Forrester predicted that the global public cloud market will increase to $178 billion this year, up from $146 billion in 2017. The firm also predicted that by the end of 2018, more than half of global enterprises will rely on at least one public cloud platform for digital transformation. Clearly, the future of IT is multi-cloud and hybrid.
More organizations are choosing the multi-cloud option for a number of reasons. Enterprises might use Office 365 and Salesforce.com, and smaller businesses might be using Google Apps and all the plugins that come with it. Other Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) offerings are also common. The ease of use and attractive consumption model offered by cloud providers have made its adoption almost a technological and business given.
Most of those opting for a multi-cloud approach fall into one of two camps. One camp is made up of cloud-native, cloud-heavy organizations — either startups or “born in the cloud” enterprises like Netflix. These organizations consume multiple cloud services from multiple cloud providers; they live in the cloud and are staying in the cloud. They need to develop different security approaches for each cloud provider.
Traditional organizations that are moving some of their digital assets to the cloud, but are not cloud-native, comprise the second camp. The cloud holds only part of their data. These companies are typically making decisions about what kinds of SaaS and IaaS solutions to use from a business perspective, and more commonly, these decisions are driven by business units, often without considering the security implications. These decisions effectively force IT and security teams to run after them and try to retroactively secure it all.
Each of these groups, then, has its own cloud security considerations and challenges.
Separate and Joint Concerns
The cloud-native camp’s determining factor in which security technologies to use is the ability to integrate into their automation frameworks, DevOps functions, and operational models. The DevOps and SecDevOps teams are focused on being able to automate and streamline security operations with the overall continuous integration methodologies these organizations use. They want to ensure that security measures do not slow down their ability to innovate and release new technology, versions, and software to their customers.
This group has the hard task of finding one operational model and streamlined security policy that can be applied to many different cloud infrastructures and applications, which don’t necessarily offer the same operational capabilities for managing security. As a result, SecDevOps teams have the challenge of the uniformity of security – including the ability to streamline security operations across all types of platforms.
They also need a trustworthy, unified, consistent set of security controls. To get to that point, the organization must find a way to abstract the security services that are offered by the different platforms into a unified set of tools that commonly prescribe how to apply security throughout the infrastructure.
Since they don’t want to be reliant on one cloud vendor, they are looking to find more sources for building their cloud infrastructure. That only adds greater complexity and exacerbates the problem, making it even more labor-intensive.
The more traditional group of enterprises has a different challenge. These enterprises need to offer a consistent level of security between their on-premises and cloud infrastructures. “Shadow IT” is a serious issue for this group, as business leaders inside the organization may get excited about the functionality of a new application and then forget to tell the security team that they’ve started to use it. So, for them, the challenge is how to quickly integrate the existing security controls into a variety of platforms without needing to reinvent the wheel every time.
There are fewer DevOps staff and more traditional IT staff in this group that need easy-to-use, GUI-driven applications to manage a single infrastructure. The security staff tends to get pretty overwhelmed with the constant changes and needs to find a way to keep it all secure and compliant. Dealing ad-hoc with the ongoing, internal shadow IT initiatives is one aspect driving the team activities; the other is more planned build-outs of cloud security infrastructures to be ready to rapidly accept requests from different business units. In these cases, the global placement and elastic nature of cloud becomes important, as you only want to pay for the services when you use them, anywhere across the globe, and only for the amount you use.
Ultimately, both types of organizations need to deploy a unified security infrastructure across multiple cloud infrastructures. For some, this means only a mix of public clouds, and for others this means a mix of public and private clouds.
Security Best Practices in the Cloud
Regardless of specific security differences, both groups can benefit from implementing these best practices for securing multi-cloud environments:
This byline originally appeared in SDxCentral.
Read more about how Fortinet secures multi-cloud environments with our Security Fabric.