By William Klusovsky, CISSP, CISM, NTT Ltd.
Networks for our businesses are not as simple as they used to be. With the evolution of cloud environments and the multitude of “everything ‘as a service’” offerings, we are faced with a gauntlet of additional security challenges.
Dealing with multi-cloud presents many security challenges, one being simply the sheer quantity of providers. Working with one cloud provider is an endeavor, but many organizations today are dealing with four or more providers, and this creates an expanding array of tasks. At the “1’s and 0’s level”, your security engineers are probably already addressing plenty of issues, but there are additional risks to the business you may not have remediated or even identified yet. As the following illustrates, managing multi-cloud security also calls for competence in policy, negotiation, organizational alignment, budgets, business processes, and partnerships.
One of the largest and most difficult challenges we face with the plethora of cloud solutions is understanding exactly which party is responsible for what aspects of security and to what degree. Is the service provider on board with your company’s compliance requirements? Will you be able to audit them or conduct pentesting? In the event of a breach or loss, how does the incident response play out and who has liability?
At the end of the day, this requires a lot of diving into contracts and working with lawyers. That may not be what you signed up for, but as security leaders, we have to understand how our controls and policies will – or will not – be applied. As an example, your hardening standards may exceed the capabilities or willingness of a provider. If that’s the case, how will you address the additional risk? And from your own compliance standpoint, how do you account for an exception? Many times, cloud services may push back on requirements, making their link in your chain of security a weak point. When that happens, you’ll need to address the issue both technically and contractually.
In the multi-cloud world it’s likely you are using some form of Identity and Access Management (IAM). Even with these robust solutions, you have to understand how to restrict access. Will you leverage a least-privilege or a role-based solution? And will all of your cloud vendors accept and apply those rules? What about data shared between multiple providers? This area of concern is complex, and the right solution will vary based on the services you are consuming and your business, but it will require a very detailed evaluation. The key here is understanding your data and processes, something many businesses struggle with. Multiple business lines will need to be on the same page as to how to access data, what those processes will be and how to maintain security while enabling the business. You will need to talk to these business lines and understand them.
Now that we know who is responsible for what and how we’ll access “the clouds,” how are we going to protect the data? Service providers are likely encrypting your data in transit, but not at rest, and many will charge a lot more to do so. Does your data protection solution extend or work with your provider, or are they offering their own solution?
You also have to translate how your requirements impact costs. As business leaders, we are challenged to keep the business secure, without negative impacts and within budget. The selection of the right vendor is key, as is partnering with the right vendors to deliver what is needed. Notice I said “partnering”: often, just buying the cheapest solution can end up costing more than the right (more costly) one. This is even more critical in multi-cloud environments, where you could have data residing in multiple locations with different levels of protection. Here we need to understand the business processes and then apply the necessary controls at all steps of data flow and across the multi-cloud design. If gaps exist, you’ll have to address them with a compensating control or possibly some acceptance of risk to the business.
Even if you are not officially living in the multi-cloud world, you’re likely already dealing with Shadow IT, which includes a multitude of cloud-based apps and services that individual users or departments employ because it just makes their jobs easier. The solution here is again to understand the business process and identify how the data is used, why those services are in place and what data is really required. Some business lines send excessive data outbound because “it’s easy.” Automating or streamlining a process to send only relevant data can reduce risk and improve the operation. With existing Shadow IT, start by identifying what the risk is, relative to the services being used. Once the risk is understood, take measures to reduce it through redaction, masking, encryption, new processes or other approved solutions.
Tracking Shadow IT is a continual challenge. Having a great asset management program in place can help reduce the risk, as can documenting data, data flow and business processes. Couple those steps with strong integration of information security into systems development and acquisition processes and you further reduce risk by getting involved early in the process. Moreover, you do so as an enabler to the business. Often security is seen as a roadblock; working with business lines to improve their processes in a secure manner helps position the CISO organization as a valuable partner.
Monitoring & Response
This is where the preceding areas come together. You’ll need to look into what traffic you can actually monitor within the multi-cloud, as well as what monitoring services are available, which providers allow you to use your own solutions, where all of the monitoring data is originating from and where it is going. Ideally, you want this all managed in your own SOC or by an MSSP, but there is a chance you’ll have multiple feeds for different services. The goal is to be as efficient as possible without leaving any crucial areas unchecked. This may take time and long-term planning. Take the time to analyze this and incorporate it into your risk management program.
Getting It All Done
How many organizations finish 100 percent of their security projects every year? The simple fact is there are more needs than there are individuals to address them. In order to realize more progress in multi-cloud security, you may want to bring on someone who has relevant experience or else contract out some projects to help with the stepping-stones.
Create a plan of your current and desired state, identify high-level tasks you need to do and then realistically assess what steps you can and can’t do. Be honest. Data discovery, business process documentation, and asset management may be areas you can’t tackle alone. Or if those tasks are well in hand, maybe it’s the complexity around deploying and managing access controls across the multi-cloud. Seeking knowledge, training or aid will reduce the headaches and boost your probability of success, leading to earlier completion dates and overall better management of the challenging, multi-cloud security environment.
About the Author
William Klusovsky has 20 years in the InfoSec and IT industries, is a US Marine Veteran, and held multiple positions in retail and consulting. He is currently the Sr. Director of Client Strategy with NTT; his team advises security leadership across the industry spectrum. He maintains CISSP and CISM certifications and holds an MS in Information Security Management, as well as business coursework from The Wharton School and Univ. of Notre Dame.