
Cloudy with a Chance of Threats

October 24, 2018 by cbn

Securing multiple clouds can be very complex. What’s needed is an integrated approach that is dynamic and flexible, and able to keep pace with cloud workloads and applications as they expand.

The agility and benefits of cloud computing are undeniable. Forrester predicts that the total global public cloud market will be $178 billion in 2018, up from $146 billion in 2017, and will continue to grow at a 22 percent compound annual growth rate. And IDC forecasts that by 2020, more than 90 percent of enterprises will use multiple cloud services and platforms.

However, what many organizations are finding out is that securing multiple public, private, or hybrid clouds can be very complex. It becomes increasingly difficult to “see” what’s going on in all these clouds, which makes security a huge challenge. Let’s look at what security across multi-cloud environments needs to look like for organizations of all kinds.


Multi-cloud complicates security

It’s important to acknowledge the reality that multi-cloud can lead to more complex security challenges. Part of the issue is that multi-cloud in the enterprise is never really planned. It’s usually something that happens organically, with the IT team coming in after the fact to retrofit a security strategy.

It can all start as simply as someone using an O365 document, someone else subscribing to Dropbox, another employee uploading a document onto Google Drive to share, and someone else creating the website using the public cloud. All of a sudden, your organization is consuming services from four different cloud providers.

This creates a situation where information flow in and out of the organization becomes less controlled. Each one of these activities adds to the risk. On a case-by-case basis, each cloud service selection makes sense, but when they’re all looked at in the aggregate, it hits home that this is a patchwork of cloud services with somewhat unknown security or data management policies.

Many threats, little control

For example, users will often re-use the same passwords for different applications. Then, all of a sudden, your security team faces risk that stems not only from corporate-controlled assets but also from publicly available information that corporate IT does not control. The distributed nature of information lessens visibility and leads to a situation where the security risk level is unknown – and likely higher, since compromise of a single information repository is enough to impact the entire organization. Where information is stored or used, and what data is being shared or managed offsite in a cloud service, are all unknown parameters. That’s what gives this concept its “cloudy” notion: no one really knows what is going on.

The other security concern transcends the risk of “cloudy” visibility and is related to the multiplying effect associated with the risk profile of the different platforms, which have different vulnerabilities and are exposed to different threats. Subsequently, your risk skyrockets. This is especially true in situations where less-secure end-user behavior is exhibited across these multi-clouds, including shared credentials or uploading of sensitive data.

All these behaviors create a situation that exemplifies the adage that security is only as strong as your weakest link – only the cloud adoption reality and your employees’ interaction with the variety of systems have now multiplied the number of weak links. It is simple probability: the chance that one of these sources is breached is higher than when there were fewer sources you had to protect. And in this case, you’re not even protecting them, since they’re not your platforms. Yet you are vulnerable to the threats on them. This is the landscape of the “cloudy” higher-risk situation.

No turning back

You can’t really take control over what’s already been done; the train has left the station. People are going to use cloud services, and it is less practical to prohibit their use completely than to find ways to secure them. Instead, the mindset of the security practitioner, security officer, and security architect needs to change from one that says “no” to the organization. That’s because for every “no,” there’s a workaround. This will merely create a shadow IT environment of additional, and now hidden, risk.

Business will always win over security. As a result, security professionals won’t win by trying to block access to cloud services. Instead, they should focus on finding tools and laying out the foundation for desired behavior. This includes setting up a corporate Dropbox and a corporate Google Apps, for example, and providing your employees access to these systems sooner rather than later. This doesn’t solve all multi-cloud security problems, but it’s a place to start. These corporate accounts can be policed and provisioned centrally for an organization later in the process. This is easier than letting users create their own solutions and then trying to reel them back in.

As a security professional, you need to cultivate a habit of saying “yes” to the business, because then you’ll be included in the multi-cloud decision process more often. Once you do this, you can start thinking about how to exert greater control and gain the visibility needed for a stronger security strategy.

Who is responsible for cloud security?

The guiding principle associated with the shared responsibility model is that if you touch it, it’s your responsibility. If you change the configuration option on the cloud, you are responsible for what happens as a result of that change. If you’ve uploaded data to the cloud, it’s your responsibility to make sure that it’s secure.

Cloud computing service providers often offer a great amount of documentation. Everything is clearly documented, with the cloud providers doing their best to define SLAs and be clear about the risks associated with leveraging their cloud platforms. They’ll document what they do provide – resiliency and security – and what they don’t. This means the user is responsible, as difficult as it may be, for reading exactly where the demarcation lies between the cloud provider’s responsibility and the user’s own responsibility to keep services up and running.

Your job is to understand where the cloud provider’s responsibility ends and yours begins. This will then enable you to begin to build a strategy to secure data that includes encrypting it and making sure it is available when needed and meeting confidentiality requirements as well.

The good part is that the cloud offers a great number of tools that, if used right, can support building infrastructures and applications that are much more robust than the infrastructures that were built previously, as security and resiliency can be programmed into the system.

Peace and safety in the cloud

The multi-cloud juggernaut has begun, and resistance seems not only futile but counter-productive for security teams. Since adopting cloud environments for their many benefits at the sacrifice of security is not an option, you will need to make peace with the reality of multiple cloud environments. Creating a strong security posture in the cloud will add to that peace.

Multi-cloud security must be integrated to be effective. This will provide the clear visibility and consistent security that are so critical across platforms. It must also be dynamic and flexible, able to move with cloud workloads and applications as they expand.

A security strategy following these characteristics creates the opportunity to lay out a unified and centralized control point, bringing visibility and policy into your multi-cloud environment. This approach enables defenses across the cloud where applications and endpoints communicate securely, leading to minimized risk. When security takes a proactive role and is implemented consistently across the infrastructure, your organization can reap the cost, flexibility and scalability benefits of the cloud while avoiding its security pitfalls.

Lior Cohen is Senior Director of Products and Solutions – Cloud Security at Fortinet. He has over 20 years of experience working in the information security, data center network and cloud computing spaces. Lior serves as Fortinet’s lead for cloud security solutions with a focus on securing enterprise public cloud-based deployments and private cloud build-outs.
