ra2 studio - Fotolia
For a variety of reasons, many organizations often move beyond using one cloud provider and adopt a multi-cloud deployment model.
Most of the time, the move to multi-cloud is driven by business priorities and decisions that organizations must make regarding service cost, functionality or other priorities. Ease of use is also cited as a popular impetus for the transition to a multi-cloud deployment model.
In a Teradici survey of nearly 500 IT professionals, 81% of respondents agreed that multi-cloud models are valuable, regardless of whether they had implemented one at their organization.
To ensure a successful deployment, it is critical that multi-cloud security challenges stay top of mind for security and IT leaders. Here, learn more about these unique risks and how a well-crafted multi-cloud monitoring strategy can mitigate them.
Common multi-cloud security challenges
There are always potential risks in using cloud service environments, particularly when sensitive assets and data are deployed within them. This could be the case for any one cloud service provider (CSP). However, the risks are easily compounded when using multiple CSPs -- either parallel to or in conjunction with one another.
Here are some possible multi-cloud security challenges:
- Increase in attack surface due to system complexity. The cloud may well simplify some types of activities and deployments, but it also brings new technologies and creates additional surface area that must be locked down. With multiple clouds, this threat surface can grow immensely.
- Data privacy concerns due to multi-tenancy. In any multi-tenant arrangement, there are potential privacy risks due to other tenants' activities. This risk exists in all types of clouds.
- CSPs are not interoperable. There is a legitimate risk of vendor lock-in with each cloud provider used. For example, Azure is not compatible with Google Cloud Platform (GCP), which is not compatible with AWS. This same challenge holds true for third-party tools and products that may be integrated within any one cloud environment.
- Conflict in policies. All cloud providers have their own systems for identity and access management (IAM), network access controls and more. Creating uniform policies that work across multiple clouds may be challenging or even impossible.
- Loss of client control over resources and data due to asset migration. Depending on the types of cloud deployed -- as well as the individual provider policies and shared responsibility model -- organizations may find diminished control or complete loss of control over some parts of their deployments. For example, moving container services into a service such as AWS Fargate would reduce the configuration control over containers and orchestration capabilities.
- Management overhead. Every cloud environment requires a variety of skills to operate and employees' willingness to learn how to properly build and manage its infrastructure and assets. Additional skills and training are required with multiple providers in use.
Address challenges with a multi-cloud monitoring strategy
Multi-cloud deployments can easily become scattered from a security standpoint, so the most critical aspect of a sound security architecture and operations model is centralization.
Infosec teams should centralize security tools and controls whenever possible to improve monitoring and visibility. These initiatives may require some new tools and approaches. Security operations teams should consider incorporating the following three strategies to mitigate multi-cloud security challenges:
- Enable central logging in each cloud. First, AWS CloudTrail, Azure Activity Log and Azure Monitor, and GCP Operations must be enabled and commence logging. Next, security teams should centralize events from all clouds into a cloud-enabled SIEM or other monitoring platform. Cloud-focused SIEM services, like Azure Sentinel and Sumo Logic, are becoming more popular due to ease of integration and broad cloud support.
- Consider a cloud security posture management (CSPM) service. CSPM tools and services can monitor a wide variety of issues within any cloud environment. The idea is to create a policy dictating the desired state or configuration for the cloud infrastructure before monitoring the actual state of what is in place. Examples of cloud control plane issues CSPM can monitor include the following:
- no encryption enabled for cloud storage or databases;
- no encryption for sensitive data traffic in motion;
- lack of sound encryption key management, including old keys or stale keys;
- poorly defined IAM policies that do not adhere to least privilege principles;
- privileged accounts without multifactor authentication enabled;
- open or permissive network access controls;
- exposed data storage, such as accessible S3 buckets; and
- minimal or no logging enabled within the cloud environment.
- Centralize vulnerability scanning services and endpoint security products. To properly evaluate assets in multi-cloud environments, vendor tools that work in numerous cloud environments and report back to a central console are ideal for updating monitoring dashboards and processes. In recent years, a new category of cloud security controls and oversight has developed, known as cloud workload protection platforms (CWPPs). CWPP offerings protect the workload from attacks -- typically, using a combination of network segmentation, system integrity protection, application control, behavioral monitoring, host-based intrusion prevention and optional antimalware protection. In many cases, the vendors in this space may reference zero-trust and microsegmentation capabilities, as well as endpoint detection and response functionality.
By focusing on cloud service logging and centralized security scanning and monitoring services and tools, security teams can better enable a more cohesive and sustainable multi-cloud monitoring strategy. This strategy will help hasten detection and response of issues and incidents, as well as get more manageable over time as it is integrated in overall cloud security policies.