In previous chapters, we covered hybrid cloud and how to connect your on-premises data centers to Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP), and how to create a hybrid cloud architecture. In this chapter, we will cover one of the most complex scenarios in the cloud – managing multi-cloud environments. Multi-cloud is about using more than one cloud or cloud provider to setup a common environment, infrastructure, or even an application layer.
Organizations taking their first steps using cloud services consider a multi-cloud approach as a solution for protecting themselves against a vendor lock-in scenario – a scenario where our entire infrastructure or applications rely on a single cloud provider's ecosystem.
One of the questions organizations ask themselves is, what do we do if the cloud provider goes out of business? How do we migrate our assets to another cloud provider? In theory, a multi-cloud approach might resolve the vendor lock-in risk; however, organizations need to be aware of the complexities that come with multi-cloud environments.
Business continuity is another major concern. A multi-cloud architecture allows us to deploy workloads on more than one cloud provider, which reduces the impact on a business that might happen with a single cloud provider (for example, an outage to an authentication service that blocks us from working with services deployed on the cloud).
A multi-cloud architecture allows us to create disaster recovery solutions, where one cloud provider is configured as a failover for another cloud provider. These architectures, based on containers, allow us portability between cloud providers while decreasing the dependencies on a specific cloud ecosystem (from Virtual Machines (VMs), storage services, managed databases, and so on). Multi-cloud allows us to have the benefits of each cloud provider's ecosystem, including the latest versions of Kubernetes, the most scalable NoSQL database, and the latest GPU processors.
In this chapter, we will cover the following topics:
For this chapter, you need to have a solid understanding of concepts such as identity management, network, compute, and how to secure cloud environments.
Prior to using a multi-cloud architecture, we need to ask ourselves, what are we trying to achieve through a multi-cloud strategy? Some of the most common use cases for choosing a multi-cloud strategy are discussed in the following sections.
Most cloud providers offer us the same fundamental services (such as compute, storage, and database). Having the freedom to select a cloud provider allows us to decide for each workload where we wish to deploy our resources (VMs, containers, database, and so on), in case one of the cloud providers changes its Service Level Agreement (SLA) or pricing model.
This freedom means that if one of the cloud providers offers a certain service that is not available on other cloud providers, such as data analytics for large datasets, or a Function-as-a-Service offering that supports a certain development language that is not supported by other cloud providers, you are free to select a multi-cloud strategy.
In most cases, spreading your workloads over several cloud providers will increase the cost, due to outbound (or egress) traffic costs over the internet and between cloud providers, and the knowledge required to train your staff to work with multiple cloud providers.
There are scenarios where you are able to consume the same service from multiple cloud providers, while the cost of using the service is cheaper with one of the cloud providers, in a region close to your customers.
Organizations need to take into consideration that spreading their workloads over multiple cloud providers will impact volume-based discounts, where they may not achieve economies of scale. In the context of this section, an organization must consider what capabilities it must establish in all cloud providers.
Even though most major cloud providers have data centers in central locations in US and Europe, there are cases where your organization is required by local laws or regulations to keep customer data locally in a specific country. There might be scenarios where a specific cloud provider has no local presence in one of your customer's origins, making a multi-cloud approach a suitable solution.
Storing data in multiple locations, with multiple cloud providers, will decrease the risk of your organization losing data or overcoming cloud provider service availability in a certain region or even overcoming global service availability issues.
Even though most major cloud providers offer Distributed Denial of Service (DDoS) protection services, there might be scenarios where one of the cloud providers is currently under a DDoS attack themselves, cloud providers might suffer from service outages, internet providers may encounter latency, or workloads may fail for various reasons.
To improve reliability, consider topics such as the following:
Having the ability to switch your workloads to another cloud provider (assuming you have already built an entire production environment on another cloud provider and synched data) will allow you to mitigate the risk of having your services unavailable.
A multi-cloud strategy must address identity management. Each cloud provider has its own Identity and Access Management (IAM) solution, which causes challenges and opportunities for a centralized identity life cycle (onboarding, access management, and offboarding) and credential management.
The aforementioned challenges increase the motivation to centralize on a single IAM solution that must be integrated with each cloud provider.
A multi-cloud strategy must address data security issues. Common examples of data security in a multi-cloud environment are as follows:
A multi-cloud strategy makes asset management a challenge for any organization. An organization must have visibility or a real-time, centralized inventory of its entire cloud environment – what assets it has, where its assets are located (which cloud provider and which account), who owns its assets, and who has access to its assets.
A multi-cloud strategy must address the fact that working with multiple cloud providers requires hands-on experience in architecture, development, and operations, working with multiple cloud solutions. An organization must invest in employee training as an ongoing process to allow employees the necessary knowledge to maintain multiple cloud platforms. An important topic to invest in is automation, to scale the impact of employees and to reduce the operational burden.
For more information, refer to the following resources:
How computing has evolved, and why you need a multi-cloud strategy:
https://cloud.google.com/blog/topics/hybrid-cloud/future-isnt-just-cloud-its-multi-cloud
The Multi-Cloud & How To Create A Multi-Cloud Strategy:
https://www.bmc.com/blogs/multi-cloud-strategy
A multi-cloud strategy helps organizations decide in which scenario to select a different cloud provider or different cloud service. Such a strategy must address data security topics (including data residency, availability, and protection mechanisms).
One important topic that organizations should consider is the fact that a multi-cloud approach demands highly experienced and trained employees, and as such, organizations must invest in employee training.
One of the first things to decide on, prior to using a multi-cloud strategy, is identity management. Organizations would like to keep their existing Identity Provider (IdP), have a single identity for each of their end users (while preserving existing credentials), and still be able to access resources in the cloud. If an organization is already using Office 365 for managing mailboxes and collaboration, consider using Azure Active Directory (AAD) and its central identity management service.
Azure AD is considered the most used IdP. It supports identity federation to most major cloud providers and is able to integrate with most Software as a Service (SaaS) solutions. Other popular identity management providers that are outside the scope of this book are Okta, Ping Identity, and OneLogin, which allow you a universal directory service for managing your users, groups, and devices, enforcement of Multi-Factor Authentication (MFA), and single sign-on for multiple cloud providers and SaaS applications.
AWS provides the following services to manage identity over multi-cloud environments:
Best practices are as follows:
For more information, refer to the following resources:
Automate SAML 2.0 federation for AWS multi-account environments that use Azure AD:
Adding SAML identity providers to a user pool:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
Adding multi-factor authentication (MFA) to a user pool:
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
How to use G Suite as an external identity provider for AWS SSO:
https://aws.amazon.com/blogs/security/how-to-use-g-suite-as-external-identity-provider-aws-sso/
Azure provides the following services to manage identity over multi-cloud environments:
Best practices are as follows:
For more information, refer to the following resources:
Multi-cloud security and identity with Azure and Amazon Web Services (AWS):
https://docs.microsoft.com/en-us/azure/architecture/aws-professional/security-identity
Azure Active Directory integration with Amazon Web Services:
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/aws-multi-accounts-tutorial
Recommendations and best practices for Azure Active Directory B2C:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/best-practices
Google provides Cloud IAM as a service that allows integration with other IdPs such as AWS or Azure AD.
Best practices are as follows:
For more information, refer to the following resources:
Configuring workload identity federation:
https://cloud.google.com/iam/docs/configuring-workload-identity-federation
Federating Google Cloud with Azure Active Directory:
https://cloud.google.com/architecture/identity/federating-gcp-with-azure-active-directory
Azure AD user provisioning and single sign-on:
Selecting an authentication and authorization method allows an organization to reuse its existing IdPs and to keep a single identity for each of its end users in a central repository.
When possible, it is recommended to manage user identities using a central Identity Management (IDM) system for provisioning and de-provisioning on your chosen cloud IdP.
The second important thing to consider when building a multi-cloud architecture is how to set up network connectivity between the various cloud providers, and between on-premises software and cloud providers.
The recommended way to connect to cloud environments is a secure and permanent network connection using dedicated interconnect (such as AWS Direct Connect or Azure ExpressRoute) for connecting from the on-premises to the cloud or using a site-to-site Virtual Private Network (VPN) (either from on-premises to the cloud or between cloud providers).
A secured and permanent connection will allow access control (layer 4 firewall rules) to be set between cloud providers and cloud segments, and keep access to resources in the cloud (or allowing access to cloud resources) according to business needs.
When considering network architecture, you need to consider the following:
Let's now proceed to look at how to create connectivity between AWS and GCP in the next section.
To create an IPsec VPN tunnel between AWS and GCP, follow these high-level guidelines:
Best practices are as follows:
For more information, refer to the following resources:
Connecting an AWS and GCP VPC using an IPSec VPN Tunnel with BGP:
Build HA VPN connections between Google Cloud and AWS:
https://cloud.google.com/architecture/build-ha-vpn-connections-google-cloud-aws
Multi-Cloud Architecture using VPN between GCP and AWS:
https://blog.searce.com/multi-cloud-architecture-using-vpn-between-gcp-and-aws-167a5e739079
To create an IPsec VPN tunnel between AWS and Azure, follow these high-level guidelines:
Important Note
For network redundancy, create two VPN tunnels.
Best practices are as follows:
For more information, refer to the following resource:
How to create a VPN between Azure and AWS using only managed solutions:
To create an IPsec VPN tunnel between Azure and GCP, follow these high-level guidelines:
Important Note
For network redundancy, create two VPN tunnels.
Best practices are as follows:
For more information, refer to the following resource:
Creating a Site to Site VPN Connection Between GCP and Azure with Google Private Access:
According to your business requirements, you can have a secured and redundant connection between cloud providers using a site-to-site VPN connection.
Data security in the cloud relates to protecting data as it transfers over the network, at rest, and in use.
To secure your cloud environment, make sure that all data traverses through secured protocols. Some alternatives to secured protocols are as follows:
All major cloud providers have their own Key Management Services (KMSes), for managing keys, secrets, credentials, and so on. Although the built-in KMSes can store, manage, retrieve, and rotate keys and secrets, they are integrated into their own cloud provider's ecosystem. When selecting a solution for handing encryption at rest, look for the following capabilities:
Important Note
Consider a Hardware Security Module (HSM)-based solution when you need to comply with regulations (such as PCI DDS), since HSM devices are tamper-resistant and tamper-proof.
The concept of encryption in use is to be able to protect data while running in memory on a VM or a container. The best-known concept for encryption in use is confidential computing. Common confidential computing alternatives are as follows:
To protect data in multi-cloud environments, combined with central provisioning solutions, aim to deploy VMs or containers that support one of the aforementioned confidential computing solutions.
In this section, we have reviewed various ways to protect data in cloud environments. Enforcing the use of encryption in all layers (at transit, at rest, and in use) will allow you to protect your cloud environment, even when working in multi-cloud environments.
Although cost management (also known as financial management or FinOps) may not seem directly related to security, it has implications on a multi-cloud environment.
Cost management is part of having visibility over your entire multi-cloud environment, from a cost point of view. All major cloud providers have their own built-in cost management services that allow you the necessary visibility of your cloud accounts, subscriptions, or projects.
When organizations are moving from a single cloud provider (in many cases, with multiple accounts at the same cloud provider, for different environments or business needs) to a multi-cloud setup, they begin to realize that they lack the necessary visibility regarding cloud cost.
Some of the concerns organizations often have are as follows:
The possible risks of not having cost visibility are as follows:
Best practices are as follows:
For more information, refer to the following resources:
The 2021 Guide to Multi-Cloud Billing and Cost Management:
https://www.meshcloud.io/2020/12/23/the-2021-guide-to-multi-cloud-billing-and-cost-management/
How to take control of your multi-cloud costs:
In this section, we have reviewed the importance of having visibility of your cloud costs over multi-cloud environments, as part of multi-cloud governance. Having visibility over costs in a multi-cloud environment will allow you to mitigate the risk of high payments or potential hidden bitcoin mining in one of your cloud accounts.
As part of having visibility in your multi-cloud environments, over the past couple of years, a new concept has emerged.
There are multiple offers from many third-party CSPM vendors, but the fundamental idea behind all CSPM solutions is to have visibility of misconfigurations – a crucial topic when working in a multi-cloud environment and managing multiple cloud accounts. When selecting a CSPM solution, look for the following capabilities:
For more information, refer to the following resources:
Cloud Security Posture Management (CSPM):
https://searchcloudsecurity.techtarget.com/definition/Cloud-Security-Posture-Management-CSPM
The Past, Present And Future Of Cloud Security And CSPM Solutions:
In this section, we have reviewed the concept of CSPM solutions to have visibility of our entire cloud environments. We have also reviewed the CSPM capabilities when selecting a CSPM solution.
A new concept developed in the past couple of years is CIEM. Some vendors offer a combined solution of both CSPM and CIEM into a single product, which factors in a multi-cloud partner strategy.
CIEM solutions allow us to monitor and manage identities (both human and machine) and access privileges in a multi-cloud environment, from a central console, while applying the principle of least privilege access to our cloud infrastructure. When selecting a CIEM solution, look for the following capabilities:
For more information, refer to the following resource:
What is CIEM and why should CISOs care?
https://searchcloudsecurity.techtarget.com/post/What-is-CIEM-and-why-should-CISOs-care
In this section, we have reviewed the concept of CIEM solutions for detecting and remediating misconfiguration regarding IAM. We have also reviewed the CIEM capabilities when selecting a CIEM solution.
One of the challenges in multi-cloud environments is controlling software updates and configuration changes from a central place. When selecting a patch management solution, look for the following capabilities:
Another topic that needs to be addressed when working with development teams is taking care of open source libraries, also known as Software Composition Analysis (SCA). When selecting an SCA solution, look for the following capabilities:
Configuration and change management are also crucial topics to take care of in multi-cloud environments. When selecting configuration and change management solutions, look for the following capabilities:
In this section, we have reviewed patch management and configuration/change management in a multi-cloud environment. Since multi-cloud environments face many challenges in these areas, we have reviewed important capabilities to look out for when searching for a solution to manage security patches and configuration management.
Monitoring is a crucial part of multi-cloud visibility. It can have multiple layers, such as the following:
In this section, we will focus on security monitoring. When selecting a security monitoring solution for multi-cloud environments, look for the following capabilities:
In this section, we have reviewed security monitoring and auditing in a multi-cloud environment. We have also reviewed the important capabilities to look for when searching for a solution for security monitoring in multi-cloud environments.
In this chapter, we have focused on multi-cloud environments. We have reviewed the importance of having a multi-cloud strategy to allow organizations to adopt multi-cloud environments. We have also discussed the various IAM solutions from AWS, Azure, and GCP that allow organizations to have a central directory service that can keep a single identity for each end user.
We looked at the various methods that AWS, Azure, and GCP allow organizations to connect between different cloud environments on different cloud providers using a site-to-site VPN tunnel. We also discussed the various data security mechanisms (encryption at transit, encryption at rest, and confidential computing). Then, we reviewed the importance of cost management in multi-cloud environments. We reviewed the concepts of CSPM and CIEM. Finally, we looked at patch management, configuration management, and monitoring in multi-cloud environments.
Understanding the topics mentioned in this chapter will provide organizations with the necessary tools when they build multi-cloud architectures.
In the final chapter of the book, we will review security in large-scale cloud environments (such as configuring governance and policies using infrastructure as code for automation, patch management, compliance, and vulnerability management).
18.219.162.138