Investment in multi-cloud environments is dominating long-term IT strategies for many organizations, but there are still a lot of unknowns when it comes to security. In fact, at Google’s recent Cloud Security Summit, leadership cautioned organizations to take a “hard reset” and rethink their cloud security approaches. This is especially needed given the increase in attacks on software supply chains, zero-day issues in email services and ransomware impacting our critical infrastructure industries.
Clearly, the demand for cloud enablement is growing and there are benefits to having a multi-cloud strategy. First, it enables organizations to avoid “vendor lock-in.” It also enables them to avoid having to rely on a single vendor for all their cloud-based needs. Second, it allows them to take advantage of features that best serve a specific business area that different cloud service providers (CSPs) may offer. Lastly, it helps to protect them against data loss and/or downtime, as an issue in one environment won’t necessarily spill over into another.
But deploying a multi-cloud strategy can be a minefield for some to navigate, especially when looking at security challenges. A recent study conducted by Tripwire found that most security professionals say that taking a multi-cloud approach has created additional security challenges for their organization.
Furthermore, with multiple cloud environments to manage, some organizations struggle to maintain compliance with regulatory standards and gain visibility into the vulnerability landscape across their entire cloud infrastructure.
This reality raises several challenges organizations must overcome to benefit from their long-term investment. Here are a few things to consider when assessing your organization’s cloud security posture:
Rely on Established Frameworks to Address Security Gaps
The study found that the majority (59%) of organizations have configuration standards for their public cloud and use best-practice security frameworks (78%). Still, only 38% of framework users apply them consistently across their cloud environments. Lack of consistency likely stems from having a wide variety of standards to choose from, but the Center of Internet Security (CIS) Benchmarks are an excellent place to start. They offer a mature set of standards that provide guidelines for multiple cloud providers and operating systems and applications. In addition, CIS offers benchmarks with prescriptive guidance for configuring the security options of organizations’ AWS, Azure and Google accounts. The framework is designed to protect organizations from risk when they set up their cloud accounts.
Understand the Skillsets on Your Team
When it comes to managing cloud environments, the research indicated that most organizations rely/relied on existing security teams to complete training or self-teach. Yet, only 9% of those surveyed would categorize their internal teams as experts. It may seem obvious, but failing to address a skills gap can directly impact your organization’s security posture – incidents like the attack on the Oldsmar, Florida water supply reiterate that a security team or a specific team member is often our first line of defense. Ensuring that your team is trained and adequately resourced to support the intricacies of different cloud platforms is essential for long-term success.
Know Your Role in the Shared Responsibility Model
CSPs offer a variety of default security configurations, but at the end of the day, it’s their job to deliver a platform and the tools to manage that platform, not to secure the environment. This notion increases dramatically when you consider a complex, multi-cloud setup. Most (98%) security pros feel the disconnect and want to see specific security improvements from their cloud partners, including communicating security issues faster and following consistent security frameworks. But even if CSPs do make improvements, the best way to cover your bases is to introduce a third-party security platform. An ideal solution will deliver a consolidated view of configurations across the entire cloud environment and help mitigate security issues as well as real-time visibility into how your organization is tracking against a specific framework or benchmark.
Cloud security best practices will continue to evolve as organizations better understand the environment(s) and more business is conducted in the cloud. That said, there is no replacement for a strong foundation that relies on proven hardening standards, a knowledgeable team and the right third-party security solution to protect and maintain the integrity of your digital assets.
Tim Erlin VP of Product Management and Strategy, Tripwire