices while adhering to security frameworks (such as guidance from the National Institute of Standards and Technology) and meeting compliance mandates such as the European Union’s General Data Protection Regulation or HIPAA. GRC and a security framework are powerful tools for making sense of a complex multicloud world.
Gathering all stakeholders and getting their buy-in on corralling these systems to one standard is the sanest way to move forward, because it is the first step toward centralized security.
Agreeing on a framework and a standard measure of compliance is an accomplishment. But putting that policy into action requires tools, and the built-in tools provided by each CSP will only get you so far. You need visibility across all cloud environments.
Fortunately, there are some excellent cloud security posture management (CSPM) tools that use common rule sets based on the language of predominant security frameworks. These can help IT teams uncover misconfigurations and poor access controls, the most common cloud vulnerabilities exploited by cybercriminals.
To help organizations determine which CSPM is the best fit, CDW offers a complimentary assessment that lets you test-drive a CSPM with read-only access to your cloud’s configurations and policies. Without exposing your data, we can see your configurations and help you prioritize high-risk issues that you may not be aware of.
The essential attributes of the cloud — its dynamic nature and ongoing innovation — provide powerful incentives for organizations to embrace it. IT leaders must take steps to ensure these same qualities don’t lead to unnecessary risk.