As if there weren’t enough security risks in the realm of traditional IT, the cloud presents some unique vulnerabilities. “The cloud,” although a deceptively singular phrase, is many things and comes in many forms, from infrastructure (IaaS) and platforms (PaaS) to software-as-a-service (SaaS) offerings. Each new service introduces new challenges in terms of both integration and security. And keep in mind, that’s just the cloud landscape in a singular sense. What about organizations with many public, private, and/or hybrid clouds? The emergence of Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) has given choice to this space. As a result, multi-cloud architectures are introducing new challenges to already complex security models, leaving cloud operators and admins alike scratching their heads over how to develop the right security posture. So, without belaboring the point any further, this blog seeks to answer the question: what are the security risks of multi-cloud computing?
Before jumping into multi-cloud security, let’s consider what security is and why it’s important. One of the simplest ways to describe security is that it’s basically insurance, which is true to a point. Insurance is one of those services that you buy, hoping that you never have to use it. Likewise, organizations rarely implement security programs because they want to, but rather in anticipation of a breach. The key point here is that a proper security program is proactive. It actively helps organizations avoid threats to their data, employees, and reputation. An organization that takes security seriously can turn it into an asset that enables the business. This means viewing it as more than just a part of a risk management portfolio.
Risks With Data Governance
IT security professionals only have so much influence in the data integrity discussion. With that in mind, organizations of all sizes need to implement robust data governance models and policies. Data governance defines exactly what data an organization has, how it’s used, and how it’s managed. These organization-wide frameworks also outline in which systems and locations authoritative data is housed, and identify who has access to it along with other meta properties.
Different divisions using data differently can wreak havoc on their organizations by making decisions on the basis of different assumptions. The security policies and frameworks you create for your single location or multi-cloud-centric company can’t be developed in a vacuum. You have to engage a broad group of stakeholders. Your security policies will intersect these other efforts and will both inform them and be informed by them.
Risks With Human Error
Access management is one of the most critical areas of cloud security, and organizations need to plan very carefully to ensure a sound security posture. A Dow Jones Customer Intelligence Study found that “68% of executives whose companies experienced significant breaches in hindsight believe that the breach could have been prevented by implementing more mature identity and access management strategies.” Unfortunately for you, even with an effective process in place, privileged credentials alone are often not the solution. A large number of breaches involve privileged credentials, which indicates that once a boundary is breached, potentially via an employee with a lower level of access, the credentials of someone with administrative access are eventually obtained. One defense against this is the use of multi-factor authentication. You will see a greater infusion of authentication apps for mobile devices in the coming year.
To ensure the security of your infrastructure and data, it is important that you design a strong RBAC (role-based access control) strategy along with a directory service to manage centralized access. Build policies to ensure that your staff have only the least-privileged access they need. Enact need-based access policies so employees get access to specific resources only for a limited time, with access expiring after a certain duration. Perform regular audits on a quarterly or yearly basis, according to your business requirements, to ensure that only valid users exist in the system.
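An added example (not part of the original post) of the periodic access audit described above: it checks a constructed inventory of grants from several clouds against the central directory and flags grants that have expired, never expire, or belong to users no longer in the directory. The record layout, role names and dates are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data: active accounts in the central directory service.
DIRECTORY = {"alice", "bob", "carol"}

# Constructed sample grants, as exported from each cloud's access inventory.
# Role names are illustrative labels, not real provider role identifiers.
GRANTS = [
    {"user": "alice", "cloud": "aws", "role": "s3-read",
     "expires": "2024-07-01T00:00:00+00:00"},
    {"user": "bob", "cloud": "azure", "role": "vm-admin",
     "expires": "2024-05-15T00:00:00+00:00"},
    {"user": "dave", "cloud": "gcp", "role": "bq-viewer",
     "expires": "2024-08-01T00:00:00+00:00"},
    {"user": "carol", "cloud": "aws", "role": "iam-admin", "expires": None},
]


def audit_grants(grants, directory, now):
    """Return (user, cloud, role, reason) for every grant that breaks policy."""
    findings = []
    for g in grants:
        reasons = []
        if g["user"] not in directory:
            reasons.append("user-not-in-directory")  # leaver or unknown account
        if g["expires"] is None:
            reasons.append("no-expiry")              # violates time-limited access
        elif datetime.fromisoformat(g["expires"]) <= now:
            reasons.append("expired")                # should already be revoked
        findings.extend((g["user"], g["cloud"], g["role"], r) for r in reasons)
    return findings


def revocation_list(findings):
    """Group findings per cloud so each platform's admins get one work list."""
    per_cloud = {}
    for user, cloud, role, reason in findings:
        per_cloud.setdefault(cloud, []).append(f"{user}:{role} ({reason})")
    return per_cloud


if __name__ == "__main__":
    audit_time = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed audit date
    report = revocation_list(audit_grants(GRANTS, DIRECTORY, audit_time))
    for cloud in sorted(report):
        print(cloud, report[cloud])
```

Grouping the findings by cloud matters in a multi-cloud setting because the revocation itself has to be carried out separately on each platform.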
Remember, IT no longer has full control over the provisioning, de-provisioning and operations of the cloud infrastructure. This decentralized ownership has increased the complexity for IT teams to provide the compliance and risk management policies required to protect their businesses. IT needs to find new ways to exert soft controls to protect the business, while not inhibiting the agility their stakeholders expect now from the cloud.
Risks With a Shared Security Model
If you work with data in any capacity, it’s likely you’ve heard someone say, “Security is everyone’s responsibility.” And to be honest, that’s a true statement. We’ve obviously just established how vital an individual’s impact can be when it comes to cloud security. That is exponentially amplified in a group setting. In order for a business of any size to stay protected against the growing threat landscape, everyone has to maintain some level of awareness and do their part in fending off bad actors. As with all things IT though, there is a bit more nuance. Different people sometimes have different ideas about where to draw the line on getting a job done and making sure that security is front and center. Too many people believe that moving to the cloud releases them from certain obligations such as backups and security. Their rationale is that the cloud provider handles these functions.
This is dangerous thinking that can leave you exposed. In the world of cloud, shared responsibility means that your organization retains security responsibility for certain aspects of the environment while the cloud provider handles other aspects. The provider ensures that its service is secure. The provider makes sure that the services that you’re consuming are protected, including the hardware and the software. You, however, retain significant responsibility for the applications and data that you’re operating in the cloud, including securing the operating systems, networks, and firewalls that support your applications. Can you imagine the chaos that would ensue if large public cloud providers were forced to control everything clients did just to make sure that it remains secure? The cloud provider secures what it provides, but you’re responsible for the rest.
So, What to Do Now?
If you’re not confident about your security posture in any of these areas, don’t fret. Nutanix is here to help. We’ve recently partnered with Wiley Publications to produce the Multi-Cloud Security for Dummies Ebook. We offer knowledge and stories to aid in your quest to provide your organization with the best possible security posture. The ebook will help you secure your multi-cloud environment while enabling the activities that make your business successful.
© 2019 Nutanix, Inc. All rights reserved. Nutanix, the Nutanix logo and the other Nutanix products and features mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s).