Leveraging cloud: enhanced security in a multi-cloud environment
Cloud security has the boardroom’s attention and is preventing some organizations from benefiting from the full power of cloud computing. Let’s explore how businesses can increase trust in cloud technologies as the threat landscape evolves.
Security in a multi-cloud environment
Cloud computing sees your organizational data move beyond the traditional perimeter, expanding the attack surface. With cloud computing you potentially share a platform with other organizations, and therefore potentially with those intent on harm. While your cloud service provider has some security responsibilities, its native security controls cannot protect you against the risks falling under your responsibility, including those posed by your own employees. You need to monitor your internal environment: shadow IT, your data, your on-premises servers and infrastructure, and the virtual networks and workloads you own inside the cloud, whether virtual machines, containers or applications. You must manage the security of all these things, along with user identity and access. Simply monitoring cloud services for anomalies is not enough to secure your environment in a complex, multi-cloud world. A new hybrid cloud cybersecurity approach is needed, one that gives you visibility of everything that happens in your internal landscape.
Hybrid cloud security in a nutshell
An enterprise's hybrid security approach must integrate all security controls into one overall strategy that is managed centrally and applied consistently across its on-premises and cloud (single or multiple) environments. Central real-time monitoring and analytics provide global visibility into the consumption of IT resources inside and outside the organization and allow you to move quickly to close breaches of policies and regulations. They can identify compromised accounts and threats such as unsanctioned devices, applications or users accessing or using cloud services or the enterprise network. They also allow you to apply your security controls from a single console, consistently across your on-premises IT and your cloud (IaaS, PaaS and SaaS) environments. Data is protected from inadvertent disclosure or unauthorized sharing by insiders, including data that belongs to a company's intellectual property, whether proprietary software code or sensitive corporate information. An automated approach is essential, as it removes the potential for human error. Security audits, controls, patching and configuration management can all be automated, reducing the risk significantly.
Three steps to hybrid cloud security
Addressing the cloud security challenges in today's hybrid, multi-cloud environment requires a transformation of your security organization, policies and controls. At Atos, we propose a three-step security approach:
- Assess: identify the risk and requirements. Analyze the current situation. Identify where you store sensitive data and the scope of shadow IT. Take external regulations and internal constraints into account.
- Protect: implement and update security controls. Protect your networks, workloads and data. Adopt encryption, for instance, to prevent data from being accessed, understood or used if other security controls fail. Implement strong Identity and Access Management (IAM) controls to ensure only entitled users have access to your data as well as your decryption keys.
- Detect & respond: ensure real-time detection of security deviations and incidents, along with the means to automate an immediate response.
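The central monitoring described in the previous section and the "Detect & respond" step above both come down to evaluating every access event against one centrally managed policy and triggering a response automatically. The following Python script is an added example written for this page, not code from Atos or from any product it describes. It reads newline-delimited JSON access events of the kind a CASB or identity provider might export, flags unsanctioned applications, unmanaged devices and downloads by users without the entitlement, and maps each finding to an automated response. The policy sets, user names, device identifiers, application names and log lines are all constructed for the example.

```python
"""Added example: a minimal hybrid-cloud policy monitor for the
'Detect & respond' step. Not the original page's code; all policy values,
users, devices, applications and log lines below are constructed."""
from dataclasses import dataclass
import json

# Central policy (assumed values): sanctioned cloud apps, enrolled devices,
# and the users entitled to download from the storage service.
SANCTIONED_APPS = {"crm.example", "storage.example", "mail.example"}
MANAGED_DEVICES = {"dev-1001", "dev-1002", "dev-1003"}
DOWNLOAD_ALLOWED = {"alice", "bob"}

# Constructed access events, one JSON object per line. The fourth line is
# deliberately malformed to show that the monitor does not stop on bad input.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","user":"alice","device":"dev-1001","app":"crm.example","action":"login","src":"cloud"}
{"ts":"2024-05-01T09:05:00Z","user":"carol","device":"dev-9999","app":"storage.example","action":"download","src":"cloud"}
{"ts":"2024-05-01T09:07:00Z","user":"bob","device":"dev-1002","app":"pastebin.example","action":"upload","src":"onprem"}
this line is not JSON and must be skipped
{"ts":"2024-05-01T09:10:00Z","user":"alice","device":"dev-1001","app":"storage.example","action":"download","src":"cloud"}
"""


@dataclass(frozen=True)
class Finding:
    """One policy deviation and the automated response chosen for it."""
    ts: str
    user: str
    rule: str
    response: str


def evaluate_event(event: dict) -> list[Finding]:
    """Apply the central policy to a single event; return zero or more findings."""
    findings = []
    # Shadow IT: a cloud application that is not on the sanctioned list.
    if event["app"] not in SANCTIONED_APPS:
        findings.append(Finding(event["ts"], event["user"],
                                "unsanctioned_app", "block_and_notify_owner"))
    # Unmanaged device reaching a cloud service.
    if event["device"] not in MANAGED_DEVICES:
        findings.append(Finding(event["ts"], event["user"],
                                "unmanaged_device", "require_step_up_auth"))
    # Least privilege on data: downloads only for entitled users.
    if event["action"] == "download" and event["user"] not in DOWNLOAD_ALLOWED:
        findings.append(Finding(event["ts"], event["user"],
                                "unauthorized_download", "revoke_session"))
    return findings


def monitor(log_text: str) -> list[Finding]:
    """Parse newline-delimited JSON events and evaluate each one in order.
    Malformed lines are skipped rather than aborting the whole run."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(evaluate_event(event))
    return findings


def responses_by_user(findings: list[Finding]) -> dict[str, list[str]]:
    """Group the automated responses per user, in the order they were raised."""
    actions: dict[str, list[str]] = {}
    for f in findings:
        actions.setdefault(f.user, []).append(f.response)
    return actions


if __name__ == "__main__":
    for f in monitor(SAMPLE_LOG):
        print(f"{f.ts} user={f.user} rule={f.rule} -> {f.response}")
```

Run as-is, the script reports carol's unmanaged device and unauthorized download and bob's upload to an unsanctioned application, while alice's events pass; in a real deployment the `response` strings would be mapped to calls into the identity provider or CASB rather than printed.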
Embedding security since the development phases
We’ve seen that cloud computing can bring new security threats, but it can also deliver powerful new ways of implementing security controls. Infrastructure as code, immutable infrastructure, and network micro- and nano-segmentation give us opportunities to ensure that security controls are deployed early and consistently through the DevOps cycle, delivered in an automated way and orchestrated with each other. This enables security organizations to tackle challenges such as incomplete control coverage, the speed at which security must keep up, and lack of visibility and/or resources. It also makes it easier to respond to infrastructure security audits.
This ‘Shift left’ mentality helps by integrating security controls as early as possible in the development cycle but highlights how critical this cycle becomes.
Some early adopters are pioneering a new DevSecOps approach, introducing security early in the lifecycle by automating and embedding the appropriate controls into application development. DevSecOps encourages ‘secure by design’ approaches, in which source code, including open source libraries, is analyzed for flaws and vulnerabilities as it is developed, and security controls are included in the infrastructure deployment templates. As a consequence, it becomes mandatory to apply privileged access management principles to development environments, controlling DevOps activities and the sensitive credentials used by CI/CD (Continuous Integration / Continuous Deployment) tools.
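One concrete form of "security controls included in the infrastructure deployment templates" is a policy-as-code gate that the CI/CD pipeline runs on every template before it is deployed. The Python script below is an added example written for this page, not Atos code or any real scanner. It checks a simplified, constructed JSON template format (the resource types and attribute names are assumptions, not a real provider's schema) for unencrypted storage, public buckets, administrative ports open to the whole internet and plaintext secrets, and shows the weak template beside its hardened counterpart so the gate's pass/fail behaviour can be seen on both.

```python
"""Added example: a policy-as-code gate for infrastructure templates.
Not the original page's code. The template schema is a constructed,
simplified JSON format; every resource, name and value is an assumption."""
import json
import re

# A template with the classic misconfigurations a pipeline gate should stop.
WEAK_TEMPLATE = json.dumps({
    "resources": [
        {"type": "storage_bucket", "name": "reports",
         "encryption": False, "public_access": True},
        {"type": "firewall_rule", "name": "admin-ssh",
         "direction": "ingress", "port": 22, "source_cidr": "0.0.0.0/0"},
        {"type": "database", "name": "orders",
         "encryption": True, "admin_password": "Summer2024!"},
    ]
})

# The same resources with the controls applied: encryption on, no public
# access, SSH limited to an internal range, password taken from a secret store.
HARDENED_TEMPLATE = json.dumps({
    "resources": [
        {"type": "storage_bucket", "name": "reports",
         "encryption": True, "public_access": False},
        {"type": "firewall_rule", "name": "admin-ssh",
         "direction": "ingress", "port": 22, "source_cidr": "10.20.0.0/16"},
        {"type": "database", "name": "orders",
         "encryption": True, "admin_password": "${secret:orders-admin-password}"},
    ]
})

# A value of the form ${secret:<id>} is treated as a reference into a secret
# store (assumed convention); anything else in a sensitive field is a literal.
SECRET_REF = re.compile(r"^\$\{secret:[\w-]+\}$")
SENSITIVE_KEYS = ("password", "secret", "token", "api_key")
ANY_SOURCE = ("0.0.0.0/0", "::/0")
ADMIN_PORTS = (22, 3389)


def check_resource(res: dict) -> list[str]:
    """Return the ids of the rules a single resource violates."""
    violations = []
    if res["type"] == "storage_bucket":
        if not res.get("encryption"):
            violations.append("STORAGE_ENCRYPTION_DISABLED")
        if res.get("public_access"):
            violations.append("STORAGE_PUBLIC_ACCESS")
    if res["type"] == "firewall_rule" and res.get("direction") == "ingress":
        if res.get("source_cidr") in ANY_SOURCE and res.get("port") in ADMIN_PORTS:
            violations.append("ADMIN_PORT_OPEN_TO_INTERNET")
    if res["type"] == "database" and not res.get("encryption"):
        violations.append("DB_ENCRYPTION_DISABLED")
    # Plaintext credentials in a template end up in version control and
    # in every environment the template is deployed to.
    for key, value in res.items():
        if (any(k in key.lower() for k in SENSITIVE_KEYS)
                and isinstance(value, str) and not SECRET_REF.match(value)):
            violations.append("PLAINTEXT_SECRET")
    return violations


def scan_template(template_json: str) -> dict[str, list[str]]:
    """Map 'type.name' of each offending resource to its violations."""
    template = json.loads(template_json)
    report: dict[str, list[str]] = {}
    for res in template.get("resources", []):
        found = check_resource(res)
        if found:
            report[f"{res['type']}.{res['name']}"] = found
    return report


def gate(template_json: str) -> bool:
    """CI/CD gate: True only when the template has no violations."""
    return not scan_template(template_json)


if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, "->", "PASS" if gate(tpl) else "FAIL", scan_template(tpl))
```

In a pipeline, `gate()` returning False would fail the deployment stage; the report is what the audit trail the text mentions would be built from, since every template version carries its own list of violations.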
As the threat landscape continues to change, the security strategies of all organizations can expect to experience severe tests. With a robust approach to cybersecurity based on a secure multi-cloud platform, protecting data that is shared across both public and private clouds, enterprises can benefit from the full power of cloud computing.