By Peter Smith, CEO and Co-founder, Edgewise
It’s clear the future of IT lies in hybrid cloud, thanks to its ability to increase an organization’s scalability, agility and cost savings. According to a recent survey from Microsoft, two-thirds of enterprises already use hybrid cloud, more than half of these just deployed in the past two years. What’s more, this growth isn’t anywhere near finished. Analysts expect spending on hybrid cloud will grow more than 300% from 2017 to 2023, topping $138 billion.
Digital transformation will help a business to discover new ways of engaging with customers, create a smarter enterprise, and define new business models. Significantly, the nature of digital technologies allows it to deliver different outcomes for different business functions. For example, the CIO gains from increased speed and agility of the IT environment, the CMO can orchestrate campaigns better and acquire more customers, the CSO can now have a scalable and predictive engine and forecast more accurately, the CFO benefits from reduced costs, increased revenues and profits, while the CHRO enjoys improved employee experience and engagement. Undoubtedly, digital technologies CIOs now see the cloud as potentially more secure than their own environments, thanks to the massive resources and expertise cloud providers are able to dedicate to cybersecurity.
While security used to be a primary concern preventing enterprises from using the cloud, that thinking has shifted dramatically.That doesn’t let the enterprise off of the security hook, however. Cloud providers secure their own infrastructure, but it’s still up to the customer to lock down access to data stores (e.g., S3 buckets) and workloads. That’s no simple task. Each cloud operates differently, so as additional environments are added, the level of management complexity increases exponentially for network and security teams. And as complexity grows, so does the likelihood of misconfigurations and other errors leaving a cloud environment vulnerable to attack. Even worse, the tools security teams use to protect their on-premises data centers aren’t well suited to the autoscaling environments of the cloud.
The best way to cut through all of the multi-cloud complexity is to adopt a security model that operates independent of the environment. And a good place to start is the data, which, let’s face it, is the asset that bad actors are almost always targeting. Here are five capabilities to make sure you have in order to secure your hybrid cloud environment from attacks.
Preventing unauthorized access to data is clearly critical for cloud security, but it’s not sufficient. Limiting access to authorized apps and users is a necessary start, but sophisticated attacks will use stolen credentials or even piggyback on authorized communication paths to reach their target. More is required to protect data-rich applications and services inside hybrid cloud networks.
For example, software, devices, hosts and servers all require access to other network assets, but it’s easy for malware to exploit these communication pathways to propagate laterally across the network. So instead of relying on “trusted” network connections, security controls need to allow access after verifying the identity of software and services — a core tenet of zero trust networking. Additionally, prior authorization should not be used to grant new access; it must be iterative and awarded on a least-privilege basis.
One of the big advantages of basing access on identity is that it can operate independently of the underlying network. That’s especially important in autoscaling environments like the cloud, where addresses change constantly.
It’s impossible to protect data or systems if your security team is unaware that they exist, and in today’s sprawling networks across multiple environments, it’s easy for even important assets to be overlooked. Security tools must have the ability to provide a current inventory of all assets and data. Doing this manually is far too time-consuming and error-prone, so tools should automatically discover and update the asset inventory.
This leads to our next capability, because discovering and mapping the environment is certainly not the only security function that’s too complex to handle manually. Automate low-level tasks to free up security teams’ time so they can focus on critical, strategic initiatives. Rote and routine processes are important, but they are best performed by algorithms, which can complete them faster and more accurately.
Flat networks are fast and easy to use, but these benefits don’t just apply to users — attackers take advantage of them as well. Instead, the network needs to be segmented into much smaller “secure zones” governed by policies that allow only those applications, devices and users to access them. In this way, we move security much closer to the assets we want to protect.
In a microsegmented, zero trust environment, all network traffic is assumed to be hostile and so the identities of workloads are verified before they are allowed to communicate. The traditional model of a hard shell just won’t work in a threat landscape where hundreds of thousands of new malware files emerge on a daily basis. Eventually, something will penetrate the perimeter and, if the interior isn’t hardened, malware has free rein to do as it likes, moving across the network until it can access the data it’s seeking.
Every security professional knows how important keeping devices and applications up-to-date is to an organization’s security posture. However, sometimes circumstances require delaying the deployment of a new patch. Still, even though it might not always be possible to do so immediately, the security team has to know when assets are out of date. At the very least, security can update policies to strictly limit communications to unpatched software or devices.
A Time for Change
The hybrid-cloud landscape presents some tricky challenges when it comes to security. Their autoscaling nature alone means many of the tools and methods that security teams are accustomed to using no longer apply. A new security paradigm is required that replaces the “hard shell / soft center” approach with one that moves security close to the data that needs protection by microsegmenting the environment, adopting a leastprivilege access model and basing authorization on immutable identity of the communicating workloads.
This is a tall order, and frankly, would not have been feasible even just a few years ago. But with the help of AI, machine learning and automation, cloud security is now within reach of any organization. And given how dangerous the threat environment is — and it’s getting worse all the time — this change is overdue.
Disclaimer: CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.