Same Trick, New Dog: Securing Multi-cloud from the Start

There has been a palpable shift in multi-cloud excitement over the past 12 months. Where enterprise IT seemed to be still grappling with cloud strategies a couple of years ago, the focus has moved from how to get to cloud, to where to go with cloud. With varying enterprise needs and the surge in open technologies, it’s becoming clearer that multi-cloud is the endgame.

As the focus shifts from cloud to multi-cloud, a new layer of complexity emerges. Operating in a single context brings challenges, operating across multiple contexts magnifies them. And chief among those challenges? Multi-cloud security.

 Multi-cloud vs. Multiple Clouds

Before delving into multi-cloud security, it is important to make the distinction between multi-cloud and multiple clouds. The path to multi-cloud starts organically for most enterprises. In these early days of multi-cloud adoption, it’s not typically a deliberate strategy but rather the natural outcome of disparate cloud initiatives within a company. 

The premise of multi-cloud is that resources—regardless of where they reside—are managed as a single, cohesive infrastructure. It allows for diversity in the way applications are serviced while maintaining operational uniformity. Contrast that with multiple clouds, where each cloud (or application) is managed in an operational silo. 

 Operational Uniformity

The notion of operational uniformity is critical for maintaining security. 

Consider the current enterprise IT security climate. There are literally dozens of security solutions deployed in enterprises of even moderate size and complexity. The challenge is not only in deploying all these solutions but also in administering them in a way that is both cost-effective and consistently applied across the vast infrastructure sprawl that sits underneath.

As a company moves from one cloud to multi-cloud, the operational burden, and therefore the risk, increases. Maintaining a strong security posture is dependent on the consistent application of policy across each environment; adding more environments increases the level of complexity.

This means enterprises with multi-cloud strategies need to make security an upfront consideration. But perhaps more importantly, enterprises without multi-cloud strategies need to think about how their security practices will evolve alongside cloud adoption. Decisions made early that preclude multi-cloud operations will likely come back to haunt, and correcting course when operating under constraints or duress will be exponentially more difficult. 

 Alongside the Application

Coinciding with the cloud movement has been the move to microservices-oriented architectures. By breaking applications into smaller pieces and relying on distributed communications, enterprise IT has unlocked huge benefits that come with scale-out architectures – but this has also increased attack surfaces.

As infrastructure gets increasingly componentized, security must evolve. Having agents alongside applications to provide additional micro-segmentation is a useful means of adding to a layered security approach. In a multi-cloud world, this means layering security not just within a cloud but also across clouds. 

Of course, this creates additional operational overhead and requires thoughtful approaches to operational control so security mechanisms can be uniformly administered, regardless of underlying infrastructure. Essentially, security policy and control should sit above the enforcement points so that policy can be specified one time and applied everywhere.

Attackers do not care whether an application is in a virtual machine or container, in AWS or Azure. Candidly, neither should operators. 

Winter is Coming

During economic boom times, enterprises will float their IT spend higher to cope with growth. To some extent, this has enabled the security sprawl existing today. So long as budgets are flush, this is perhaps a sustainable approach.

But at some point, budgets will be constrained. At that moment, enterprises will be forced to choose between the CFO and the CISO. Do budget constraints dominate? Or do security concerns win?

In many ways, this is all true regardless of any move to cloud, but multi-cloud certainly exacerbates the situation. Enterprises will do well to consider the impacts of multi-cloud operations on security early. As any architect is painfully aware, designing for success is a much simpler path than course-correcting midway through.