Strategy 4: Enable Consistent Security Policies Everywhere
As your cloud operations expand to encompass multiple private and public clouds, security challenges can increase exponentially. When the Flexera 2020 State of the Cloud survey asked about top cloud challenges, security ranked number one (chosen by 83% of responders). Compliance also ranked high (76%).
This strategy explores why the challenges around security and compliance are growing, and it suggests an approach for simplifying security management for hybrid cloud.
Hybrid Cloud Amplifies Security Challenges
As with infrastructure management in general, the default for hybrid cloud security is a siloed approach that increases complexity and risk.
Security Silos
Each cloud has its own security model and tools. To ensure security, you therefore need people on your team skilled in the security tools for each cloud. This gets complicated quickly:
With different tools in each cloud, there’s no standard approach to security monitoring or remediation.
With no global view of security across your hybrid cloud environment, applying the same security policies everywhere is a manual process.
Changing security policies globally becomes complicated and error-prone.
Increased Compliance Demands
The lines between security and compliance can sometimes seem blurry, so it’s useful to think of security as internally driven, based on your organization’s own assessment of its digital protection needs. Compliance, on the other hand, is usually driven externally by government regulations or contractual obligations.
No matter what industry you are in, it’s likely that your business is subject to regulatory compliance. For example, all companies that operate in Europe have to comply with the European GDPR regulations, which took effect in 2018.
If you’re in a highly regulated industry such as finance or healthcare, compliance is probably something you factor into all IT decisions. You may need to ensure compliance with well-known regulations such as HIPAA in healthcare or PCI-DSS and GLBA in financial services.
Proving that your business complies with applicable regulations has become a complicated task and requires significant attention. And it becomes more challenging with every new cloud environment you support.
Growing Risks of Human Error
As your hybrid cloud environment becomes more complex and security needs more stringent, continued reliance on manual security configuration only adds to the risks. As already noted, one of the biggest causes of data breaches is human error.
Every vendor and cloud has unique security controls—with no established guidelines for secure integration among them. This makes it difficult or impossible to apply security policy in a consistent way everywhere and contributes to configuration errors.
Increased Threats
A final consideration where security and compliance are concerned is that threats continue to mount. With a large percentage of employees now working from home—and accessing resources across your hybrid cloud—the number of possible attack vectors has increased dramatically. How do you protect at-home systems from phishing attacks or ensure endpoint security, version control, or anti-malware protections? Research firm Cybersecurity Ventures estimates that the global costs of ransomware alone will reach $20 billion by 2021.
And yet according to the CyberArk 2020 Remote Work survey, “40% of organizations have not increased their security protocols despite the significant change in the way employees connect to corporate systems and the addition of new productivity applications.”
Plan of Action: Implement Global, Policy-Based Security
Security silos are just as bad for hybrid cloud operations as management silos are—and potentially even riskier for your company. Your goal should be to find solutions that abstract the differences between various cloud security models to provide global visibility of your company’s security posture, as shown in Figure 4-1.
Figure 4-1. The right multicloud security solution should provide global visibility of vulnerabilities.
The capabilities of multicloud security management tools vary widely, and each has its own strengths and limitations, so it’s important to understand your requirements before picking a solution.
Identify Your Goals
When choosing security and/or compliance tools, it’s important to assess your environment and think about what your goals and priorities are. Your goals may include some or all of the following:
- Unified view
- Visibility of your company’s security posture across all private and public clouds, including the ability to drill down into particular locations and issues.
- Policy and controls
- Ability to manage and enforce consistent security controls across all environments.
- Real-time detection
- Ability to identify and flag vulnerabilities as they arise versus hours or days after the fact.
- Alerting
- Notification to appropriate personnel when vulnerabilities arise.
- Compliance auditing
- Ability to audit private and public cloud environments for compliance with regulations such as HIPAA, NIST, PCI-DSS, etc.
- Reporting
- Ability to generate regularly scheduled security and audit reports to demonstrate compliance.
- Remediation
- The ability to correct common vulnerabilities without operator assistance—or at least identify necessary corrective actions.
- Extensibility
- No tool or set of tools is likely to address all your requirements out of the box. Therefore, it may be important to choose a tool that can be extended to address unique needs now and as they arise in the future.
Choose the Right Solution
Some of the solutions available for multicloud security and compliance overlap with those described earlier for multicloud infrastructure management. Although it may make sense in terms of your team’s learning curve and the total cost to choose a single tool that satisfies multiple needs, be careful not to sacrifice key capabilities in the process:
- Hybrid cloud management software
- There are a number of hybrid cloud management vendors that offer integrated and add-on multicloud security capabilities.
- Platform vendor solutions
- If you opted for a platform vendor that provides a unified control plane in Strategy 1, by definition you’ll have the same (or a very similar) security model across environments, simplifying security management. Security is an important consideration when evaluating unified platform solutions.
- Other solutions
- There are too many solutions in the multicloud security space to enumerate them. Do your homework and make sure you pick a solution that will grow with your needs.
Summary
With new malware attacks and data breaches occurring with ever greater frequency, security and compliance remain among the top hybrid cloud concerns. However, only about one-third of enterprises have adopted hybrid or multicloud security management tools. Deploying one (or more) of the available security tools is the best way to gain a global view of security and compliance and improve your company’s overall security posture.
- Key takeaways
-
-
A variety of solutions are available for hybrid and multicloud security management.
-
Multicloud vendor platforms, as described in Strategy 1 provide the same security model everywhere.
-
Evaluate your organization’s requirements and skills to ensure that you choose a solution that is appropriate for your needs.
-
Advanced capabilities such as automated compliance audits and automated or one-click remediation can enhance security and compliance.
-
Extensibility to accommodate unique organizational requirements may be important for growing hybrid and multicloud deployments.
-