Multi-cloud, more problems: the increasing attack surfaces of multi-cloud adoption
In the not too distant past, cloud computing was a concept that IT professionals would spend hours explaining to their board of directors. Now, the ubiquity of the cloud requires no further explanation.
Cloud evolution is revolutionising business operations by employing a network of remote servers hosted on the internet to store and process data instead of relying on-premise infrastructure.
Utilising a cloud-based IT infrastructure can significantly increase the cost efficiency of an enterprise. It has also been known to facilitate greater agility by allowing systems to operate without the constraints of on-premise infrastructure.
Migrating to the cloud is simple and there are several rental options on the market that can be scaled according to specific business needs. Indeed, the global public cloud market, or Infrastructure as a Service (IaaS) grew 31.3% during 2018 to US$32.4 billion, according to Gartner.
The cause of this growth may be traced to the rising number of corporations embracing multiple cloud services. Indeed, more than 73% of organisations are using two or more public cloud providers.
Perhaps this is because each vendor specialises in different aspects of cloud computing from managing and maintaining IT systems, to more flexible workflows, while offering automatic updates.
The major cloud service providers are Amazon Web Services, Microsoft Azure and Google Cloud. These services are often preferred because of their intrinsic security infrastructures. While the benefits of utilising the cloud are numerous, there are some significant shortcomings.
The decreased visibility that comes with relying on multiple third-party applications can result in a larger attack surface.
Indeed, the more an application comes into contact with the Internet, the more risk it accumulates. This risk is augmented by the fact that different providers require different services and tools to address unique problems across multiple environments.
Often the tools on cloud-hosting services fall short, especially for console and deployment security affecting enterprise customers.
This has been a contributing factor for several recent cloud breaches. The trap that ensnares many security professionals is assuming that they are completely safe and secure with no need for internal security testing. However, this is of course a myth.
The enterprise that rents virtual space on IaaS also needs to ensure their own safety, especially in environments using multiple cloud providers.
The increasing sprawl of the cloud means that there is a dire need for a new approach to cloud security; an approach that helps enterprises address vulnerabilities through one service that can assess threats across a range of platforms from a single pane of glass.
Without a system in place, blind reliance on the cloud could have detrimental consequences as breaches are increasing globally. Security professionals are expected to possess a comprehensive understanding of risk covering all aspects of the cloud.
However, defining the risk posture of your enterprise depends on what type of data is stored and processed in the cloud. Some data is more regulated than others such as: business intelligence, intellectual property, the personal information of customers, internal records, and financial information.
This data is not just valuable to organisations, but also to cybercriminals. If your corporation is putting sensitive data into a public cloud, then you are creating a promising temptation for potential hackers.
For the security professional, implementing and monitoring cloud security means dealing with a mixture of new clouds, new ways of creating and deploying apps, legacy IT, off-premise architecture, shadow clouds and potential cloud sprawl.
Addressing these challenges can be difficult with a security workforce that often lacks operational skills for every scenario.
This creates new problems that go beyond the traditional protection of physical on-premise infrastructure.
The cloud era ushers in a new way of conducting business with greater efficiency, and complications.
While increasing the speed of conducting business, it becomes more difficult to Monitor cloud assets and detect vulnerabilities. This is complicated by inconsistencies between cloud providers and the capabilities of their security tools, which typically do not collaborate with other cloud services.
In order to practically address cloud security, responsibilities must be shared by both providers and enterprises, with each focusing on the technologies that are within their remit of control.
When discussing IaaS, where the cloud provider secures the back-end data centres, networking, servers, and virtualisation; the enterprise is responsible for protecting cloud payloads such as operating systems, databases, security and applications.
This shared responsibility model puts the onus on the enterprise to protect its own workloads running in public clouds.
The enterprises intent on improving their cloud security posture should prioritise the issues not covered by their service providers. The methods of protection provided by IaaS vendors generally only protects the infrastructure they rent to the enterprise.
While these safety measures comprise an essential element of cloud security, it is not necessarily helpful for customers who have cloud security needs across other areas.
First and foremost, security professionals should secure the control plane, which consists of enterprise connections into third-party public cloud.
Security for the public control plane is all about ensuring identity access and networking management for critical applications are correctly configured, thereby reducing the risk of permission malfunction and increasing security across the board.
Secondly, enterprises should focus on securing their data plane, which includes performing security assessment for cloud workload instances (applications) for any vulnerabilities. This means that enterprises should protect any information on the cloud as thoroughly as they would if it were onsite.
Security professionals should deploy a continuous process of automatically assessing cloud environments against security best practices and security violations to recommend steps for remediation.
For the modern enterprise, the rush to multi-cloud is bringing huge operational benefits to organisations, and new classes of service for customers and business partners. Yet with these benefits comes a rapidly rising degree of risk due to inherent security vulnerabilities with cloud services.
For IaaS scenarios, responsibility for cloud security posture management and cloud workload protection rests squarely within the enterprise. Cloud providers will not do this for you. In order to ensure perpetual protection, professionals should not become complacent.
It is essential to take security into your own hands, especially when your data is in the hands of others.