The growing need for on-demand network and compute resources is outpacing available internal resources, even in private cloud environments, and is driving organizations to the public cloud. According to IDC, 75% of organizations are currently implementing or considering the implementation of public cloud resources, and IDC predicts that 50% of enterprise workloads will migrate to the public cloud by 2018.
This new shared infrastructure approach comes with significant security challenges, including creating and maintaining a consistent security posture across multiple domains, establishing single-pane-of-glass visibility and control, sharing threat intelligence, and orchestrating a coordinated response to detected threats. The recent advent of multi-cloud architectures, where organizations move their software, platform, and even infrastructure to multiple cloud vendors to address issues such as redundancy and efficiency, has complicated visibility and control even further.
In fact, according to Fortinet’s Threat Landscape Report, enterprises use a median of 62 different cloud applications or services in their networks, with IaaS reaching an all-time high. This represents nearly a third of all applications and services used, and spans everything from data storage and file sharing, to meeting spaces and collaborative workspaces, to on-demand infrastructure for data centers and computing needs. The challenge is that data visibility can drop dramatically within the cloud. Add the growth of Shadow IT, where individuals and teams subscribe to and use cloud-based services without telling the IT team, and protecting critical data and defending the growing potential attack surface can quickly become nearly impossible.
Part of the problem is that data centers are now designed flatter, which means that once the network is breached, threats can remain hidden for weeks or even months. To help you tackle this challenge, we have outlined several elements to consider when selecting and deploying a cloud security strategy. Central to this approach is not only to do everything possible to prevent a breach, but also to assume there will be one. IT teams need to ask the question, “what happens after a cybercriminal manages to break into our network?” This changes the design paradigm from hardening the edge to one of detection and response, ensuring that critical resources in both the cloud and the local network remain resilient and secured in spite of any network compromise.
Security concerns have been the single greatest gating factor to the adoption of the public cloud, especially when considering IaaS or PaaS services. To address this concern, cloud providers have implemented a wide range of security solutions designed to protect and secure data and resources being processed and stored in the cloud.
The challenge is that this can easily result in IT teams having to build and manage yet another completely separate and isolated set of security tools. This sort of segmented approach to security can quickly overwhelm limited IT resources, as we have already seen in local networks where SDN and physical networks already require different security tools. The reality is, IT teams already have to manage their security tools through an average of 14 different security consoles, making threat correlation and response complicated and less effective. Adding additional complexity is hardly the right approach.
What is needed is a shared security model. A growing number of security vendors now offer cloud-based solutions that mirror tools available for local networks. Standardizing on a single set of solutions can reduce complexity and enable the establishment of a single, consistent security posture. Make sure that these tools, whether local or in the cloud, can be seen and managed through a single management interface in order to facilitate the collection and correlation of threat intelligence and the ability to track and orchestrate universal security policies.
For SaaS solutions, it is essential that organizations adopt cloud-focused security tools, such as cloud access security brokers (CASBs), that can be deployed either on-premises or in the cloud to establish security policy enforcement points between cloud users and cloud service providers to maintain security and inspect and secure data moving to cloud domains. These tools should also be selected based on their ability to be integrated into a single, unified security management platform.
The foundation of the private cloud is virtualization. This allows data and resources to be dynamically spun up and applied as needed in order to meet shifting network demands. The shift from a physical to a software-based security solution strategy has its own unique challenges.
The first is very similar to the challenges faced in the public cloud. Support for such things as multiple hypervisors and microsegmentation has meant that many of the security tools used in the physical network can’t be applied in a virtual environment. Decisions about infrastructure design are often made in isolation, which often means that security teams are left to build an entirely separate security architecture for their SDN or private cloud network. Again, the challenge is unnecessary complexity.
Just as with the public cloud, it is critical that security solutions are selected that can move seamlessly between different network ecosystems in order to consolidate control and expand visibility across the distributed network.
In addition, private cloud environments have unique security challenges. Every time a virtual machine or new workload is deployed, for example, an entire set of security policies needs to be populated simultaneously. What devices, applications, and services is this new resource allowed to talk to? What data is it allowed to access? And what happens when this resource is decommissioned? Any cloud-based security solution must be able to isolate data and applications as the virtualized data center expands and contracts. And as east-west traffic increases in software-defined environments, the ability to segment specific types of traffic through such things as microsegmentation and containers also becomes critical.
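The lifecycle questions above (what may a new workload talk to, what data may it touch, and what is cleaned up when it is decommissioned) can be modelled as a default-deny allowlist that is populated at deployment time and pruned at decommission time. The following is an added, illustrative example written for this article; it is not Fortinet code or any product API. The workload names, data classes and east-west flows are constructed sample data, and the policy model itself is an assumption used to show the idea, including how stale peer rules left behind by a decommissioned workload can be detected and how unexpected east-west flows are flagged.

```python
"""Lifecycle-driven microsegmentation policy model (illustrative, not a product API)."""
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    role: str
    allowed_peers: set = field(default_factory=set)  # workloads it may initiate traffic to
    allowed_data: set = field(default_factory=set)   # data classes it may access


class SegmentationPolicy:
    """Per-workload allowlists; anything not explicitly listed is denied."""

    def __init__(self):
        self.workloads = {}

    def deploy(self, wl: Workload):
        # The full policy set is populated the moment the workload exists,
        # so there is no window in which it runs without a policy.
        self.workloads[wl.name] = wl

    def decommission(self, name: str):
        self.workloads.pop(name, None)
        # Remove dangling references so no stale rule keeps the name reachable
        # if the name is later reused by a different workload.
        for wl in self.workloads.values():
            wl.allowed_peers.discard(name)

    def flow_allowed(self, src: str, dst: str) -> bool:
        # Both ends must be deployed and the source must list the destination.
        wl = self.workloads.get(src)
        return wl is not None and dst in self.workloads and dst in wl.allowed_peers

    def data_access_allowed(self, name: str, data_class: str) -> bool:
        wl = self.workloads.get(name)
        return wl is not None and data_class in wl.allowed_data

    def stale_rules(self) -> dict:
        """Peer rules that point at workloads which are not (or no longer) deployed."""
        stale = {}
        for wl in self.workloads.values():
            missing = {p for p in wl.allowed_peers if p not in self.workloads}
            if missing:
                stale[wl.name] = missing
        return stale


def audit_flows(policy: SegmentationPolicy, flows) -> list:
    """Return the observed east-west flows that the policy does not permit."""
    return [f for f in flows if not policy.flow_allowed(f[0], f[1])]


# Constructed sample: a three-tier application; "legacy-app" is referenced but never deployed.
def build_sample_policy() -> SegmentationPolicy:
    p = SegmentationPolicy()
    p.deploy(Workload("web-01", "web", {"app-01", "legacy-app"}, {"public"}))
    p.deploy(Workload("app-01", "app", {"db-01"}, {"customer"}))
    p.deploy(Workload("db-01", "db", set(), {"customer"}))
    return p


# Constructed sample of observed east-west flows (src, dst).
SAMPLE_FLOWS = [
    ("web-01", "app-01"),
    ("web-01", "db-01"),   # web tier reaching the database directly: not permitted
    ("app-01", "db-01"),
    ("db-01", "web-01"),   # database initiating traffic to the web tier: not permitted
]


if __name__ == "__main__":
    policy = build_sample_policy()
    print("stale rules:", policy.stale_rules())
    print("violations:", audit_flows(policy, SAMPLE_FLOWS))
    policy.decommission("app-01")
    print("after decommission, web-01 peers:", policy.workloads["web-01"].allowed_peers)
```

Two behaviours are worth noting: a rule that names an undeployed workload never grants access (both ends must exist), but it is still reported by `stale_rules()` because it would silently become live if the name were reused; and decommissioning prunes every other workload's reference to the removed name, which is the cleanup step the decommission question in the paragraph is asking about.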
The biggest issue with securing a hybrid cloud is ensuring single pane of glass management across disparate cloud environments to maintain deep visibility, centralized policy orchestration, integrated event correlation, and consistent controls and response. Integration is key. Tools must be selected that are either natively designed to operate together across different environments, or that are built around open standards and APIs so you can design a central security operations solution.
Another issue is secure connectivity. Hybrid solutions must support robust VPN functionality to enable secure temporary access to resources when needed while protecting the rest of the network. In addition, migrating data, accessing large data sets, or using third-party cloud-based analytics services all require secure connections to external networks. Any security solution, therefore, must be able to provide protection for these essential network connections.
Security solutions for the cloud need to do more than integrate with the other security solutions deployed across the network. In addition to maintaining consistency in terms of policy enforcement, visibility, and protection across all networked environments, they also need to meet the unique demands of cloud-based environments.
Security teams need to consider whether the solutions being considered are able to match the elasticity and dynamic growth of a cloud or multi-cloud environment. And they need to be able to easily and dynamically separate and segment critical systems, workloads, and applications based on unique risk profiles.
Cloud computing and digital transformation have changed the paradigm for IT and security professionals. The days of networks having well-defined perimeters, where protection was focused solely on external threats pounding at the firewall door, are over. Cloud security solutions today must address the unique requirements of each variant of cloud computing, whether public, private, or hybrid, including new and increasingly complex multi-cloud environments, while weaving them together into a single, integrated security framework that enables and maintains centralized visibility and control across the entire distributed and highly elastic attack surface.
This article was originally published in CSO.