The key to securing cloud environments is understanding that they are not the same as data center operations and that everything you see and manage is virtual. Cloud operations are managed primarily by APIs, dynamic and often serverless. In many cases, they are application-centric rather than infrastructure-centric, and they might be managed via code directly by DevOps or site reliability engineers. As IT teams accelerate cloud operations, cyber-criminals have also evolved their attack techniques to target vulnerabilities.
Public cloud environments are highly dynamic with auto-scale groups and the ability to define, manage and change infrastructure and applications programmatically. According to Gartner, 99% of cloud security failures will be the customer’s own fault. Thus, to understand the behavior of your environment, you must be able to monitor changes and scan code in an automated fashion. In addition, network diagrams are becoming increasingly obsolete. The real definition of how the network is intended to look and behave can be found within code. This has significant implications for how security professionals document, support and maintain audit readiness.
Finally, cloud-native applications take advantage of containers for compute, function-as-a-service and the hundreds of services that public cloud providers make available, and therefore never require a single server. Historically, security professionals have managed and monitored security with server and network-based technologies. In their absence, an alternative is required.
Given those dynamics, here are five steps organizations can take to simplify multi-cloud security:
- Utilize Cloud-Native Security Tools – Each provider has a suite of purpose-built security tools for analyzing security configuration, monitoring misconfigurations and compliance, protecting workloads and identifying events. In AWS this includes AWS Security Hub, Amazon GuardDuty and Amazon Macie. In Azure, it includes Security Center and Azure Defender. These tools are a great place to start to understand the security of your cloud infrastructure. Some providers also have integrated SIEM technology, such as Azure Sentinel and Google Chronicle, which extend the ability to maintain and correlate logs from both the cloud and data centers.
- Take Advantage of Automation – Automation is the key to good security hygiene in the cloud. Secure your VMs by building security configurations and applying them via terraform templates or other scripting mechanisms. If you choose not to use a scripting mechanism, build your VMs into base images. Automated scanning tools can also identify configuration or component library vulnerabilities. Next, build automation to respond to events from cloud-native security tools. Automated tools can be built into DevOps CI/CD pipelines to scan for code vulnerabilities and insecure third-party software components.
Automation can also be used to identify and respond to potential issues. If your servers are immutable (meaning they are never changed manually and never logged into) and someone or something attempts to log into them, it’s a security event, which automation can help respond to. You can also use cloud-native scaling and resiliency to your advantage by automatically snapshotting suspicious workloads within a container, server, or application for later analysis while also taking them offline, then spinning up a new, clean instance. No longer do you need to let a potential adversary do their thing while you investigate, significantly reducing your time to contain and respond.
- Make Identity Your New Perimeter – while virtual networking allows you to apply micro-segmentation and limit network traffic, the dynamic nature of the cloud means that identity has become the critical access enforcement mechanism and perimeter. This means utilizing strong authentication for administrators, developers, or anyone accessing your accounts. It also means utilizing certificates, SAML, and appropriate API authentication mechanisms to secure infrastructure and applications.
- Augment with Third-Party Tools – Some providers can help manage security across multiple clouds. Still, there are instances where layering a third-party tool to standardize security management across multiple cloud providers may make sense. For example, while cloud-native tools provide security and compliance configuration checks, a Cloud Security Posture Management (CSPM) tool enables you to apply policy and monitor compliance across multiple cloud providers from a single point. Further, you may want to standardize your edge security, including WAF, DDoS protection, and bot management within a single provider as you place application workload across multiple clouds.
- Monitor at Scale – Traditional security monitoring assumes that you have fixed IP addresses and that behavior is relatively predictable. But cloud security monitoring requires being able to monitor virtual, dynamic environments and identify breaches. This means a tremendous amount of security telemetry that you must consume and correlate. In many cases, this may take specialized tools and skillsets, and in all cases, it requires a significant amount of computing power, storage and monitoring tools.
As businesses working with multiple security providers and partners continue to face a growing execution and operations management gap, they must evolve security operations to break free of traditional reactive approaches to security. A multi-cloud security strategy that provides an agile, proactive and end-to-end framework for effective threat detection and incident response against increasingly sophisticated attacks is the answer.