A survey by Valtix earlier this year found that 51% of respondents have resisted moving to multi-cloud platforms because of the added security complexities these environments create, most notably tied to identity and access.
Consistent with that, another report, from Delinea, found that 86% of respondents say they are exploring ways to automate access controls, especially for privileged access.
But cloud technology is not new, so what has changed? Avishai Avivi, CISO at SafeBreach, pointed to the Delinea research, which noted that as cloud environments grow and become more complex, security teams struggle to keep pace with that growth. Faced with this complexity, Avivi agreed, security teams should look to automate.
“The research also suggests that today's security technology would not keep pace with the complex cloud environment already in place,” Avivi said. “We agree with this recommendation, and fully support the need to leverage technology that scales with the cloud and allows businesses to test their security posture, even with this rapidly evolving cloud environment.”
Given the realities that security teams face, and the Valtix finding that some 92% of security pros understand that at some point the business will demand a multi-cloud environment, we put together this guide of five tips for automating security across multi-cloud environments:
Embrace a secure-by-design culture
An IBM report on creating hybrid, multi-cloud environments said that companies must start with a secure-by-design culture. In doing so, the company introduces security earlier in the development lifecycle, from enforcing the right set of traditional and cloud-native controls to continuous testing and validation. The entire process then gets supported under the foundation of automation: establishing a robust and automated DevSecOps toolchain and an automated deployment of base security controls and policies.
Maintaining secure workloads in a hybrid, multi-cloud environment means that security teams need to have the capabilities to do the following: automate secure application development; define policies by workload requirements; automate security controls using infrastructure-as-code; manage configurations in a multi-cloud environment; repeatedly test the organization’s security defenses.
Build in security automation at every stage of the asset lifecycle
Jasmine Henry, field security director at JupiterOne, said companies need security automation at every stage of the asset lifecycle, from asset creation to destruction. Henry said security teams need automation to identify new assets and map asset relationships to understand how real-time changes impact risk.
“Security teams also need to embed automated security into the DevOps pipeline, so it's easy for product engineers to set secure parameters for assets at the time of creation, such as encryption by default or data classification,” Henry said.
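As an added example of the infrastructure-as-code and asset-creation controls described in the two sections above (this is not code from IBM, JupiterOne or the article), here is one set of workload policies written once against normalized attributes and evaluated over a constructed plan spanning AWS, GCP and Azure storage resources. The plan format, the resource and policy names, and the severity scheme are assumptions, not any real tool's schema; the `gate` function is the call a pipeline stage would make before apply.

```python
"""Policy-as-code check over a constructed multi-cloud IaC plan.

Added example, not from the article or any vendor named in it. The plan
format, the policy names and the resource types are assumptions chosen to
resemble a flattened Terraform plan; they are not a real tool's schema.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: a flattened view of resources a pipeline is about to
# create. Each entry carries the cloud, the resource type, and the
# normalized attributes the policies care about.
SAMPLE_PLAN = [
    {"cloud": "aws", "type": "aws_s3_bucket", "name": "payroll-exports",
     "encrypted": True, "public": False, "tags": {"data_class": "confidential"}},
    {"cloud": "aws", "type": "aws_s3_bucket", "name": "web-assets",
     "encrypted": False, "public": True, "tags": {}},
    {"cloud": "gcp", "type": "google_storage_bucket", "name": "ml-training",
     "encrypted": True, "public": False, "tags": {"data_class": "internal"}},
    {"cloud": "azure", "type": "azurerm_storage_account", "name": "legacylogs",
     "encrypted": False, "public": False, "tags": {"data_class": "restricted"}},
]

STORAGE_TYPES = {"aws_s3_bucket", "google_storage_bucket", "azurerm_storage_account"}
VALID_CLASSES = {"public", "internal", "confidential", "restricted"}


@dataclass
class Finding:
    resource: str
    cloud: str
    policy: str
    severity: str


def check_resource(res: dict) -> list[Finding]:
    """Evaluate one resource against the workload policies.

    The rules are written once against normalized attributes, so the same
    three checks apply to an S3 bucket, a GCS bucket and an Azure storage
    account without a per-cloud rule set.
    """
    findings: list[Finding] = []
    if res["type"] not in STORAGE_TYPES:
        return findings
    data_class = res["tags"].get("data_class")
    # Rule 1: every storage resource carries a valid classification, set at
    # creation time rather than back-filled later.
    if data_class not in VALID_CLASSES:
        findings.append(Finding(res["name"], res["cloud"], "classification-required", "medium"))
    # Rule 2: encryption at rest is the default; its absence is a finding
    # whose severity follows the classification.
    if not res["encrypted"]:
        sev = "high" if data_class in {"confidential", "restricted"} else "medium"
        findings.append(Finding(res["name"], res["cloud"], "encryption-at-rest", sev))
    # Rule 3: anything not explicitly classified "public" must not be exposed.
    if res["public"] and data_class != "public":
        findings.append(Finding(res["name"], res["cloud"], "no-public-access", "high"))
    return findings


def evaluate_plan(plan: list[dict]) -> list[Finding]:
    """Run every resource in the plan through the policies."""
    return [f for res in plan for f in check_resource(res)]


def gate(plan: list[dict]) -> bool:
    """Pipeline gate: allow the apply only if no high-severity finding exists."""
    return not any(f.severity == "high" for f in evaluate_plan(plan))


if __name__ == "__main__":
    for f in evaluate_plan(SAMPLE_PLAN):
        print(f"{f.severity:6} {f.cloud}:{f.resource} {f.policy}")
    print("apply allowed" if gate(SAMPLE_PLAN) else "apply blocked")
```

The point of normalizing first is that the policy author never writes "S3 public ACL" or "GCS allUsers binding"; the per-cloud translation lives in whatever produces the plan, and the three rules stay the same as providers are added.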
Deploy tools that can manage security for the platforms from the major cloud services providers – and all enterprise SaaS apps
Tim Bach, vice president of engineering at AppOmni, said CIOs and CISOs are expected to manage security controls and monitoring for an ever-growing number of clouds, whether that means security monitoring for the major cloud infrastructure providers or the increasingly complex security needs of the dozens of SaaS platforms their businesses rely on, and those clouds house more and more sensitive data and critical business processes.
Bach said that while cloud infrastructure security concerns have been well known and discussed for years, properly securing SaaS data in particular has become more challenging every day.
To help IT and security leaders feel confident in their ability to support an organization’s multi-cloud expansion, those teams need to have purpose-built, automated cloud security tools that stay current with the updates and nuances of each SaaS application.
“Security technologies that can alert and educate in-house security practitioners about potential issues and suggest ways to solve them will continue to be the most scalable solution to this problem," said Bach.
Build automation into privileged access management
Tony Goulding, cyber security evangelist at Delinea, said building as much automation as possible into privileged access management (PAM) can help lessen the complexity of hybrid cloud and multi-cloud environments, especially in elastic environments where tasks need to move faster and the organization can't rely on manual processes.
Goulding said PAM solutions need more automation built in natively, such as automatically discovering cloud platforms and workloads, which gives the PAM platform visibility into which virtual systems exist.
Then organizations need to add a range of post-discovery automation to bring those systems under PAM management and consistently enforce centralized PAM policies.
“So for example, companies need to automatically deploy a PAM client and enroll these virtual systems into the platform, assign a unique machine identity and establish a trust relationship, which puts them into access zones based on roles or groups that apply pre-defined policies, and automatically vault away the local privileged account. The more visibility, the more control and ability to automatically lock them down.”
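The post-discovery workflow Goulding describes, simulated end to end as an added example (this is not Delinea's product or code from the article): discovered systems get a reproducible machine identity, a one-time enrollment secret to establish trust, an access zone chosen by role tag, and their local privileged account rotated into a vault. The inventory, the zone names, the tag convention, the UUID namespace and the in-memory vault are all assumptions standing in for real cloud and PAM APIs. Systems with no recognizable role are not skipped; they go to a quarantine zone with no allowed groups, because an unenrolled system is exactly the one an attacker would prefer.

```python
"""Post-discovery PAM enrollment, simulated end to end.

Added example, not Delinea's product or the article's code. The inventory,
the zone names, the tag convention and the in-memory vault are assumptions
standing in for a real cloud inventory API and a real PAM platform.
"""
from __future__ import annotations
import secrets
import uuid
from dataclasses import dataclass

# Constructed discovery output: what an inventory call against two clouds
# might return once normalized. Only the fields the workflow needs are kept.
DISCOVERED = [
    {"cloud": "aws", "instance_id": "i-0a1b2c3d4e5f60001", "tags": {"role": "web"}},
    {"cloud": "aws", "instance_id": "i-0a1b2c3d4e5f60002", "tags": {"role": "db"}},
    {"cloud": "gcp", "instance_id": "4821337701234567890", "tags": {"role": "web"}},
    {"cloud": "gcp", "instance_id": "4821337701234567891", "tags": {}},  # no role tag
]

# Access zones map a role to the pre-defined policy applied to its members.
# Unknown roles land in quarantine, where no group gets interactive access
# until a human classifies the system.
ZONES = {
    "web": {"allowed_groups": ["web-admins"], "session_recording": True, "mfa": True},
    "db": {"allowed_groups": ["dba"], "session_recording": True, "mfa": True},
    "quarantine": {"allowed_groups": [], "session_recording": True, "mfa": True},
}

# Hypothetical fixed namespace so the same cloud+instance always yields the
# same machine id across discovery runs.
MACHINE_NS = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")


@dataclass
class Enrollment:
    machine_id: str
    zone: str
    policy: dict
    enrollment_secret: str   # one-time token the PAM client presents to establish trust
    vaulted_account: str     # local privileged account now held only in the vault


class Vault:
    """Minimal in-memory stand-in for a secrets vault keyed by machine id."""

    def __init__(self) -> None:
        self._store: dict[tuple[str, str], str] = {}

    def rotate(self, machine_id: str, account: str) -> str:
        """Set a fresh random password for the account and record it."""
        new_password = secrets.token_urlsafe(24)
        self._store[(machine_id, account)] = new_password
        return new_password

    def has(self, machine_id: str, account: str) -> bool:
        return (machine_id, account) in self._store


def machine_identity(workload: dict) -> str:
    """Derive a unique, reproducible machine identity from cloud and instance id."""
    return str(uuid.uuid5(MACHINE_NS, f"{workload['cloud']}:{workload['instance_id']}"))


def enroll(workload: dict, vault: Vault, local_admin: str = "root") -> Enrollment:
    """Bring one discovered system under PAM management.

    Steps follow the workflow in the text: assign identity, establish trust,
    place in a zone by role, and vault the local privileged account so its
    password is no longer known to any person.
    """
    mid = machine_identity(workload)
    role = workload["tags"].get("role")
    zone = role if role in ZONES else "quarantine"
    token = secrets.token_hex(16)      # would be delivered out of band to the PAM client
    vault.rotate(mid, local_admin)     # credential is now retrievable only via PAM
    return Enrollment(mid, zone, ZONES[zone], token, local_admin)


def enroll_all(discovered: list[dict], vault: Vault) -> dict[str, Enrollment]:
    """Enroll every discovered system, keyed by machine identity."""
    return {e.machine_id: e for e in (enroll(w, vault) for w in discovered)}


if __name__ == "__main__":
    v = Vault()
    for e in enroll_all(DISCOVERED, v).values():
        print(e.machine_id, e.zone, e.policy["allowed_groups"])
```

Deriving the identity with `uuid5` rather than a random UUID matters in practice: discovery runs repeatedly, and a system that is rediscovered must map to the same vault entries and zone membership rather than being enrolled twice.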
Leverage solutions that can automate critical security functions from a single policy plane
Douglas Murray, CEO at Valtix, said each cloud has a proprietary security stack, and organizations are ill-equipped to handle the learning curve required of each.
In a recent Valtix survey, 82% of IT leaders admitted that the complexity of cloud security within multi-cloud slows down business agility.
Murray said to achieve the promise of multi-cloud, organizations need multi-cloud security solutions that can abstract critical security functions like firewall, intrusion prevention, and traffic monitoring across each cloud into a single policy plane.
“When organizations shift to a cloud-first perspective, they can achieve multi-cloud agility by leveraging a wide range of cloud-native platforms for security, operations, and other functions," Murray said. “Business agility decreases, and costs go up when organizations stick with legacy datacenter tools forklifted to the cloud.”
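To make the "single policy plane" idea concrete, here is an added example (not Valtix's product or code from the article) that compiles one normalized ingress rule into the native shape each cloud expects, with a guardrail enforced once before any translation. The normalized rule format is an assumption; the output dictionaries use the field names of EC2 security group IpPermissions and Compute Engine firewall rules but are plain dicts, not API calls. The constructed rules include one the plane must refuse identically on every cloud: an administrative port open to the whole internet.

```python
"""One normalized network policy compiled to two clouds' native shapes.

Added example, not Valtix's product or the article's code. The normalized
rule format is an assumption; the AWS and GCP outputs follow the field
names of EC2 security group IpPermissions and Compute Engine firewall
rules respectively, but are plain dicts, not API calls.
"""
from __future__ import annotations
import ipaddress

ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM


class PolicyError(ValueError):
    """Raised when a rule violates a guardrail, regardless of target cloud."""


def validate(rule: dict) -> None:
    """Guardrails enforced once, before any cloud-specific translation."""
    if rule["protocol"] not in {"tcp", "udp"}:
        raise PolicyError(f"{rule['name']}: unsupported protocol {rule['protocol']}")
    for cidr in rule["sources"]:
        net = ipaddress.ip_network(cidr)   # raises ValueError on malformed input
        if net.prefixlen == 0 and set(rule["ports"]) & ADMIN_PORTS:
            raise PolicyError(f"{rule['name']}: admin port open to {cidr}")


def _port_ranges(ports: list[int]) -> list[tuple[int, int]]:
    """Collapse a port list into sorted, contiguous (low, high) ranges."""
    ranges: list[tuple[int, int]] = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def to_aws(rule: dict) -> list[dict]:
    """EC2 security group ingress permissions, one entry per port range."""
    validate(rule)
    return [
        {"IpProtocol": rule["protocol"], "FromPort": lo, "ToPort": hi,
         "IpRanges": [{"CidrIp": c, "Description": rule["name"]} for c in rule["sources"]]}
        for lo, hi in _port_ranges(rule["ports"])
    ]


def to_gcp(rule: dict, network: str = "default") -> dict:
    """Compute Engine firewall rule; GCP takes all port ranges in one object."""
    validate(rule)
    return {
        "name": rule["name"],
        "network": f"global/networks/{network}",
        "direction": "INGRESS",
        "sourceRanges": list(rule["sources"]),
        "allowed": [{"IPProtocol": rule["protocol"],
                     "ports": [f"{lo}-{hi}" if lo != hi else str(lo)
                               for lo, hi in _port_ranges(rule["ports"])]}],
        "targetTags": [rule["target"]],
    }


def is_allowed(rule: dict) -> bool:
    """True if the rule passes the shared guardrails."""
    try:
        validate(rule)
    except PolicyError:
        return False
    return True


# Constructed rules: one acceptable, one the policy plane must refuse.
WEB_RULE = {"name": "allow-web", "protocol": "tcp", "ports": [80, 443, 8080, 8081],
            "sources": ["0.0.0.0/0"], "target": "web"}
BAD_SSH_RULE = {"name": "allow-ssh-anywhere", "protocol": "tcp", "ports": [22],
                "sources": ["0.0.0.0/0"], "target": "web"}

if __name__ == "__main__":
    print(to_aws(WEB_RULE))
    print(to_gcp(WEB_RULE))
    print("ssh rule allowed:", is_allowed(BAD_SSH_RULE))
```

The guardrail lives in `validate`, which both compilers call first, so the decision to refuse `allow-ssh-anywhere` is made once and cannot drift between clouds; the differences between providers (AWS wanting one permission per contiguous port range, GCP accepting a list of range strings) are confined to the translation functions.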