Security for Hybrid Multi-Clouds

According to PAC cyber security experts, a hybrid multi-cloud infrastructure is the norm. Companies face the challenge of identifying and implementing the appropriate cyber protection as this infrastructure approach is becoming increasingly complex.

The overall problem, at the moment, is twofold and driven by the increasing digitalization of companies of all sizes: Complexity, on the one hand, is driven by a mixture of legacy applications which are hosted on-premises on a company’s servers (or hosted/housed elsewhere) and new applications which are often sourced from public or private cloud infrastructures via a SaaS model. On the other hand, heterogeneous infrastructure leads to the need to use different security models.

Here are some specific problems and their solutions:

• Cloud usage itself must be secure - The responsibility to secure the cloud (security of the cloud) lies with the IaaS provider (i.e., hyperscalers). By protecting their data centers, cloud service providers adopt all the necessary cyber security measures that might be relevant. The task of securing within the cloud (security in the cloud) lies jointly with the IT users, their IT service providers, and the cloud providers. These solutions include backup and recovery, the security of the container and everything within and around the container, and, if necessary, the implementation of microsegmentation architectures. Cloud security (security for the cloud) can be provided via three different approaches beside standard web application firewalls: first, cloud access service brokers (CASB), which consolidate various types of security tools such as authentication and authorization, enforcing corporate security policies when accessing cloud-based resources. Second, secure access service edge (SASE) combines network and network security functions as a service by consolidating several different security solutions such as Zero Trust Network Access or SD-WAN. Third, the relatively new cloud security posture management (CSPM) uses IT security tools designed to detect misconfigurations and compliance risks in the cloud. An essential purpose of CSPM is the continuous monitoring of the cloud infrastructure for gaps in the enforcement of security policies.
• The legacy environment must be secure - Protecting the legacy environment is a challenge as there are already security measures and tools in place that need to be modified and adapted to a hybrid multi-cloud environment. By requiring a unified view, this can be solved via network security (e.g., network access control) and data center security (e.g. SSL deception).
• The endpoints must be secure - Endpoints, or more precisely, end users, have finally moved back into the focus due to the COVID-19 pandemic and the increase in remote work. Securing these is of the utmost importance, especially when dealing with a heterogeneous mix of company infrastructures. This can be achieved via endpoint detection and response (EDR) tools, application control, and secure desktop solutions, in addition to traditional anti-virus solutions.
• The heterogeneous infrastructure must be secure - A higher-level approach, including governance, risk & compliance, data and application security, and identity management, is needed to secure the entire heterogeneous infrastructure and all solutions. Central monitoring via security operations centers (SOCs) and computer security incident response teams (CSIRT) can solve this issue. Depending on the organization, outsourcing this to a suitable managed security service provider is the best approach in most cases, as security resources are limited.

Nevertheless, the combination and its characteristics must be designed individually and subject to a comprehensive target-performance analysis in each case to provide the best possible protection. The development of the cyber security strategy and of security policies, as well as service provider management should remain in-house.

The most critical questions that decision-makers should ask themselves when choosing an IT and security services provider are:

• How many different IT service providers can be effectively managed?
• Are my geographical requirements in line with the potential partner?
• Is the provider’s cyber security portfolio (supported solutions, partnerships) compatible with existing investments?
• Does the potential partner meet industry-specific and process-specific requirements?

A recent PAC InBrief report provides an in-depth analysis of market developments. The report analyzes different paradigms (security first, assumed breach, zero trust) and technical aspects (AI-driven cyber security platforms) as well as newly developed concepts (SASE, microsegmentation). It answers questions about their combination and existing solutions, and about the scope required to guarantee security for the hybrid multi-cloud.