Any organization that leverages both Software-as-a-Service and public cloud services is effectively operating in a multicloud environment and needs to adapt their security posture to account for this. Security managers don't often get a choice when it comes to their organization’s use of multicloud. Multicloud usage has evolved through use of public cloud services combined with the subscription to Software-as-a-Service (SaaS) offerings hosted on public cloud infrastructure. This past year, cloud services have been leveraged as a quick, cost-effective and scalable way to support remote working but unfortunately, the security of multiple clouds has been an afterthought. With hybrid working here to stay, it needs proper consideration.
Setting the multicloud context
Major Cloud Service Providers (CSPs) like Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP) offer Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Functions-as-a-Service (FaaS) otherwise known as Serverless, as well as Software-as-a-Service (SaaS).
SaaS is a standard delivery model for many of today's business applications, collaboration tools and developer tools, such as Microsoft 365 including Microsoft Teams, Zoom, Salesforce, ServiceNow, Dropbox and GitHub and more. SaaS services by their nature of being as a service, tend to be delivered as cloud services.
This means that the criteria to determine whether you’re using multicloud can be as simple as follows: do I use two or more cloud-delivered services from different cloud service providers?
It’s more than likely a yes. And rather than manage security for the individual services or clouds you are operating, its more effective, efficient and less risky to think about securing your multicloud holistically.
Threats to the cloud
The 2021 Global Threat Intelligence Report reinforced that accelerated cloud adoption has led to an increase in cybersecurity attacks.
The most common cloud threats and attacks include data breaches due to cloud misconfiguration as well as web and application attacks, which have been amplified when businesses hastily implemented work from home and remote access solutions.
Cybercriminals are also changing their tactics. Ransomware, one of the biggest threats of 2020, is also predicted to evolve into ‘ransomware within the cloud’ meaning ransomware will encrypt data associated with cloud services, essentially holding your cloud and the data within it hostage. We’ve also seen cybercriminals leveraging the power of the cloud in the form of Ransomware-as-a-Service (RaaS) to deliver scalable and more efficient attacks.
Securing the multi-cloud
Cloud transformation provides organizations with business value and agility but it requires requisite support in the form of network and security transformation.
So how do you manage risk when it comes to using public cloud and SaaS applications while you transform? It’s a question that must have answers across your data, users, applications, infrastructure/workloads and networks.
Here are our best practices for securing the multicloud.
Before you begin securing the multicloud, ensure you have a sound security strategy in place. Your strategy must support the organization’s short- and long-term goals and take into account risk management and compliance obligations so that security becomes an enabler for business outcomes. It’s also important to ascertain the role the organization expects cloud to take in its technology and business strategy (e.g., cloud-first approaches). Once the strategic business outcomes and the role of the cloud are understood, it will be clearer how to create a security program for the cloud that delivers value to the business while keeping it secure.
- Security program(s):
At the onset of developing your security program, it’s important to evaluate the current state of your information security, define your desired state and conduct a gap analysis against your desired state to understand the work you need to do to get to where you need to be.
Your desired state must tie back to the strategic objectives of your company and overarching security strategy.
Your program should also take into account your business’s risk appetite to strike the right balance between security, risk management and business performance. A sound risk assessment uses both quantitative and qualitative risk methods to determine your desired risk-profile.
And finally, critical security outcomes for your program can include:
- Supporting the businesses consumption of multicloud, SaaS and public cloud
- Ensuring legislative and regulatory compliance
- Protecting data and data privacy at rest, in motion and in use
- Protecting users, their identities and their devices
- Detecting attacks to prevent breaches
- Modernizing your security capabilities, including automation and DevSecOps
- Identifying opportunities for outsourcing vs building capability in-house
Within your organisation you should consider Enterprise Security Architecture frameworks and methodologies (such as SABSA or TOGAF) to help you design, plan, implement and govern IT architectures and ensure they tie back to the strategic objectives of your business. ESA is the vehicle through which a mature security roadmap is delivered.
- Create a Cloud Center of Excellence (CCOE)
Cloud and its usage will become an internal service offering within many organizations.
A CCOE brings together business, technology and security stakeholders under a single (agnostic) framework for cloud adoption and provides help with and best practices for use of the cloud.
The CCOE should also integrate your multicloud security policies, processes, and procedures into its framework.
By embedding security leadership in your CCOE, an organization can be assured that security compliance requirements are included in cloud programs from the beginning.
- Capabilities, components, and technologies
Identity is the primary component of security for cloud transformation. Getting identity right is a critical first step in a successful cloud migration. We recommend consolidating all identities into a single identity provider to make your transition to and between clouds manageable and less complex.
If migrating from on-premises to SaaS, the operational security overhead required by on-premises is reduced and the benefits of SaaS can be achieved quickly. Ensure you’re SaaS applications meet the organizational security requirements for data sovereignty, access to information and ownership, and be sure to review the security controls of any third parties you engage. Compliance can typically be measured with a Cloud Access Security Brokers (CASB) for SaaS.
Once your application strategy for refactoring in the cloud has been understood, plan your security to meet these requirements. It may be a case of lift-and-shift or updating user interfaces with a 3-tier backend, or completely rearchitecting for a cloud-native application approach using orchestrated microservices delivered using containers.
Your security technology and operations approach will depend on in-house capabilities as well as whether you’re try to deliver the security outcomes via CSP technology (i.e., Azure, AWS, GCP) or vendor technology. Be sure to understand the differences between CSP terminology and services. And manage your concentration risk, i.e., having all your eggs in one CSP basket. Since the CSP is also a third-party supplier; ensure you have a backout plan if you need it.
A move to/or the further uptake of SaaS and the public cloud involves the modernization of networks. The transition to hybrid networks using SD-WAN and broadband, and downsizing of WAN cost and complexity, and the move to Direct Internet Access (DIA) provides opportunities to refactor security approaches. Reducing the backhaul of internet-bound traffic to data centers, so it can be processed by the security appliances, will allow for modern cloud-delivered security strategies like Secure Access Service Edge (SASE). This will improve the web experience for your users and network performance. And be sure to inspect traffic using SSL inspection as the majority of threats are using encrypted channels for communication.
Web applications and application-specific attacks were the greatest attack type in 2021. Security of your applications, wherever they reside is paramount as we expect the number of attacks on applications only to continue growing in 2022.
To keep your applications secure you should:
- Connect your users to applications by using cloud-delivered security combined with a user (and device) identity such as a Zero Trust approach.
- Ensure that applications at all stages of the development lifecycle are protected using Software Composition Analysis (SCA), Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). This will require building capability in application security and development.
- Protect your public-facing applications and Application Programming Interfaces (APIs) with Web Application Firewalls (WAFs) and Web Application and API Protection (WAAP).
- Protect your infrastructure and workloads using cloud-native solutions where possible. Multicloud security solutions are offered mainly through third-party security vendors.
- Encrypt data-at-rest and data-in-motion.
Identify, protect, detect, respond and recover: these are the core functions of the NIST Cybersecurity Framework (CSF). Your security operations must evolve to perform all these tasks for multicloud in order to be effective.
It’s important to note that third-party security vendors presently offer more multicloud security solutions than CSPs. While most CSPs provide advanced in-cloud solutions and have the advantage of seeing deeper into the network where the third-party tools cannot operate, CSPs presently don’t offer mature multicloud security solutions.
Outsourcing operations to a cloud and/or Managed Security Services Provider should be considered to alleviate the operational overhead of maintaining and monitoring complex ecosystems and to improve your ability to detect and respond to threats across your multicloud environment.
Measuring compliance against industry standards such as NIST, Cloud Security Alliance (CSA), ISO, etc., can be achieved with tools such as:
- Cloud Security Posture Management (CSPM)
- Cloud Access Security Broker (CASB) for SaaS
- Cloud Workload Protection Platforms (CWPP)
These cloud-native tools provide out-of-the-box capability as well as the ability to create custom measurements which is important for reporting and demonstrating compliance.
Leadership, communication and education will be critical to success. A change of culture and cultivation of security awareness will be required as part of any multicloud security journey. Continue to deliver security education for all teams, including digital IT, security, developers and operations and employees that don’t work in technology disciplines
The multicloud and hybrid workplace will be inseparable in 2022. Most businesses are moving beyond keeping the lights on and into long-term and strategic thinking about digital transformation. Security should be considered at the outset, to ensure your hybrid workplace programs are secure be design. You don’t have to go it alone. Reach out to us today – we can help you from wherever you sit on your multicloud security journey.