How to secure your move to the multi-cloud
5 February 2019
Moving to a multi-cloud environment requires an appropriate security approach to ensure your data, applications, and systems stay protected. Steve Armstrong, Regional Sales Director of UK & Ireland at Bitglass, highlights five ways to maximise your security posture in the cloud.
There are many reasons why it makes sense to use multiple cloud service providers when selecting the cloud-based tools that will be employed in an organisation. Doing so reduces costs, minimises the risk of application downtime, keeps data for specific workloads within certain national boundaries, and allows organisations and their various departments to select the best platforms for their needs and business goals.
In recent years, the adoption of cloud has accelerated – a growing number of organisations have embraced the agility, scalability, and cost efficiencies that the cloud delivers. Now, many are implementing multi-cloud architectures in order to avoid over-reliance upon a single vendor as well as to continue growing and innovating.
Clearly, given the number of organisations adopting the strategy, multi-cloud is no longer an uncommon way of doing things. According to Forrester Research, 74 percent of enterprises describe their current strategy as hybrid/multi-cloud, with 62 percent of public cloud adopters using two or more unique cloud platforms.
Adopting a multi-cloud strategy empowers organisations to explore the widest possible portfolio of cloud solutions and platforms, identifying those best suited for their requirements. However, multi-cloud environments add a new layer of complexity to security strategies. For starters, multi-cloud significantly expands the enterprise threat surface. The way that data, applications, and workflows move between cloud services and devices will need to be understood to identify where risk and security gaps exist.
To successfully manage a multi-cloud environment and ensure that a consistent security posture is maintained at all times, data protection practices need to be reviewed. In other words, approaching security as an afterthought when adopting a multi-cloud strategy is not an option.
The following five steps should help organisations rethink their security strategies so that they can take into account the potential challenges posed by multi-cloud environments:
Step 1: Knowledge is power — gain visibility and control of your data
You can’t protect what you can’t see. This is especially pertinent when pursuing a multi-cloud strategy. Unlike in on-premises-only environments, data will move wherever it’s needed — to multiple locations, users, applications, and devices. Additionally, workflows will dynamically evolve depending on how applications or end-user requirements change. So, the ability to see into every cloud instance will be vital for identifying unusual behaviours and monitoring traffic as it moves across the network.
As more cloud services are adopted, monitoring these data flows will become exponentially more challenging; however, it will also be essential. Organisations need to be confident that they can track devices and data – in a constantly shifting environment – and apply and maintain policies as things change over time.
In particular, organisations will need the ability to:
- Use cross-app activity logs to gain detailed insight into all user and file activity, enable audits, and give IT a global view of data integrity.
- Encrypt file and file-level data while preserving key functionality like search and sort.
- Address the challenge of shadow IT by detecting and asserting control over ‘unmanaged’ applications that can be used to exfiltrate data.
Step 2: Ensure appropriate identity and authorisation controls are in place
Many organisations make the mistake of assuming that running their workloads in the cloud makes security the cloud vendor’s sole responsibility. While these cloud providers are responsible for providing certain levels of security and data protection within their offerings, the responsibility for controlling who can access that data when it is at rest ultimately remains with the enterprise.
This means that the organisation must have appropriate tools in place to protect against threats such as compromised credentials and malicious insiders. Consequently, organisations need to know where their data is, where it’s going, and who is authorised to access it. Robust authentication capabilities are the cornerstone of any solid security posture.
Security controls that help with the above include:
- Preventing data exfiltration from a sanctioned cloud service to an unsanctioned one (like Dropbox).
- Authenticating users across all cloud applications.
- Detecting user login anomalies.
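One way the cross-app activity log from Step 1 can feed the Step 2 controls, as an added example that is not part of the original article or any vendor's product: events from several cloud services are mapped onto one schema, then checked for a login from a country not previously seen for that user and for a file downloaded from a sanctioned app and uploaded to an unsanctioned one shortly after. The app names, field names, sanctioned list, 30-minute window and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

SANCTIONED = {"docs", "crm"}      # assumption: apps approved by IT
WINDOW = timedelta(minutes=30)    # assumption: download-to-upload correlation window

# Constructed sample events; each source uses its own (hypothetical) field names.
DOCS_LOG = [
    {"time": "2019-02-04T09:00:00", "user": "alice", "event": "login", "country": "GB"},
    {"time": "2019-02-04T09:05:00", "user": "alice", "event": "download",
     "country": "GB", "file": "q4-forecast.xlsx"},
    {"time": "2019-02-04T23:40:00", "user": "bob", "event": "login", "country": "GB"},
]
CRM_LOG = [{"ts": "2019-02-05T03:10:00", "actor": "bob", "op": "login", "geo": "BR"}]
PROXY_LOG = [  # web-proxy view of traffic to an unmanaged app
    {"ts": "2019-02-04T09:12:00", "actor": "alice", "op": "upload", "geo": "GB",
     "dest": "dropbox", "name": "q4-forecast.xlsx"},
]

def normalise():
    """Map every source onto one schema and return the events sorted by time."""
    out = [dict(t=e["time"], user=e["user"], app="docs", action=e["event"],
                country=e["country"], file=e.get("file")) for e in DOCS_LOG]
    out += [dict(t=e["ts"], user=e["actor"], app=e.get("dest", "crm"), action=e["op"],
                 country=e["geo"], file=e.get("name")) for e in CRM_LOG + PROXY_LOG]
    for e in out:
        e["t"] = datetime.fromisoformat(e["t"])
    return sorted(out, key=lambda e: e["t"])

def detect(events):
    """Return alerts for new-country logins and sanctioned-to-unsanctioned transfers."""
    alerts, seen_countries, downloads = [], {}, {}
    for e in events:
        if e["action"] == "login":
            known = seen_countries.setdefault(e["user"], set())
            # The baseline is shared across apps, so a first login to one app
            # is still compared with the user's history in the others.
            if known and e["country"] not in known:
                alerts.append(("login_anomaly", e["user"], e["country"]))
            known.add(e["country"])
        elif e["action"] == "download" and e["app"] in SANCTIONED:
            downloads[(e["user"], e["file"])] = e["t"]
        elif e["action"] == "upload" and e["app"] not in SANCTIONED:
            # Matching on file name is a simplification; a content hash is more robust.
            got = downloads.get((e["user"], e["file"]))
            if got and e["t"] - got <= WINDOW:
                alerts.append(("exfil_to_unsanctioned", e["user"], e["file"], e["app"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(normalise()):
        print(alert)
```

Neither alert is visible from a single service's log: bob's baseline comes from one app and the anomalous login from another, and alice's download and upload are recorded by different sources.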
Step 3: Protect sensitive data in transit and at rest
Preventing data leakage becomes more complex in a multi-cloud environment. As such, organisations need robust, cloud-based tools that can enforce controls over data access, monitor users’ online behaviours in real time, manage BYOD access, and control file sharing.
- Distinguishing between personal and corporate instances of cloud applications and enforcing different policies accordingly.
- Applying contextual access control to govern data access by a user’s job function, location, device, and more to ensure unauthorised individuals cannot access sensitive information.
- Deploying data loss prevention (DLP) capabilities like digital rights management (requiring credentials to view documents and providing read-only versions) to eliminate the risk of data leakage.
Step 4: Protect every endpoint – without inhibiting users
As more employees access enterprise cloud resources with their own personal devices, the risk of sensitive data leakage grows exponentially. Unfortunately, traditional tools built for corporate-owned or managed devices are not ideal for protecting data on these personal endpoints. To protect users and the enterprise, it’s vital that organisations can give employees secure mobile access to the data they need – without the privacy, performance, and deployment headaches caused by traditional agent-based security tools.
That will mean implementing an agentless solution that:
- Protects data at access
- Delivers malware threat protection as files are uploaded from or downloaded to any device
- Provides visibility and control over corporate data in any app
- Wipes data in the event of employee termination or device loss or theft
- Enforces encryption, PINs, and other device security settings
Step 5: Ensure interoperability between all security tools
To achieve comprehensive data protection, threat protection, visibility, and identity management across the entire enterprise cloud footprint, organisations need to ensure that the cloud security solutions they deploy will integrate seamlessly with one another as well as with existing on-premises tools. Having a disjointed IT environment can breed inconsistent cybersecurity and, consequently, vulnerabilities.
For example, cloud security solutions must:
- Extend on-premises DLP policies to the cloud
- Integrate with security information and event management (SIEM) tools
Successfully embracing a multi-cloud strategy requires an end-to-end security approach that ensures sensitive information is safe in any cloud application and any device – every second of every day. That means organisations will need to go beyond their perimeter to discover, manage, and protect their corporate data wherever it goes. It is only in this way that they can securely and successfully compete in today’s business world.