As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Vishal Jain of Valtix warns IT teams not to wait for the next Log4Shell event before considering the switch to multi-cloud security.
With organizations of all sizes moving to the cloud, studies have shown that for them to compete and reach their goals, companies must operate on multiple clouds. According to recent research, 94 percent of surveyed IT leaders stated they would be going multi-cloud within the next two years. At the intersection of this critical requirement, agility, and security sits the emerging discipline of the “cloud security architect.” Cloud security architects have the daunting task of designing sustainable practices to protect cloud deployments against ever-changing threats, and they must often do so across multiple providers, each with different security models and services. As we progress into the multi-cloud era, IT leaders must enable cloud security architects to create and enforce enterprise-wide standards that consolidate and centralize best practices across the entirety of their multi-cloud deployments.
The following explores the importance of multi-cloud security, the reasons why companies may resist expansion to multi-cloud, and how real-world examples, like the Log4Shell incident, show the importance of defense in depth for the cloud– including enforcing least privilege access and the monitoring of outbound connections.
The Importance of Multi-Cloud Security
For a variety of business reasons, including vendor risk mitigation and cost reduction, multi-cloud security is a top priority for the majority of business and IT leaders. Naturally, 95 percent of IT leaders also said that multi-cloud security is a strategic priority.
But what exactly is multi-cloud security? Multi-cloud security enables comprehensive protection of assets across multiple public cloud platforms. Businesses can’t implement security in the cloud the same way they do on-premises. The assumptions of the cloud and the shared responsibility model are different. The cloud is more dynamic, and the perimeter is much less defined. Bringing security tools from the data center to the cloud often comes at great implementation, integration, and operations expense. Cloud security architects must consider cloud-native security solutions from both the cloud providers themselves and third parties who focus on multi-cloud capability.
In the cloud, security solutions must adapt to a new set of assumptions and more ephemeral workloads, application identity, and dynamic IP addresses. To avoid making an already complex situation worse, security tools simply cannot add to the complexities of multi-cloud– they should be easy to implement and work natively. An emerging ecosystem of cloud-native but cloud-agnostic solutions can enable organizations to deal with the complexities of multi-cloud security across all public and private clouds.
Security Must Be Standardized and Centralized Across Clouds
Many IT leaders are hesitant to make the switch to multi-cloud for a number of reasons, one of which is a lack of budget. According to our research, multi-cloud security is a top priority for 96 percent of IT leaders. However, 76 percent of companies underinvest in it. IT leaders understand that operating on multiple clouds is necessary as they continue to grow, but the challenge of actually implementing it can be overwhelming and incredibly costly.
Most companies also lack the security architecture needed for successful multi-cloud security, and their employees don’t have the right skills to implement it effectively. Currently, 72 percent of companies that do already operate on multiple clouds have a different security strategy in each of their cloud providers. This is incredibly difficult for IT teams to manage and will inevitably cause a wave of security incidents. IT leaders already struggling with visibility and security challenges are hesitant to switch to multi-cloud as they have realized that their problems multiply with each new cloud and their custom security model requirements.
IT leaders need to adopt a multi-cloud security mindset and become confident in multi-cloud visibility. They must allocate a budget and empower their cloud security architects to develop a strategy that will enable security with centralized visibility and standardized control across each cloud.
The Potential of Another Log4j Means We Must Assume Vulnerability
Recent threats and incidents have made it evident that there is no such thing as an invulnerable app. IT teams cannot keep waiting for the next security vulnerability to occur to begin implementing new security processes. Cloud security must assume vulnerability and exercise the best practices of defense in depth– defenses inside and outside every app are necessary and must be automated to keep pace with the cloud. Security architects can’t just rely on posture management or basic access constructs– they must consider security controls in each layer of the stack, including the network. They must consider not only how they monitor and stop malicious activity from entering the environment but also how threats might move laterally or how they would know if data was exfiltrated.
And this is not about replicating data center security model in the cloud. The cloud is different, and given the relative openness of the public cloud, new security controls are required to stop unwanted activities, including outbound communications to malicious domains.
While some companies may not see the need to implement a multi-cloud security strategy at the moment, they never know what is coming. Most businesses didn’t plan their endeavors that way, and because of this, adoption was decentralized, and different groups did different things. IT leaders should leverage an end-to-end cloud-native security approach that consolidates multi-cloud security. Centralizing multi-cloud visibility and control enables a more dynamic security function that can move faster, more confidently, and provide better security outcomes. They can meet critical security and compliance requirements without compromising or inhibiting the speed of the business.
A consolidated multi-cloud security policy will enable IT leaders to adapt to the new cloud requirements that business agility demands. But with the right tools, leadership, budget, and governance, running multiple clouds can open the door to growth and real competitive advantage.
- The Growing Importance of Multi-Cloud Security Architecture - December 12, 2022