Securing hybrid IT environments spread across multiple clouds can be complex and challenging. But get it right and your organization will be more robust than ever. Fujitsu’s technical lead for multi-cloud security, John Wilson, describes how.
Hybrid IT and multi-vendor cloud have now become the norm for a growing majority of organizations. And their experience, in most cases, contradicts many early warnings about the security of cloud environments.
Recent research conducted for Fujitsu by analyst group Pierre Audoin Consultants (PAC) found that seven out of 10 organizations operating a mix of on-premise and cloud systems believe their current hybrid environment is actually more secure than the exclusively in-house systems they ran previously. Indeed, most see improved security as a key driver for increasing their use of cloud services.
Of course, early caution was not without justification — until recently, many cloud service providers didn’t have the kind of controls or guarantees of security and compliance that large organizations expect. But the obstacles to cloud adoption have fallen away, says John Wilson, technical lead on multi-cloud security at Fujitsu.
“Even five years ago, security was a huge barrier to cloud. Cloud vendors listened to customers’ concerns, invested heavily in security expertise and, as a result, can now justifiably show certification and independent accreditation, assuring organizations of the security of their infrastructures.”

Of course, the challenge is not just about delivering an application or data from a single cloud service. It is also about integrating an array of clouds seamlessly and orchestrating the delivery of business services from a heterogeneous set of clouds — securely and without users perceiving they are drawing on a network of services.

Indeed, Wilson thinks one reason that some organizations still cite security as a barrier to cloud adoption may not be down to any residual belief in cloud as inherently insecure, but rather a recognition that multi-cloud requires a different set of security skills — not one that many organizations yet possess.

“There’s a huge deficit in skills for cloud security. Fortunately, that maturity gap can be closed, which is where the help of an experienced systems integrator is often invaluable,” he says.

Another international survey by Fujitsu, ‘The state of orchestration 2018/19,’ found that two-thirds of organizations now have a cloud-first policy. But as the number of cloud vendors they use has grown to an average of nine, more than half (54%) say their cloud estate is now too complex to properly manage or audit.

Given that, how does an IT team ensure multi-cloud delivers not just secure multi-vendor cloud environments but enhanced overall security?

As organizations move to hybrid environments, they find they have to approach security in a fundamentally different way, on both a strategic and a practical level. As Wilson outlines: “Their boundary now extends well beyond the data center. Data is stored in multiple locations — in public clouds, SaaS platforms, private clouds and on premise, and that has greatly expanded the threat landscape. All large cloud users have had to face this complexity, which fundamentally changes their strategic security considerations and the controls they put in place.”

When they use cloud providers, security essentially becomes a shared responsibility. He explains: “Protecting the cloud infrastructure is incumbent on the cloud provider, but it’s an organization’s responsibility to protect any data it puts into the cloud. So ultimately it’s down to cloud users to carry out due diligence when selecting providers in order to ensure they meet their security and regulatory requirements.

“Because of the broader threat and the organization’s duty to protect its data, the emphasis in a multi-cloud environment shifts from securing the perimeter of the network to securing data wherever it is, at rest or on the move. In a multi-cloud environment, you need to fully understand your data flows and protect them according to their sensitivity,” says Wilson.

At a strategic level, multi-cloud security involves a far sharper focus on risk management. “Organizations using cloud need to understand the risks they face, whether they accept those or try to mitigate them,” says Wilson.

In many cases, organizations also need to actively police their cloud providers’ adherence to the broad-based and industry-specific regulations that are already applied internally, such as GDPR, PCI-DSS, HIPAA and Sarbanes-Oxley. “The good news is leading cloud providers now provide independent attestation for most, if not all, of those,” says Wilson.

From policy to implementation

Because of the change in emphasis from protecting the perimeter to protecting data, traditional security solutions may not be up to the new task in hand. To securely manage multi-cloud environments, organizations need a different set of tools, argues Andras Cser, a principal analyst covering security and risk at Forrester Research — tools such as cloud console and configuration monitors, and identity data integration and access managers.

“Many organizations are trying to use old-school, on-premise security tooling,” says Cser. “But when a company embraces cloud-specific tools, security actually improves for cloud workloads compared to on-premise workloads.”

All the major cloud providers are aggressively launching more sophisticated solutions, but Wilson warns that adopting a specific set of vendor security controls is not always the best approach. “Organizations need to be aware that cloud providers will actively push their native controls with a view to tying a customer into their cloud environment and charging them for access to those controls. Sometimes that might be the most economical solution, but in a multi-cloud world it’s often better to use central controls to ensure security policies can be consistently applied across the estate.”
A prime example of that relates to an organization’s critical need to protect its data. “All the cloud providers offer encryption services using key managers native to their platform,” Wilson says. “To move a workload from AWS to Azure, for instance, you’d have to decrypt it, move it, then re-encrypt it, which also means the data is unprotected during the transition.
“In that case, organizations would be better off using a third-party security provider of centralized key management. This would let them shift workloads between clouds without having to decrypt them. Organizations need to be aware of such issues so they know when to use native controls and when to use centralized, cloud-agnostic solutions. Otherwise they could end up creating cloud silos, which increase the complexity of security management and possibly result in the inconsistent application of security controls.”

Tackling challenges, keeping control
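The centralized key-management approach Wilson describes rests on envelope encryption, the pattern most key managers use: each object is encrypted under its own data key (DEK), and only that DEK is wrapped by a key-encryption key (KEK) held outside any one cloud. The Go program below is an added example written for this article, not Fujitsu's, Forrester's or any vendor's code. Its CentralKMS type is a stand-in for a real cloud-agnostic key manager, and the sample workload data is constructed. It shows why the decrypt/move/re-encrypt round trip disappears: rotating the KEK or re-homing the object re-wraps 32 bytes of key material while the data ciphertext stays byte-identical, and AES-GCM authentication turns a tampered copy into an error rather than silent garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is the stored form of a protected object: the data ciphertext plus its
// data key (DEK) wrapped under a key-encryption key (KEK) held by a central,
// provider-independent key manager. Copying the object to another cloud copies
// this struct byte-for-byte; nothing is decrypted on the way.
type Envelope struct {
	KEKVersion int    // which central KEK wraps the DEK
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, data), nonce prepended
}

// CentralKMS stands in for a cloud-agnostic key manager (an assumption of this
// example, not a real product). Old KEKs are kept so objects wrapped under them
// stay readable until they are re-wrapped; the slice index is the KEK version.
type CentralKMS struct{ keks [][]byte }

// Rotate creates a fresh 256-bit KEK and makes it the current version.
func (k *CentralKMS) Rotate() int {
	k.keks = append(k.keks, randomBytes(32))
	return len(k.keks) - 1
}

// Encrypt uses a one-off DEK for the data and wraps it under the current KEK;
// the plaintext DEK is gone when this function returns.
func (k *CentralKMS) Encrypt(plaintext []byte) Envelope {
	cur := len(k.keks) - 1
	dek := randomBytes(32)
	return Envelope{KEKVersion: cur, WrappedDEK: seal(k.keks[cur], dek), Ciphertext: seal(dek, plaintext)}
}

// Decrypt unwraps the DEK under its recorded KEK version, then opens the data.
func (k *CentralKMS) Decrypt(env Envelope) ([]byte, error) {
	dek, err := k.unwrap(env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

// Rewrap re-homes an object onto the current KEK. Only the 32-byte DEK is
// unwrapped and re-wrapped; the data ciphertext is returned untouched.
func (k *CentralKMS) Rewrap(env Envelope) (Envelope, error) {
	dek, err := k.unwrap(env)
	if err != nil {
		return Envelope{}, err
	}
	cur := len(k.keks) - 1
	return Envelope{KEKVersion: cur, WrappedDEK: seal(k.keks[cur], dek), Ciphertext: env.Ciphertext}, nil
}

func (k *CentralKMS) unwrap(env Envelope) ([]byte, error) {
	if env.KEKVersion < 0 || env.KEKVersion >= len(k.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", env.KEKVersion)
	}
	return open(k.keks[env.KEKVersion], env.WrappedDEK)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to work around
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this program is 32 bytes, so this cannot fail
	}
	gcm, _ := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	return gcm
}

// seal is AES-GCM with a fresh random nonce prepended to the ciphertext.
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a truncated or tampered blob comes back as an error.
func open(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob shorter than a nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	var kms CentralKMS
	kms.Rotate()
	env := kms.Encrypt([]byte("constructed sample workload data")) // constructed, not real data
	kms.Rotate()                // central KEK rotated
	moved, _ := kms.Rewrap(env) // re-homed without touching the data ciphertext
	pt, err := kms.Decrypt(moved)
	fmt.Printf("%s %v\n", pt, err)
}
```

The design choice that matters is that the KEK never enters either cloud: the object that lands in AWS, Azure or anywhere else is always ciphertext plus a wrapped key, so a copy between providers is just a copy. Retaining old KEK versions keeps older objects readable during a rotation, and the version check in unwrap is what turns an object wrapped by a key the manager has never seen into a clean error rather than a failed GCM tag.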
Another big challenge is protecting data flows between clouds. “Previously, organizations would encrypt data outside the perimeter, but inside their trusted networks it could travel unencrypted. That hard exterior/soft interior model no longer works, because once your environment has been breached, hackers can move laterally inside your network. Experts can help you understand your data flows and control lateral flows within your environment by using technologies such as micro-segmentation and zero-trust networks,” says Wilson.
But experts are thin on the ground. “There just aren’t enough security analysts to deal with the deluge of challenges,” says Wilson. Fortunately, technology is on hand to help. “A lot can be done to automate the management and response to security events using so-called Security Orchestration, Automation and Response (SOAR) tooling.”
But steps towards automation should not lead to complacency — nor have CISOs looking for a new career. Security in a multi-cloud environment still needs close human oversight, says Wilson. After all, “hackers’ next target may well be your automation capability itself.”