You may have heard the phrase multi-cloud environment and wondered what it was, do you have it and maybe even thought: whoa, that sounds like a security nightmare. Put simply, multi-cloud environments are those that consist of more than one cloud platform in use to perform normal business operations. For example, large enterprises might turn to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) in the cloud, such as AWS, Azure or Google, to fulfill business demands in a reliable and scalable way.
While some organizations will have jumped in feet first with a stated end goal of adopting 100 percent cloud, with a “cloud first” mentality, others are experimenting with a hybrid approach of on-premise and cloud infrastructure. This flexibility is a great option for meeting evolving business requirements, but it can also present a logistical headache for those responsible for securing these environments.
A multi-cloud environment could have many faces; it could be different cloud IaaS and PaaS providers, or a single provider with multiple accounts; for example, one for development, one for testing and one for production applications – which is generally considered best practice.
With the rapid adoption of cloud infrastructure, ensuring security and compliance in these environments is one of the biggest challenges modern CISOs face. While generally the CIOs are tasked with developing a digital transformation strategy, the CISO is responsible for ensuring this strategy does not introduce risks or new threats to the organization. Thus, the CISO is often facing an uphill battle with pressure to go in blindly. The challenges can be attributed to changes in ownership of technology, reduced overall visibility and new gaps in governance.
To overcome these security hurdles and maintain a consistent approach to defense and monitoring, there are a number of actions organizations should take in order to make the digital transformation run much more smoothly.
Include the CISO
From the outset, the CISO and security teams need to be aware of plans for moving infrastructure to the cloud, not just to be able to assess the risks and forget about it, but also to be involved with the security architecture in these environments. Once the security measures are established, there needs to be effective and consistent monitoring to maintain the organization’s security posture.
Make it a team effort
A lot of times the security team gets a bad reputation for just saying “no.” A more effective approach is setting standards that enable IT and infrastructure teams and help to set boundaries so that each party wins. If the security team is seen as a hindrance to innovation and productivity, it will just end up being bypassed altogether. That is a much more dangerous situation.
Often application and infrastructure teams have significantly more experience working in cloud infrastructure environments. Therefore, in many cases, security teams could take advantage of the application team’s experience and instead of taking an operational role, assume a role of governance. In all cases, clear definitions of responsibility should be established between security and application teams.
Technology can help
With complex and diverse environments, it can be worthwhile to invest in security management technology that helps organizations get a holistic view, from risk to compliance and threat monitoring. For example, FireMon’s 40Cloud solution covers multi-cloud environments and benefits large enterprises in particular by helping maintain a consistent security posture while still being able to take advantage of all the cloud has to offer.
No matter what an organization’s cloud journey looks like, establishing consistency in security defense and threat monitoring and upholding a good security posture will always be the number one challenge. It is not a transition that will happen overnight, but by following the advice above, organizations can take a less bumpy route to digital transformation and use the cloud to its full advantage more securely.