Security in Multi-Cloud Environments

Spiros P, Reblaze Blog, Jul 11, 2019

According to recent research, it’s expected that the hybrid cloud market will be worth $97.64 billion by 2023 — and in 2018, RightScale found that 81% of enterprises are already participating in a multi-cloud strategy. This surge in multi-cloud adoption is due to its many benefits, such as avoiding vendor lock-in, geographical compliance, the ability to derive better capabilities than from a single cloud provider, freedom to select offerings that suit specific needs, cost savings, and improved reliability.

However, multi-cloud security, design, deployment, and maintenance are still challenging tasks that require in-depth knowledge about business and technical requirements — and how to meet them.

In this article, we will dive into multi-cloud’s security challenges and design considerations.

Multi-Cloud Security Challenges

While a multi-cloud strategy offers many benefits, these benefits increase the complexity of security and management. When designing a multi-cloud architecture, the security team needs a holistic strategy to secure the multi-cloud environment.

Each cloud provider offers a suite of security services and features, but they don’t fit multi-cloud’s security requirements, as they don’t scale beyond a single cloud provider. Below are some of the critical security challenges that organizations encounter while building a multi-cloud architecture.

Governance and Visibility

Each cloud provider offers some degree of governance and visibility capabilities. For example, AWS CloudTrail provides user audit log information, and AWS Config provides a configuration history of AWS resources. However, these controls are not sufficient for the multi-cloud environment because AWS CloudTrail won’t work with Microsoft Azure or data center environments.

This is challenging for the security team, as they also need to monitor and manage the equivalent services in Microsoft Azure. While the team can still manage the separate services of each cloud provider, those services may not offer the same functionality or granular controls, which leads to a mismatch in capabilities. On top of that, any governance policy change has to be replicated across each cloud provider’s services, which is painful and error-prone.

Security Design

With a single cloud provider, it is straightforward to architect and design the security and governance architecture, but this is much more complex when developing a multi-cloud security architecture. Think through all of the key security aspects, such as data protection, identity and access management, network protection, host protection, threat management, and encryption. Covering these layers across multiple cloud providers becomes a complicated affair, and it’s important to ensure there is a single control panel to manage all of these security controls across all the cloud providers.

Selection of Tools and Services

Selecting security tools and services is a challenging task, as they need to be compatible with various cloud providers and on-premises data centers. It is difficult to find a tool which is easy to deploy and can scale with emerging requirements. The challenge increases when cloud providers expose the same information in different formats. The tools and services you choose should be able to ingest and transform that data in a meaningful way and make it easy to correlate with other information. On top of that, they should be continuously evolving to keep pace with the growing threat landscape.

Security Team Skill Sets

Despite years of cloud adoption, the skill sets of many security teams are still lacking. With multi-cloud architecture, it is essential to have a team who knows the security practices of all the cloud providers and data centers in order to effectively secure and manage the environment.

Multi-Cloud Security Design Considerations

Now that we’ve reviewed the challenges organizations face while building secure multi-cloud environments, let’s discuss some security design considerations for effective and secure multi-cloud architectures.

Build a Complete Security Governance Framework

Focus on building a full governance framework which provides visibility into the environment. This starts with outlining the regulations for the protection of confidential information, data retention, disaster recovery, identity management, and more. The governance framework should meet internal and external requirements to implement best practices and controls. With the multi-cloud environment, focus on building a visibility and governance platform where the information from all cloud platforms is visible and any changes/deviations are immediately known.

For example, you can either leverage third-party products like Splunk or Sumo Logic (which both integrate with all the key cloud providers) or build your own framework leveraging an ELK or other solution where the information from various cloud providers can flow in. The integration should capture operating system logs, CSP governance logs (like AWS CloudTrail, Stackdriver, Azure Log Analytics, etc.), CSP inventory history logs from AWS Config and comparable services across other cloud providers, load balancer logs, and others. Once the logs are captured and normalized, they can be used for event correlation and to identify any threat to the system.

Create a Centralized Logging, Monitoring, and Alerting Strategy

A successful logging, monitoring, and alerting strategy is the key to building a secure multi-cloud environment. Focus on making integrations for all layers across the multi-cloud environment and ensure the events follow centralized logging, monitoring, and alerting solutions. Once all events are aggregated, they can be used for event correlation, optimizations, and alerting. The monitoring platform should be flexible enough to support any type of integration — from switches/routers to a virtualization layer for the on-premises environment, to the ability to monitor the serverless and containers environment running on the cloud providers.

Again, for these centralized logging solutions, you can use third-party products like Stackify, Logz.io, Splunk, Elastic, and others, or set up your own open-source log management solution using Graylog, ELK Stack, Fluentd, etc. on any public cloud provider or on-premises. The cloud providers’ own services offer similar capabilities (for example, Amazon CloudWatch Logs, Google Stackdriver, and Azure Monitor), but are not as rich in features as the products mentioned above. Once the logs are captured, the necessary log alerting can be created and the security team can be notified.
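The two preceding sections describe the same pipeline: pull governance logs from each provider into one place, normalize them into a common schema, then correlate and alert. The following is an added example (not Reblaze’s code or any vendor’s product) of the normalization and correlation step. The field names follow the public AWS CloudTrail, Azure Activity Log (REST schema) and GCP audit-log formats; the `provider` wrapper around each record, the constructed sample records, and the rule that a principal’s identity is the local part of its e-mail address (in practice you would map each account to the SSO directory) are assumptions made for the example. The detection it runs, privilege-granting changes by one principal across more than one provider inside a time window, is exactly the kind of finding no single provider’s console can surface.

```python
"""Normalize multi-cloud audit events into one schema and correlate them.

Added example, not code from the original article or from Reblaze.
Field names follow the public CloudTrail / Azure Activity Log / GCP
audit-log formats; the sample records are constructed for illustration.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """Provider-neutral audit event."""
    provider: str
    time: datetime
    principal: str   # canonical identity shared across providers
    action: str
    source_ip: str


def _ts(s):
    # Providers emit RFC 3339 timestamps with a trailing Z.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def canonical(principal):
    # Assumption for this example: "alice" and "alice@example.com" are the
    # same person. A real deployment would resolve this via the SSO directory.
    return principal.lower().split("@")[0]


def from_cloudtrail(rec):
    ident = rec["userIdentity"]
    who = ident.get("userName") or ident.get("arn", "unknown")
    action = f'{rec["eventSource"]}:{rec["eventName"]}'
    return Event("aws", _ts(rec["eventTime"]), canonical(who), action,
                 rec.get("sourceIPAddress", ""))


def from_azure_activity(rec):
    ip = rec.get("httpRequest", {}).get("clientIpAddress", "")
    return Event("azure", _ts(rec["eventTimestamp"]), canonical(rec["caller"]),
                 rec["operationName"]["value"], ip)


def from_gcp_audit(rec):
    p = rec["protoPayload"]
    ip = p.get("requestMetadata", {}).get("callerIp", "")
    return Event("gcp", _ts(rec["timestamp"]),
                 canonical(p["authenticationInfo"]["principalEmail"]),
                 p["methodName"], ip)


# Assumed shipper convention: each JSON line is {"provider": ..., "record": ...}.
PARSERS = {"aws": from_cloudtrail, "azure": from_azure_activity, "gcp": from_gcp_audit}

# Actions that grant or extend privilege, per provider (real operation names).
SENSITIVE = {
    "aws": {"iam.amazonaws.com:AttachUserPolicy", "iam.amazonaws.com:PutUserPolicy",
            "iam.amazonaws.com:CreateAccessKey"},
    "azure": {"Microsoft.Authorization/roleAssignments/write"},
    "gcp": {"SetIamPolicy"},
}


def normalize(raw_lines):
    """Parse tagged JSON lines from all providers into time-ordered Events."""
    events = [PARSERS[w["provider"]](w["record"]) for w in map(json.loads, raw_lines)]
    return sorted(events, key=lambda e: e.time)


def privilege_changes_across_providers(events, window_minutes=30):
    """Return (principal, providers) for principals that made privilege-granting
    changes in more than one cloud within window_minutes of each other."""
    window = timedelta(minutes=window_minutes)
    by_principal = defaultdict(list)
    for e in events:
        if e.action in SENSITIVE[e.provider]:
            by_principal[e.principal].append(e)
    findings = []
    for principal, evs in by_principal.items():   # evs inherit time order
        for i, first in enumerate(evs):
            providers = {x.provider for x in evs[i:] if x.time - first.time <= window}
            if len(providers) > 1:
                findings.append((principal, tuple(sorted(providers))))
                break
    return findings


# Constructed sample input: one compromised identity touching IAM in all three
# clouds within 25 minutes, plus benign activity by a second user.
SAMPLE_LINES = [
    json.dumps({"provider": "aws", "record": {
        "eventTime": "2019-07-11T09:02:10Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "Alice"}}}),
    json.dumps({"provider": "azure", "record": {
        "eventTimestamp": "2019-07-11T09:14:45Z", "caller": "alice@example.com",
        "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
        "httpRequest": {"clientIpAddress": "198.51.100.7"}}}),
    json.dumps({"provider": "gcp", "record": {
        "timestamp": "2019-07-11T09:20:00Z", "protoPayload": {
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.5"}}}}),
    json.dumps({"provider": "gcp", "record": {
        "timestamp": "2019-07-11T09:25:00Z", "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"}}}}),
    json.dumps({"provider": "aws", "record": {
        "eventTime": "2019-07-11T10:05:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "IAMUser", "userName": "bob"}}}),
]

if __name__ == "__main__":
    for principal, providers in privilege_changes_across_providers(normalize(SAMPLE_LINES)):
        print(f"ALERT: {principal} changed IAM in {', '.join(providers)} within 30 min")
```

Bob’s `CreateAccessKey` is sensitive but stays within one provider, so it produces no cross-cloud finding; a per-provider rule in CloudWatch or Azure Monitor would catch it, which is why the centralized layer complements rather than replaces native alerting. Tightening `window_minutes` to 5 makes Alice’s activity drop out as well, which is the usual tuning trade-off between noise and missed correlations.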

Build a Centralized Network and Application Traffic Management System

The number of entry and exit network traffic points defines how complex it is to manage the security of the environment. With more entry/exit points, it’s important to ensure each point is guarded adequately by network monitoring tools like firewalls, NATs, WAFs, and others.

To minimize management complexity, build a network entry point for the entire architecture so that all network and application traffic can come through the same gateway. Once the architecture is designed in this way, the security team can guard the gateway by enforcing proper security controls, gaining complete visibility of the environment. If there is a malicious threat for any application, the team can block the traffic at the gateway for all applications.

The United States Defense Information Systems Agency’s (DISA) Security Cloud Computing Architecture recommends building a Cloud Access Point and Virtual Datacenter Security Stack layer for the entire architecture to protect applications and data. You can also leverage AWS or other cloud providers to build your Cloud Access Points, and the traffic can be routed back to respective cloud architectures hosted across different cloud providers or on-premises data centers. On AWS, the combination of AWS Shield, AWS WAF, Amazon GuardDuty, and VPC Flow Logs can help you build a (partial) security layer, while Reblaze can convert this layer into a complete, automated web security solution.

Leverage Standard SSO Capabilities for User Access Management Across Multiple Tools

Identity management is another challenging aspect for organizations hosting numerous applications on the cloud. Various teams can choose different cloud providers for their applications based on which one(s) meets their requirements. In such cases, it is recommended to use a centralized single sign-on solution, which will allow the security team to effectively manage user access across various cloud providers, the operating system layer (SSH/RDP access), the application layer, and more. A centralized single sign-on solution provides the security team with a complete user activity history, and any malicious activity can be immediately recorded, alerted, and acted upon.

There are many third-party products which provide these capabilities, including Okta, Ping, Centrify, and more. Azure Active Directory is also widely used; Google provides Cloud Identity solutions, and AWS has released SSO, which is still maturing.

Train Your Teams on the Multi-Cloud Environment and Integrated Platform

As we already discussed, the skill sets of many security teams can be a challenge. The best way to handle this is by building a strong learning program for your internal team (not just the security team, but extended to all relevant IT departments). Also, while adopting multi-cloud architectures, focus on continuous DevSecOps education for the entire organization. After every user mistake, relevant teams should be required to read through the security and compliance policy. As more team members are educated about security controls and procedures, the probability of mistakes will decrease significantly.

Conclusion

A multi-cloud architecture provides great value and helps organizations produce the best architecture for their business requirements. However, the success of the entire multi-cloud approach depends on well-designed architecture with a strong emphasis on security. Each cloud provider offers native security services and features, but they aren’t enough. Every cloud-native mechanism has certain limitations.

Reblaze can help secure your environment completely. Reblaze offers extra value by providing a next-generation WAF/IPS with machine learning capabilities, advanced bot detection, and all-layer DDoS protection. Reblaze supports all the top-tier cloud platforms, so your security team can benefit from the same level of consistency, features, and capabilities across numerous vendors.

For more information, you can contact us here.

image credit: Markus Spiske
