If your organization has put most of its assets onto multiple public cloud services, it should be clear that your old on-premises security solutions and policies will no longer work. However, solutions for single-cloud models may not be adequate. Here's how to make your multi-cloud security posture as strong as it can be.
Cloud security fundamentals
"It's almost guaranteed that some security controls won't operate the way they did in-house or won't be available in cloud service provider environments," said Dave Shackleford, a senior instructor at the SANS Institute, in a 2018 white paper sponsored by Qualys. "Looking at core security and IT controls, security teams will quickly realize that some controls are made easier in the cloud, while others will need to be modified in order to meet requirements."
The chief trade-off you make for the cloud's flexibility and cost savings is a drastic loss of control and visibility. You're running your business operations on someone else's server, and you will have to use the cloud service provider's (CSP) own application-program interfaces (APIs) to get a full picture of what's going on in your cloud instances.
Because of this, consider security solutions such as a cloud access security broker (CASB) that can monitor traffic between your endpoints and other on-prem assets and the cloud, or monitoring and vulnerability-management tools such as a cloud-native app protection platform (CNAPP) that works with your CSP's APIs to provide maximum visibility into and control over your cloud workloads.
You will need to thoroughly comprehend the shared-responsibility model with your CSP so that you will immediately know who must fix what, as well as the CSP's security controls, tools, compliance status and terminologies. In many ways, you're taking on the CSP as a business partner, so perform your due diligence accordingly.
Why multi-cloud is different from single-cloud
Using more than one public cloud service provider makes these issues even more complicated. Just to take one example, Amazon Web Services, Microsoft Azure and Google Cloud Platform may refer to the same things using different terms.
"Each cloud provider identifies assets with its own proprietary set of attributes, and there is little commonality in how some of the key attributes are named," said Swapnil Ahirrao, a senior product manager at Qualys, in a 2022 blog post. "To identify an instance, AWS uses 'Instance ID,' Azure uses 'VM ID,' and GCP uses 'VM Instance ID.' For an organization employing a multi-cloud strategy, this quickly becomes challenging from a reporting and analytics perspective."
To maintain competitive advantages, each major CSP does things differently, and each provides its own security tools for clients to use, with their own learning curves. Unifying the controls and feeds from those tools will best be achieved with a third-party solution.
"Some vendor products will work only in specific environments, and most cloud providers' built-in services will work only on their own platforms," Shackleford said. "Such siloing can lead to major headaches when business needs drive organizations to a multi-cloud strategy, necessitating the revisitation of security controls that meet requirements."
How to make your multi-cloud environment more secure
Here are several things your organization should do to improve its multi-cloud security posture. Some apply to hybrid or single-cloud environments too, and others are just common sense, but all should be useful.
Strive for maximal, unified visibility of assets and workloads across different cloud environments.
The adage is that "you can't protect what you can't see," so you want to see as much as you can. Work with your CSPs to gain visibility, but also investigate buying or subscribing to a cloud-native third-party solution that can continuously collect data and control aspects of all your cloud instances from a single control panel.
"Look for tools that can help you manage both in-house and cloud assets in one place," said Shackleford. "Security and operations teams are usually spread too thin to manage multiple management and monitoring tools across one or more cloud provider environments."
Strive for maximal automation in security and vulnerability management.
You can hire only so many humans for your security staff, and overworked staffers make mistakes. Lighten their load and strengthen your cloud security by implementing automated processes to handle routine tasks and orchestration programs that can remediate security issues on their own.
"Complex organizations with critical missions can augment and empower their cyber workforces through automation, machine learning and artificial intelligence," said Brad Beaulieu, a principal at Booz Allen Hamilton, in a 2020 blog post. "Leveraging innovation in these areas can scale the bandwidth and reach of small cyber teams by assisting with activities like normalizing the data, establishing baselines, detecting anomalies, automating repetitive tasks, rapidly retrieving information, and automatically enforcing standardized security policies and configurations."
Shift left.
You need to integrate automated security processes into coding and app development. Build automation into your continuous integration/development (CI/CD) cycle so that security is baked into cloud development from the get-go.
Gain a thorough understanding of shared responsibility with each cloud service provider.
Each CSP may have a different idea of what it's responsible for and what you're responsible for. Make sure you know exactly what those things are, and craft your cloud-security policies accordingly.
Understand how each CSP works.
You want clear comprehension of each of your CSP's infrastructure, security tools (such as Google Cloud Security Command Center or Azure Security Center), APIs and other technical matters.
Analyze, review and update your own end — continuously.
Be ready to adjust or even overhaul your security controls, policies and tools, your own cloud configurations and settings, and your security team's skills in handling multi-cloud environments. You may need to institute tougher internal policies because the risks of error will likely be multiplied.
"A single person can spin up a new server in almost no time at all," said Beaulieu. "But unless project teams are perfectly in sync with their agency's cyber operations, that kind of velocity can easily lead to isolated environments and blind spots — creating substantial risk, as securing an enterprise truly does require full, real-time awareness across the entire network."
Harden your cloud infrastructure.
Lock down ports, access, applications and interfaces, and integrate an infrastructure-as-code (IaC) solution into your cloud-management process. You don't want any ports left open, any dormant accounts left active, or any third-party software left out-of-date, and IaC will help you manage that.
"Any cloud applications and instances should be as locked down as possible, running a minimum of services, and configuration requirements should be revisited to ensure any cloud-based infrastructure is as resilient as possible," said Shackleford.
Unify identity and access management (IAM).
You need to be able to control user access to everything across your cloud and on-prem platforms from a single control panel.
Log everything.
You'll likely need to refer to logs to remediate security issues and other problems, even those that may have occurred months or years in the past.
"Logs represent a mind-boggling, storage-capacity-busting amount of data, but it really is necessary to keep them accessible for threat hunts and investigations," said Beaulieu. "With the availability of abundant, affordable cloud storage, particularly for infrequently accessed archival storage, an insufficient budget is no longer an excuse."
