Cloud

Security in a Multicloud Environment

Heath AndersonTim Kelly
October 29, 2018
6 min read

Security in a Multicloud Environment

Multicloud strategies are often adopted with benefits such as enhanced reliability, access to vendor-specific solutions and the ability to avoid vendor lock-in in mind. These anticipated benefits of engaging with multiple cloud providers also create challenges in scaling and maintaining security and compliance across diverse environments. Three of the most frequently encountered challenges surrounding multicloud security and a few methods to address them are discussed below.

Challenges in a Multicloud Environment

Challenge #1 – Team Skill Sets

Maintaining multiple cloud environments requires a broad coverage of skills, both for infrastructure and security teams. One thing to avoid is the proverbial “jack of all trades, master of none” attitude that can occur when hiring new cloud-experienced employees or when transitioning existing skill sets to multiple cloud environments.

A team’s skill set can become a compounding problem when managing and deploying controls without sufficient automation, which is especially prevalent when a company is first migrating to the cloud. Not only is the team learning to deploy applications and infrastructure with minimal configuration templates and visibility, but this effort must also be repeated for each cloud environment.

Challenge #2 – Maintenance and Consistency of Cloud Native Security Tooling

Cloud vendors provide a variety of logging, analysis and reporting tools to increase insight into access, configuration and performance for cloud-native servers and applications. Security tooling is traditionally built on top of or beside these tools to drive insight into processes or security controls and how effective they are. Further, the tools for one cloud provider will be different from those provided by another. The outcomes are often aligned, but the particulars of how they can be most effectively configured and utilized are different.

These security-developed views, reports and processes must continuously be evaluated and updated for effectiveness and accuracy as new functionality and tools are added at a rapid pace by cloud vendors. This effort is compounded when evaluating and ensuring the alignment of these views and reports across multiple cloud environments.

Challenge #3 – Managing Security Compliance

A tenet of security compliance in the cloud is a shared-responsibility model between the company and the cloud provider. Shared responsibility establishes the relationship between a cloud vendor’s hardware and software and the end user or company’s data or service hosted on the cloud vendor’s software. Between the various cloud vendors, there are differences in the shared-responsibility model, regulations a cloud vendor has certified specific services against and evidence that they provide to document either of these aspects of their business.

When a company is managing the governance and documentation of this relationship in a multicloud environment, the change can quickly make governance more complex. Instead of a cloud vendor hosting a company’s data, the situation changes to “company’s data in cloud A goes to company’s software hosted in cloud B.” The additional party requires governance to be managed around this handoff as well as documentation to be gathered from both vendors’ systems to ensure that any controls or regulations are being sufficiently managed and stay aligned regardless of where the data or system is located.

Methods of Managing a Multicloud Environment

Align Different Cloud Environments to Specific Functions

Don’t let multicloud become any cloud. When designing for a multicloud environment, make it a priority to drive similarly functional development and infrastructure teams to stick to a single cloud environment that best meets their application’s needs and use cases. An example of this could be to align all back-office applications to Azure, while all customer-facing applications are required to be built and managed in AWS.

A benefit of this model is to keeps a team’s skill requirements very clear. For example, consider the company above, which is looking to hire a back-office automation engineer. Because the entire back-office team is on Azure, the hiring manager can focus on engineers with experience with PowerShell, the preferred scripting language for Azure, instead of looking for someone knowledgeable in several scripting languages to handle automation across both Azure and AWS.

Utilize Third-Party Security Tooling to Ensure Consistency Across Environments

Third-party security tooling can help alleviate the manual effort required to ensure that controls fit the specifics of a multicloud environment and are applied consistently.

At Protiviti, clients have successfully used tools such as evident.io and Dome9 security to ensure that security controls are aligned across all environments. These tools provide framework, alerting and reporting functionality that is continuously updated to ensure that reporting stays aligned and consistent either within a single cloud or across a multicloud environment.

In addition to security-specific tooling, using cloud-agnostic tools such as Terraform and the Serverless Framework can help scale automation, change management and roles across multiple environments.

For example, roles can be established in Terraform to support change-management approval workflows. When this role is established, a workflow can be implemented that ensures that this role signs off prior to any production change. When executed, this role would see all ready-for-production changes or code commits regardless of the production environment that change is being implemented in.

Automate and Use Security/Compliance as Code Where Applicable

When implementing a multicloud environment strategy, front-loading the tooling and automation helps ensure that rework is as limited as possible. Automation also helps ensure that human error, due either to unfamiliarity with a cloud environment or to scaling issues, is minimized. An example of automation that can help in a multicloud environment is monitoring and analyzing cost. While cloud vendors provide detailed reporting, adding automation to align these reports and make them consistent can have an immediate effect on a decision-maker’s ability to understand the ramifications of design decisions, regardless of the environment.

When evaluating opportunities to automate, one major security area to consider is Compliance as Code (CaC). When developing CaC early in the multicloud strategy rollout, artifact generation can be implemented to ensure that outputs are cloud-agnostic and consistent. This effort will help compliance teams and reviewers by minimizing cloud-specific compliance processes.

Conclusion

Security and compliance in a multicloud environment can present complex problems for your organization to solve. However, by utilizing the following methods, you can reduce future challenges and headaches and take full advantage of the features a multicloud strategy offers:

  • Ensuring that your multicloud approach is thoughtful and aligned with your organization
  • Utilizing third-party security and implementation tools where applicable
  • Front-loading automation and CaC effort

Heath Anderson

Senior Consultant
Technology Consulting

View all posts

Tim Kelly

Senior Manager
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
2 Nov

Many often overlook the potential impact—both positive and negative—a #TechnModernization project can have on operational #resilience. #ProtivitiTech's Kim Bozzella shares her thoughts with #Forbes Technology Council. https://ow.ly/1FLA50TYIaE

Reply on Twitter 1852806697112187072 Retweet on Twitter 1852806697112187072 Like on Twitter 1852806697112187072 Twitter 1852806697112187072
protivititech Protiviti Technology @protivititech ·
1 Nov

Establishing a scalable #AI #governance framework is crucial for balancing innovation with #risk and #compliance. Dive into our latest ebook, co-authored with #OneTrust, to explore key steps and technologies that will elevate your AI governance strategy. https://ow.ly/QqKy50TVUx3

Reply on Twitter 1852320075530809735 Retweet on Twitter 1852320075530809735 Like on Twitter 1852320075530809735 Twitter 1852320075530809735
protivititech Protiviti Technology @protivititech ·
31 Oct

News reports implied that China has managed to break "military grade" encryption using quantum computers. But the truth is more complicated than that. Protiviti's #quantum expert Konstantinos Karagiannis explains it all to #VISIONbyProtiviti. https://ow.ly/Zb9z50TWNuh

Reply on Twitter 1852018952433549469 Retweet on Twitter 1852018952433549469 Like on Twitter 1852018952433549469 Twitter 1852018952433549469
protivititech Protiviti Technology @protivititech ·
31 Oct

The #IIoT can help organizations collect and analyze data to optimize operations and maximize resources. #ProtivitiTech's Kim Bozzella details how IIoT can yield benefits for businesses and the people they serve with #Forbes #Technology Council. https://ow.ly/V5I250TVLAj

Reply on Twitter 1851988257015226688 Retweet on Twitter 1851988257015226688 Like on Twitter 1851988257015226688 Twitter 1851988257015226688
protivititech Protiviti Technology @protivititech ·
31 Oct

Protiviti has earned the AWS DevOps Competency, which complements our existing Migration and Security Competencies. These competencies reflect Protiviti's ability to deliver comprehensive AWS system integration services. https://ow.ly/Baj550TWR9I

#AWSDevOps #AWSCloud #AWS

Reply on Twitter 1851821523918528853 Retweet on Twitter 1851821523918528853 Like on Twitter 1851821523918528853 1 Twitter 1851821523918528853
Load More