Achieving Cloud Security Through Gray Skies
Nearly a year ago, Judith Hurwitz, president and CEO of Hurwitz & Associates, made a cloud security prediction.
“Things will only get more challenging as businesses continue to move to multi-cloud environments,” said Hurwitz. “Businesses need the ability to manage a collection of different cloud-based services as a single unified environment.”
Despite the tentative position many companies took about transitioning applications, most organizations have gotten on board with embracing cloud computing — and what many are discovering is that they need more than one cloud.
“To further complicate this situation, many organizations faced with deciding where best to run their applications and store their data are now debating whether to work with a single CSP [cloud service provider] or to spread their workloads across multiple clouds,” said Peter Galvin, vice president of strategy at Thales eSecurity, to SC Media UK. “It’s not uncommon, for example, for medium and large enterprises to run SaaS [software-as-a-service], PaaS [platform-as-a-service] and IaaS [infrastructure-as-a-service] with different providers, in parallel with their own on-premise systems.”
As CSO pointed out, these hybrid and multi-cloud environments are often rife with risk, particularly because of poor visibility and lack of coordination.
The Roots of Compromised Records
Of all the compromised records tracked by X-Force in 2017, more than 2 billion were exposed because of misconfigured cloud servers, network-based backup incidents or other improperly configured systems. Many organizations lack a centralized view of all workloads across all of their environments — so it’s a challenge to manage and enforce security policies effectively.
Visibility is compromised when data is moved over to the cloud at a rapid pace. The increased workload creates a growing amount of unmanaged information security risk.
According to a 2017 report from RightScale, the percentage of enterprises that have to use multiple clouds grew to a large majority (85 percent). The report also reflects an increase in the number of enterprises planning for multiple public clouds (up from 16 percent to 20 percent). All signs indicate that skies are getting cloudier — which makes multi-cloud management seem hazier.
It’s no surprise that 39 percent of those who participated in the 2017 Fugue survey, State of Cloud Infrastructure Operations, reported that security compliance slows them down. Trying to implement a comprehensive management platform manually is complicated by the many components of on-premises systems, public cloud services, data services, software services, security components, networks and other connected devices.
Another security risk comes from fickle application programming interfaces (APIs), said Robin Schmitt, general manager at APAC at Neustar, in DatacenterDynamics. “Exposed APIs can leave enterprises vulnerable to breaches as they open the floodgate to DoS [denial-of-service]/DDoS [distributed denial-of-service] attacks. Consequently, poor management of multiple API networks on multiple clouds exponentially increases the risk of cyberattacks for businesses.”
Let the Next Generation Shine
Security is the top challenge related to managing multi-cloud environments. IBM and IDG research showed that the majority of organizations (77 percent) now view security through a different lens. A management platform that incorporates cognitive computing creates a framework that continues to learn and change as the overall environment evolves.
“Organisations operating in a multi-cloud environment will derive the most benefit from a consistent, integrated solution that will offer comprehensive data security along with the ability to effectively manage encryption keys across a range of diverse environments,” said Galvin.
They demand a multi-layered approach, which can very easily start to consume and constrain in-house IT resources. “Current policies that specify using a particular encryption technology or network security technology won’t fly” in a decentralized, multi-cloud environment said Nataraj Nagaratnam, engineer, CTO and director of Cloud Security at IBM.
Fortunately, technology innovators continue to develop tools to help customers meet the security challenges in multi-cloud. One example is the IBM Cloud Private platform, according to ZDNet, which includes the Cloud Automation Manager that scans applications and helps deploy them either on-premises or in a cloud.
One last key consideration when trying to determine the right security solutions for your multi-cloud environment is interoperability. Software-defined networks — along with multi-cloud data encryption and other next-generation technologies that defend across platforms — are layers that you can add on when designing a multi-cloud security strategy. Also, a cloud integration platform provides a single control point for several different technologies, including API management and secure gateway.
A business can certainly benefit from sharing security responsibility via a multiple-cloud-vendor relationship. However, it is critical you carefully evaluate third-party vendors. Everyone wants their tech to be agile and user-friendly — but no one will be able to get anything accomplished if your security is compromised.