Security in a Multicloud Environment
Multicloud strategies are often adopted with benefits such as enhanced reliability, access to vendor-specific solutions and the ability to avoid vendor lock-in in mind. These anticipated benefits of engaging with multiple cloud providers also create challenges in scaling and maintaining security and compliance across diverse environments. Three of the most frequently encountered challenges surrounding multicloud security and a few methods to address them are discussed below.
Challenges in a Multicloud Environment
Challenge #1 – Team Skill Sets
Maintaining multiple cloud environments requires a broad coverage of skills, both for infrastructure and security teams. One thing to avoid is the proverbial “jack of all trades, master of none” attitude that can occur when hiring new cloud-experienced employees or when transitioning existing skill sets to multiple cloud environments.
A team’s skill set can become a compounding problem when managing and deploying controls without sufficient automation, which is especially prevalent when a company is first migrating to the cloud. Not only is the team learning to deploy applications and infrastructure with minimal configuration templates and visibility, but this effort must also be repeated for each cloud environment.
Challenge #2 – Maintenance and Consistency of Cloud Native Security Tooling
Cloud vendors provide a variety of logging, analysis and reporting tools to increase insight into access, configuration and performance for cloud-native servers and applications. Security tooling is traditionally built on top of or beside these tools to drive insight into processes or security controls and how effective they are. Further, the tools for one cloud provider will be different from those provided by another. The outcomes are often aligned, but the particulars of how they can be most effectively configured and utilized are different.
These security-developed views, reports and processes must continuously be evaluated and updated for effectiveness and accuracy as new functionality and tools are added at a rapid pace by cloud vendors. This effort is compounded when evaluating and ensuring the alignment of these views and reports across multiple cloud environments.
Challenge #3 – Managing Security Compliance
A tenet of security compliance in the cloud is a shared-responsibility model between the company and the cloud provider. Shared responsibility establishes the relationship between a cloud vendor’s hardware and software and the end user or company’s data or service hosted on the cloud vendor’s software. Between the various cloud vendors, there are differences in the shared-responsibility model, regulations a cloud vendor has certified specific services against and evidence that they provide to document either of these aspects of their business.
When a company is managing the governance and documentation of this relationship in a multicloud environment, the change can quickly make governance more complex. Instead of a cloud vendor hosting a company’s data, the situation changes to “company’s data in cloud A goes to company’s software hosted in cloud B.” The additional party requires governance to be managed around this handoff as well as documentation to be gathered from both vendors’ systems to ensure that any controls or regulations are being sufficiently managed and stay aligned regardless of where the data or system is located.
Methods of Managing a Multicloud Environment
Align Different Cloud Environments to Specific Functions
Don’t let multicloud become any cloud. When designing for a multicloud environment, make it a priority to drive similarly functional development and infrastructure teams to stick to a single cloud environment that best meets their application’s needs and use cases. An example of this could be to align all back-office applications to Azure, while all customer-facing applications are required to be built and managed in AWS.
A benefit of this model is to keeps a team’s skill requirements very clear. For example, consider the company above, which is looking to hire a back-office automation engineer. Because the entire back-office team is on Azure, the hiring manager can focus on engineers with experience with PowerShell, the preferred scripting language for Azure, instead of looking for someone knowledgeable in several scripting languages to handle automation across both Azure and AWS.
Utilize Third-Party Security Tooling to Ensure Consistency Across Environments
Third-party security tooling can help alleviate the manual effort required to ensure that controls fit the specifics of a multicloud environment and are applied consistently.
At Protiviti, clients have successfully used tools such as evident.io and Dome9 security to ensure that security controls are aligned across all environments. These tools provide framework, alerting and reporting functionality that is continuously updated to ensure that reporting stays aligned and consistent either within a single cloud or across a multicloud environment.
In addition to security-specific tooling, using cloud-agnostic tools such as Terraform and the Serverless Framework can help scale automation, change management and roles across multiple environments.
For example, roles can be established in Terraform to support change-management approval workflows. When this role is established, a workflow can be implemented that ensures that this role signs off prior to any production change. When executed, this role would see all ready-for-production changes or code commits regardless of the production environment that change is being implemented in.
Automate and Use Security/Compliance as Code Where Applicable
When implementing a multicloud environment strategy, front-loading the tooling and automation helps ensure that rework is as limited as possible. Automation also helps ensure that human error, due either to unfamiliarity with a cloud environment or to scaling issues, is minimized. An example of automation that can help in a multicloud environment is monitoring and analyzing cost. While cloud vendors provide detailed reporting, adding automation to align these reports and make them consistent can have an immediate effect on a decision-maker’s ability to understand the ramifications of design decisions, regardless of the environment.
When evaluating opportunities to automate, one major security area to consider is Compliance as Code (CaC). When developing CaC early in the multicloud strategy rollout, artifact generation can be implemented to ensure that outputs are cloud-agnostic and consistent. This effort will help compliance teams and reviewers by minimizing cloud-specific compliance processes.
Security and compliance in a multicloud environment can present complex problems for your organization to solve. However, by utilizing the following methods, you can reduce future challenges and headaches and take full advantage of the features a multicloud strategy offers:
- Ensuring that your multicloud approach is thoughtful and aligned with your organization
- Utilizing third-party security and implementation tools where applicable
- Front-loading automation and CaC effort