Cloud-Native and Hybrid Cloud Organizations Need Security Best Practices

Forrester predicted that the global public cloud market will increase to $178 billion this year, up from $146 billion in 2017. The firm also predicted that by the end of 2018, more than half of global enterprises will rely on at least one public cloud platform for digital transformation. Clearly, the future of IT is multi-cloud and hybrid.

More organizations are choosing the multi-cloud option for a number of reasons. Enterprises might use Office 365 and Salesforce.com, and smaller businesses might be using Google Apps and all the plugins that come with it. Other Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) offerings are also common. The ease of use and attractive consumption model offered by cloud providers have made its adoption almost a technological and business given.

Most of those opting for a multi-cloud approach fall into one of two camps. One camp is made up of cloud-native, cloud-heavy organizations — either startups or “born in the cloud” enterprises like Netflix. These organizations consume multiple cloud services from multiple cloud providers; they live in the cloud and are staying in the cloud. They need to develop different security approaches for each cloud provider.

Traditional organizations that are moving some of their digital assets to the cloud, but are not cloud-native, comprise the second camp. The cloud holds only part of their data. These companies are typically making decisions about what kinds of SaaS and IaaS solutions to use from a business perspective, and more commonly, these decisions are driven by business units, often without considering the security implications. These decisions effectively force IT and security teams to run after them and try to retroactively secure it all.

Each of these groups, then, has its own cloud security considerations and challenges.

Separate and Joint Concerns

The cloud-native camp’s determining factor in which security technologies to use is the ability to integrate into their automation frameworks, DevOps functions, and operational models. The DevOps and SecDevOps teams are focused on being able to automate and streamline security operations with the overall continuous integration methodologies these organizations use. They want to ensure that security measures do not slow down their ability to innovate and release new technology, versions, and software to their customers.

This group has the hard task of finding one operational model and streamlined security policy that can be applied to many different cloud infrastructures and applications, which don’t necessarily offer the same operational capabilities for managing security. As a result, SecDevOps teams have the challenge of the uniformity of security – including the ability to streamline security operations across all types of platforms.

They also need a trustworthy, unified, consistent set of security controls. To get to that point, the organization must find a way to abstract the security services that are offered by the different platforms into a unified set of tools that commonly prescribe how to apply security throughout the infrastructure.

Since they don’t want to be reliant on one cloud vendor, they are looking to find more sources for building their cloud infrastructure. That only adds greater complexity and exacerbates the problem, making it even more labor-intensive.

The more traditional group of enterprises has a different challenge. These enterprises need to offer a consistent level of security between their on-premises and cloud infrastructures. “Shadow IT” is a serious issue for this group, as business leaders inside the organization may get excited about the functionality of a new application and then forget to tell the security team that they’ve started to use it. So, for them, the challenge is how to quickly integrate the existing security controls into a variety of platforms without needing to reinvent the wheel every time.

There are fewer DevOps staff and more traditional IT staff in this group that need easy-to-use, GUI-driven applications to manage a single infrastructure. The security staff tends to get pretty overwhelmed with the constant changes and needs to find a way to keep it all secure and compliant. Dealing ad-hoc with the ongoing, internal shadow IT initiatives is one aspect driving the team activities; the other is more planned build-outs of cloud security infrastructures to be ready to rapidly accept requests from different business units. In these cases, the global placement and elastic nature of cloud becomes important, as you only want to pay for the services when you use them, anywhere across the globe, and only for the amount you use.

Ultimately, both types of organizations need to deploy a unified security infrastructure across multiple cloud infrastructures. For some, this means only a mix of public clouds, and for others this means a mix of public and private clouds.

Security Best Practices in the Cloud

Regardless of specific security differences, both groups can benefit from implementing these best practices for securing multi-cloud environments:

• Automate: The ability to automate security and integrate automation flows into the development cycle allows application developers to continue developing applications as fast as they can while enjoying the benefit of security compliance without requiring any additional effort.
• Abstract: The abstraction of security policy into a unified language from a central management is needed, such that regardless of the underlying technologies — whether it’s a private data center or a public cloud infrastructure — the company defines security in a single, standardized fashion. Firewalls need to provide logical abstraction to support both physical and virtual segmentation across private and public clouds.
• Flexibility: Similar to the automation argument, when applications grow or more applications are deployed, security should grow and expand with them. And organizations should be able to pay only for the amount of protection they are deploying.
• Application-aware: Security must be application-aware today to remain relevant for the different applications that are being built and delivered from different infrastructures. Security must also be consistent across SaaS and home-grown applications that are built over a variety of infrastructures leveraging a variety of services. Security posture is improved by the ability to deploy various application security tools best suited to the application being protected while applying a consistent security policy across all infrastructures.
• Visibility: Because incidents can potentially initiate across the entire attack surface, visibility across the entire hybrid, multi-cloud infrastructure is an important requirement. A correlated view of threats and risk throughout the infrastructure becomes a significant advantage. Organizations that move to a single-pane-of-glass approach get visibility across multiple private clouds, public clouds, and SaaS applications.

This byline originally appeared in SDxCentral.

Read more about how Fortinet secures multi-cloud environments with our Security Fabric.