The total number of mission-critical applications running in public clouds almost doubled between 2020 and 2022, and we expect this growth to continue. With this statistic in mind, no one argues against the need to prioritize securing multi-cloud estates.
Public cloud providers such as Amazon Web Services and the Google Cloud Platform have significant resources and expertise dedicated to cloud security. But what are cloud providers actually responsible for securing vs. what an IT team needs to manage? The short answer: it depends on what the company buys.
Shared responsibility in the cloud
AWS created the shared responsibility model for securing the cloud, and other providers adapted it. The services the company purchases from these providers will determine who’s responsible for what. So it’s important to dig into this when making a purchasing decision, and clearly identify what the team can secure vs. what it needs help with.
The different areas that need security ownership include: data and access; applications; runtime; operating systems; virtual machines; compute; networking; and storage.
The company’s team will own all of these areas for its private cloud. But as the company moves to Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS), responsibilities will become a mix between the enterprise IT team and the cloud provider, depending on what the company purchases. Clearly defining ownership between the company’s team and the cloud provider lays the groundwork for achieving a secure multi-cloud estate. It’s also important to understand that cloud providers remain focused on preventing unauthorized access to their respective clouds, but the responsibility for data security in the cloud will always fall on IT teams.
Is my cloud secure?
After determining shared ownership, the work begins. Many enterprises have policies in place for securing their on-premises estate. Unfortunately, it’s not possible to just take these same policies and extend them to the cloud. On-premises security controls are not as effective in the cloud, as defensible perimeters are erased and virtualization and decentralization make visibility more challenging.
To make matters a bit more complicated, visibility and the ability to verify compliance have become a different kind of challenge. Once traffic egresses the private network, the ability to track its behavior end-to-end and hop-by-hop, or to verify compliance, is obscured. At that point, if a container is accidentally left open or a path is misconfigured, it creates a security vulnerability.
Verifying multi-cloud compliance
Many enterprises have a detailed view of their private network, but that view begins to get blurry in the cloud. IT teams need a way to visualize the cloud, like they do with on-premises.
Cloud security posture management (CSPM) platforms are helping organizations secure their virtual estates, but they have their limits, including:
- They present data in ways that are difficult to interpret.
- They obscure relationships between resources, such as which resources span multiple accounts and whether those resources are shared.
- They lack visibility into all possible paths by which traffic can reach the internet, and into the security points that traffic would pass through.
- They don't always detect security controls, which means they can report the network as compliant even when it is not.
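The path-enumeration gap described in the last two points can be made concrete. The following is an added example, not code from this article or from Forward Networks: it walks a constructed, in-memory model of one cloud network (subnets, route tables, a NAT gateway, an internet gateway, security groups) and lists every path by which a workload's traffic can reach the internet together with the security points it crosses. Resource names, CIDRs and the rule layout are assumptions chosen to resemble AWS-style VPC objects. It also shows what a tool that reads only security groups would conclude, which is where the "compliant when it is not" problem comes from.

```python
"""Enumerate the paths by which a workload's traffic can reach the internet and the
security points (security group, route table, gateway) each path crosses.

Added example; not code from the original article or from Forward Networks. Runs over a
constructed in-memory model; names, CIDRs and rule shapes are assumptions resembling
AWS-style VPC objects.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class SecurityGroup:
    name: str
    egress: list          # (protocol, destination cidr) tuples the group allows outbound


@dataclass
class RouteTable:
    name: str
    routes: dict          # destination CIDR -> target ("local", "igw-*", "nat-*")


@dataclass
class Subnet:
    name: str
    route_table: str


@dataclass
class Instance:
    name: str
    subnet: str
    security_groups: list


@dataclass
class NatGateway:
    name: str
    subnet: str           # the (public) subnet the NAT gateway lives in


@dataclass
class Network:
    subnets: dict
    route_tables: dict
    security_groups: dict
    nat_gateways: dict
    internet_gateways: set
    instances: list


def default_route(net, subnet_name):
    """Return (route_table_name, target) for the subnet's 0.0.0.0/0 route, or None."""
    rt = net.route_tables[net.subnets[subnet_name].route_table]
    target = rt.routes.get("0.0.0.0/0")
    return (rt.name, target) if target else None


def gateway_hops(net, subnet_name, hops):
    """Follow the default route from a subnet until an internet gateway is reached.
    Returns the ordered hops crossed (route tables, NAT gateways, IGW), or None."""
    route = default_route(net, subnet_name)
    if route is None:
        return None
    rt_name, target = route
    hops = hops + [rt_name, target]
    if target in net.internet_gateways:
        return hops
    if target in net.nat_gateways:        # NAT hands off to its own subnet's route table
        return gateway_hops(net, net.nat_gateways[target].subnet, hops)
    return None


def world_egress_rules(net, sg_names):
    """Yield (sg_name, protocol) for egress rules whose destination is the whole internet."""
    for sg_name in sg_names:
        for proto, cidr in net.security_groups[sg_name].egress:
            if ip_network(cidr).prefixlen == 0:   # 0.0.0.0/0 or ::/0
                yield sg_name, proto


def internet_paths(net):
    """One record per (instance, permitting egress rule) with the full path to the internet.
    An instance with a permissive security group but no gateway route yields nothing."""
    paths = []
    for inst in net.instances:
        hops = gateway_hops(net, inst.subnet, [])
        if hops is None:
            continue
        for sg_name, proto in world_egress_rules(net, inst.security_groups):
            paths.append({"instance": inst.name, "protocol": proto, "path": [sg_name] + hops})
    return paths


def security_group_only_view(net):
    """What a tool reading only security groups concludes: any world-open egress rule means
    'can reach the internet', with no route or gateway context (db-1 below is a false positive)."""
    return sorted({i.name for i in net.instances if any(world_egress_rules(net, i.security_groups))})


# Constructed sample: one public subnet, one private subnet behind NAT, one isolated subnet.
SAMPLE = Network(
    subnets={"public-a": Subnet("public-a", "rt-public"),
             "private-a": Subnet("private-a", "rt-private"),
             "isolated-a": Subnet("isolated-a", "rt-isolated")},
    route_tables={"rt-public": RouteTable("rt-public", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-main"}),
                  "rt-private": RouteTable("rt-private", {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-a"}),
                  "rt-isolated": RouteTable("rt-isolated", {"10.0.0.0/16": "local"})},
    security_groups={"sg-open": SecurityGroup("sg-open", [("all", "0.0.0.0/0")]),
                     "sg-internal": SecurityGroup("sg-internal", [("all", "10.0.0.0/16")])},
    nat_gateways={"nat-a": NatGateway("nat-a", "public-a")},
    internet_gateways={"igw-main"},
    instances=[Instance("web-1", "public-a", ["sg-open"]),
               Instance("app-1", "private-a", ["sg-open"]),
               Instance("db-1", "isolated-a", ["sg-open"]),
               Instance("batch-1", "public-a", ["sg-internal"])],
)

if __name__ == "__main__":
    for p in internet_paths(SAMPLE):
        print(f"{p['instance']} ({p['protocol']}): {' -> '.join(p['path'])}")
    print("security-group-only view:", security_group_only_view(SAMPLE))
```

On the sample data, web-1 reaches the internet through its security group, the public route table and the IGW, and app-1 through the private route table, the NAT gateway, the public route table and the IGW. db-1 has the same permissive security group but sits in a subnet with no default route, so it has no path at all, yet the security-group-only view lists it as internet-reachable. The same one-sided reading in the other direction, a route that exists but a control the tool never collected, is how a tool ends up reporting compliance it cannot actually see.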
Despite these challenges, CSPM tools are still valuable. They deliver visibility into traffic connectivity, but they need augmentation. Teams need a dynamic, simple way to visualize traffic end-to-end. They also need timely alerts when changes are made that violate policy. With or without the help of a CSPM, here are the areas enterprises need to focus on to ensure multi-cloud compliance:
- Visibility: Enterprise IT needs visibility into cloud services. The team needs to collect that data from live environments so it can independently verify that application connectivity has been configured as intended and will operate correctly.
- Rationalizing: IT needs to rationalize monitoring, controls, and security across each service and product. Security teams must automate data collection frequently to keep up with application and infrastructure changes in the cloud.
- Auditing: Once data gets collected, the security team can leverage it to monitor for changes and flag potential problems as they occur – across all cloud environments.
- Verifying data: Network applications need access control so that the system only uses authorized application components. Frequent monitoring can ensure policy compliance or provide a timely alert to remediate any issues.
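The four focus areas above form one loop: collect control data from each cloud, rationalize it into a common form, audit successive collections for change, and verify the result against policy. The following is an added example of that loop, not code from this article or from any vendor. It normalizes an AWS-style security group and a GCP-style firewall rule into one rule schema, diffs two collection runs, and raises an alert only for newly added rules that violate a policy. The two record shapes are simplified approximations of those providers' objects (assumed, not exact API output), and both snapshots are constructed sample data.

```python
"""Rationalize firewall controls from two providers into one schema, audit them against a
policy, and flag changes between collection runs.

Added example; not code from the article or from any vendor. The provider record shapes
are simplified approximations (assumed) of an AWS security group and a GCP firewall rule;
the snapshots are constructed sample data.
"""
from ipaddress import ip_network


def normalize_aws(account, sg):
    """Flatten an AWS-style security group dict into common ingress rules."""
    rules = []
    for perm in sg["IpPermissions"]:
        for rng in perm["IpRanges"]:
            rules.append({"account": account, "resource": sg["GroupId"], "direction": "ingress",
                          "protocol": perm["IpProtocol"],
                          "ports": (perm.get("FromPort", 0), perm.get("ToPort", 65535)),
                          "source": rng["CidrIp"]})
    return rules


def normalize_gcp(project, fw):
    """Flatten a GCP-style firewall rule dict into common ingress rules (allow rules only)."""
    rules = []
    if fw.get("direction", "INGRESS") != "INGRESS":
        return rules
    for allowed in fw["allowed"]:
        for port in allowed.get("ports", ["0-65535"]):   # "22" or "8000-8080"
            lo, _, hi = port.partition("-")
            for src in fw["sourceRanges"]:
                rules.append({"account": project, "resource": fw["name"], "direction": "ingress",
                              "protocol": allowed["IPProtocol"],
                              "ports": (int(lo), int(hi or lo)), "source": src})
    return rules


ADMIN_PORTS = {22, 3389, 3306, 5432}   # policy: never reachable from the whole internet


def violations(rules):
    """Return a human-readable finding for every rule that breaks the policy above."""
    out = []
    for r in rules:
        lo, hi = r["ports"]
        if ip_network(r["source"]).prefixlen == 0 and any(lo <= p <= hi for p in ADMIN_PORTS):
            out.append(f"{r['account']}/{r['resource']}: {r['protocol']} {lo}-{hi} open to {r['source']}")
    return out


def rule_key(r):
    """Hashable identity of a rule so snapshots can be compared as sets."""
    return (r["account"], r["resource"], r["direction"], r["protocol"], r["ports"], r["source"])


def collect(snapshot):
    """Normalize one multi-cloud snapshot: {"aws": {account: [sg, ...]}, "gcp": {project: [fw, ...]}}."""
    rules = []
    for account, sgs in snapshot.get("aws", {}).items():
        for sg in sgs:
            rules += normalize_aws(account, sg)
    for project, fws in snapshot.get("gcp", {}).items():
        for fw in fws:
            rules += normalize_gcp(project, fw)
    return rules


def diff_snapshots(before, after):
    """Return (added, removed) rule keys between two collection runs."""
    b, a = {rule_key(r) for r in before}, {rule_key(r) for r in after}
    return sorted(a - b), sorted(b - a)


def audit_run(before, after):
    """Diff two runs and alert only on newly added rules that violate policy."""
    added, removed = diff_snapshots(collect(before), collect(after))
    new_rules = [r for r in collect(after) if rule_key(r) in set(added)]
    return {"added": len(added), "removed": len(removed), "alerts": violations(new_rules)}


# Constructed snapshots: run 2 widens SSH on AWS to the internet and adds a public Postgres rule on GCP.
RUN1 = {
    "aws": {"prod-123": [{"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}]},
    "gcp": {"proj-a": [{"name": "allow-https", "direction": "INGRESS",
                        "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
                        "sourceRanges": ["0.0.0.0/0"]}]},
}
RUN2 = {
    "aws": {"prod-123": [{"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]},
    "gcp": {"proj-a": [{"name": "allow-https", "direction": "INGRESS",
                        "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
                        "sourceRanges": ["0.0.0.0/0"]},
                       {"name": "allow-pg", "direction": "INGRESS",
                        "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}],
                        "sourceRanges": ["0.0.0.0/0"]}]},
}

if __name__ == "__main__":
    print(audit_run(RUN1, RUN2))
```

The first run is clean: HTTPS open to the world is allowed by the policy, and SSH is limited to a private range. The second run adds two rules and removes one, and both additions are flagged. Keying alerts to the diff rather than re-reporting every standing finding is what keeps the alert stream timely when collection runs frequently; a full `violations(collect(snapshot))` pass still belongs in a periodic compliance report.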
It follows that achieving a secure multi-cloud estate requires some hard work. The company needs to collaborate and communicate with each respective cloud provider to determine responsibilities and procedures. It requires diligence and tailoring for each different cloud environment. Once ownership and procedures are clearly defined, it then requires the IT team to focus on achieving the visibility it needs to ensure cloud security.
Chiara Regale, vice president of product, Forward Networks