Securing an expanding threat surface
Multiple recent studies reveal two truths about multi-cloud security. The first, leaders in most organizations know security is a priority. The second, that same overwhelming majority believes their enterprises are falling far short of where they need to be.
One study in particular — the Flexera 2020 State of the Cloud Report — reveals that while enterprises are discovering the possibilities of the cloud, the rapidly growing number of workloads and the widespread expansion of hybrid and multi-cloud strategies presents serious and pervasive security challenges.
Respondents in the Flexera survey indicated that, on average, they are running half of their total workloads in the cloud and they expect to increase that number to 57% by the end of 2021 or early 2022. The same is true for data: The study showed that approximately 46% of enterprise data resides in the cloud today and respondents predicted that total would increase by 8% over the year. To make matters even more complex, 93% of enterprises are fully engaged in multi-cloud strategies, while 87% are deployed in hybrid cloud environments.
As both workloads and the volume of data in the cloud increase — and as multi-cloud sprawl continues to expand — enterprises are finding themselves with expanded attack surfaces and vulnerabilities. Findings from multiple surveys indicate that CISOs, CIOs and other senior leaders are well aware of the increasing risk, but they simply cannot afford stop or even slow their digital transformations.
Even while the expanded digital footprint of an organization presents clear risk in terms of cyberthreats, irrelevance is an even greater risk. Enterprises must leverage the cloud to accelerate innovation processes, bring products to market faster, construct resilient supply chains, and connect directly with customers and partners. In fact, another study conducted by the CIO Magazine indicated that CIOs and CISOs believe they will be under increasing board pressure to create value for the organization. Once viewed as builders and protectors of infrastructure, CIOs and CISOs now face an added level of responsibility as the engines of innovation.
This new combination of security and agility is not easily realized, but it is possible to achieve with the right discipline. Here are four key considerations that can help you get set in the right track.
1. Know your cloud infrastructure
If your organization, like most, is already fully engaged in a multi-cloud strategy, chances are you got here a bit haphazardly. This is not a criticism, but the reality of discovering and implementing cloud strategies for many companies. Almost every enterprise has empowered their teams to identify the apps and the cloud service providers that allow them to work most efficiently and stay ahead of competitors. But now that you’re living in a multi-cloud world, you need to develop an effective security strategy.
The first step is identifying all the various clouds used by your organization. You need to articulate and deploy a robust data governance program that informs security decisions, rather than simply responding to security issues, and provide a path for deploying the tools you need to assert the appropriate levels of control.
2. Protect apps and data
A foundational aspect of an effective multi-cloud security program is application security. Given the volume and variety of threats, the concept of hardening and securing applications is critical. This includes developing bug-free code and ensuring that the libraries used by your apps are updated and present no vulnerabilities. Data management, data minimization, data anonymization, and data encryption are also must-haves.
3. Choose and configure the right security tools
There are simply too many variations of security features embedded in cloud offerings today. Deploying and managing them all results in cost overruns and security vulnerabilities. That means deploying the right combination of tools for your unique combination of cloud solutions requires thoughtful investigation.
To span your cloud infrastructure and provide you with a singular point of control, you need to precisely determine which tools work the best, what they protect, and how to configure them. This often requires the use of cloud access security brokers (CASBs), which is simply software that consolidates and enforces security measures like malware detection, user authentication, credential mapping, and data encryption. You may also want to consider using cloud security posture management (CSPM) tools that assess enterprise cloud environments in relation to security requirements.
4. Deploy zero trust practices
User authentication and other security technologies have been moving towards a “Zero Trust” model for several years. Zero Trust is simply a security framework that requires all users — regardless of whether they are inside or outside the enterprise — to be authenticated, authorized, and continuously validated before they can access applications or data. With Zero Trust, every user and every device is verified before being granted access to resources in the cloud environment. It also assumes no traditional network edge. Networks can be local, in the cloud or hybrid, with both resources and users located anywhere.
An evolving landscape
Cloud security technology is like every other market. Analysts predict that the hyperscale public cloud leaders will also come together and form alliances and develop frameworks that provide a strong line of defense against cyberthreats. Best practices and tools continue to evolve. Vendors forge alliances and bring new solutions to market. Your knowledge of how to select and deploy security tools will continue to expand. But as all of this evolves, it’s important to assess the current and future state of your cloud strategy and infused security technologies and practices into everything you do.
