Security in a hybrid, multicloud world
Hybrid and multicloud environments have made it crucial for enterprises across the board to manage complexity at scale. Failure to do so represents the single biggest risk to any organisation adopting a multicloud approach.
So says Mikey Molfessis, cyber security specialist at Mimecast, adding that the cloud vision was always that there would be a short period of hybrid during the journey to cloud, and these environments would eventually disappear.
"It didn't pan out that way," he says. "Many organisations choose not to 'complete' the journey to cloud for a variety of reasons, usually related to risk and cost. This means cloud vendors can't just treat hybrid as a temporary aberration, but need to address it as an inevitable part of cloud architecture and the security architecture. Many cloud vendors have amazing features that work well in pure cloud configurations, but fail to work in hybrid or multi-cloud configurations. This adds complexity to securing environments as organisations have to manage security for cloud and on-premises environments."
Both hybrid and multicloud are tightly woven into cloud strategies and have been from the early days of cloud computing, says Jon Tullett, research manager for IT Services at IDC South Africa.
"They've evolved a great deal, although in most cases, it's been parallel development rather than one influencing the other. Multicloud usually implies management and orchestration capabilities, using automation APIs already published by providers. IDC has forecast that 90% of organisations will embrace a multicloud strategy within three years; there are very limited reasons not to do so," he says.
There have been some significant changes along the way. For example, Google, Facebook, Twitter, and Microsoft formed the Data Transfer Project to coordinate data exchange, a clear nod to multicloud realities, adds Tullett. "Hybrid is less of a play than was originally envisaged. It's technically feasible to construct a viable hybrid cloud platform, but very complex and expensive. The growth of multicloud mindshare reflects that; coordinating workloads among multiple environments is far more realistic and offers a much better return."
Increasingly stringent regulations, such as GDPR and PoPI, have also added to the complexity involved with securing hybrid and multi-cloud environments.
Jeremy Matthews, regional manager: Africa at Panda Security, says: "Adhering to the regulations requires far more than securing data. In addressing the requirements, organisations should be implementing data security practices and the technologies that enable regulatory compliance."
With these regulations, there are strict rules around how businesses can collect, process and store information that could lead to the identification of an individual, including names, ID numbers and even IP addresses and location data, adds Andrew Voges, Threat Prevention sales leader, Check Point Middle East and Africa.
He continues: "Moreover, both regulatory standards put the individual at the centre of data protection, giving them the right to know how their personal data is being used, stored, protected, transferred and deleted, as well as the right to be forgotten. This naturally has a significant impact on security, including cloud platforms, as data protection needs to be a top compliance and strategic priority for companies and governmental organisations. Businesses can no longer only focus on securing their own environments; instead, they also need to apply the same level of protection to all the personal data they have in their possession."
Molfessis believes the move to greater data protection exemplified by new regulations is likely to become the norm. "While South Africa's PoPI Act is yet to be fully implemented, businesses are preparing for it. GDPR is actually less about privacy than about good data governance, which includes data management and data security. This involves having the appropriate prevention, detection and remediation measures in place. Cloud security that focuses on a defence-only approach, as opposed to a cyber resilience approach, has been found wanting. When it comes to preparing to manage and adhere to data regulations, organisations need to think beyond traditional, defence-only security. They need to implement a holistic cyber resilience plan that embodies advanced security, business continuity, data protection and end-user empowerment."
According to Voges, with the shared ownership of assets in the cloud between cloud provider and end-user, knowing who is responsible for security is often unclear, and can lead to additional confusion. "In a typical Open Systems Interconnection model, there are seven layers of computing infrastructure that need to be secured - the physical layer, the data link layer, the network layer, the transport layer, the session layer, the presentation layer and the application layer.
"Layers one to three security are covered by the public cloud vendor, and layers four to seven should be protected by a full-fledged cloud security solution platform, falling under the responsibility of the organisation, and should be overseen, controlled and managed by the CISO and his department," adds Voges.
Dragan Petkovic, Cloud Platform Security leader ECEMEA at Oracle, says there's a shared responsibility model between cloud customers and a provider, but that responsibility ultimately lies with the customer as part of a due diligence process. "Within a shared responsibility model, each party has responsibility over its area of control. For Infrastructure-as-a-Service, the cloud provider will be responsible for network security, giving secure access, security between virtual machines and so on. Within Platform-as-a-Service, say Database-as-a-Service, appropriate multi-tenancy, encryption and segregation of duties will be added."
It's Molfessis' view that it's very much a shared model, but, ultimately, the head of the organisation with appropriate authority must own it and delegate to CIOs and CISOs. "It's bad practice to outsource responsibility to a vendor, because laws like GDPR explicitly distinguish between data processors and data controllers. Even in a multi-cloud environment, the cloud providers are simply the data processors. While the cloud providers do have a role to play in the security model, the ultimate responsibility rests with the organisation."
Zaheer Ebrahim, presales engineer, Trend Micro, Sub-Saharan Africa, believes responsibility needs to be divided. "Firstly, internal IT. The role of security will have to be a split of responsibilities between both the CISO and CIO. The CIO owns the cloud platform, which has some security features built in at the hypervisor and physical level, while the CISO owns the IT security of the organisation. These two will work together to ensure the security is operating at an optimal level. Next, the cloud environment. This will be a shared responsibility model. Virtualisation, storage, networking and servers are the responsibility of the service provider while the application layer is the responsibility of the client."
Responsibility becomes a greater issue when an organisation considers data residency, or the legal or regulatory requirements imposed on data based on the country or region in which it resides. Is it possible for an organisation to ensure its data remains under its control?
According to Tullett, it's not. "Your data is never fully under your control; you just put measures in place to manage risk and exposure. Regarding data location, the big cloud providers are taking steps to help with data sovereignty - building out more regional centres and providing tools to manage data and workload geographic restriction. And it created a market for local providers able to assist with specific local requirements, which is good."
Petkovic sees data residency as more of a regulatory issue. "There are countries where regulators insist that certain data can't leave country borders. Some regulators are extremely stringent with data residency, and I respect their decision, but the principle of adequacy might be more practical. Having your data in a territory that provides an adequate data protection framework is usually sufficient if datacentres aren't available in a given territory. We touched on the reality that most organisations will be multicloud. In large territories, datacentres from top cloud providers should be available. Opening of datacentres for smaller territories will probably not be as fast. This phenomenon will be even more pronounced when it comes to the specialised industry vertical cloud solutions from smaller vendors in cases where data residency is a must and a datacentre is not available, or even in cases where data must stay within the organisation's perimeter."
Ebrahim adds that the majority of cloud providers have employed security assurance to assist clients with the shift to the cloud and ensure that they meet these stringent laws to remain compliant. The organisation should also take steps to understand where the data is replicated so they always know where the data resides.
Effective data protection
So, with all the challenges of control, responsibility and regulation, how should organisations go about protecting their data?
From a vendor perspective, it's important that they have adequate security in place, but this isn't always good enough, says Molfessis. "Relying on a single cloud vendor is risky. It's important to have advanced, layered security in place. Unfortunately, cloud-based services offer a very broad attack surface for threat actors. The volume of users on cloud-based email services like Google or Office365 means there's more malware created for these environments. Hackers know they have only one lock to pick to gain access, so they focus their attention on cloud services because of the potentially large payoff. The way to avoid that is to have a defence-in-depth approach and not rely on a single cloud vendor, especially in a hybrid or multi-cloud environment. The single biggest assurance a company can have that data in a cloud environment is safe from accidental or deliberate encryption or erasure is to ensure that there's a third-party copy of their data stored by a different cloud provider in a secure fashion."
Molfessis says in addition to protecting your data with targeted threat protection, it's important to store data in a fully encrypted, immutable and redundant system. "A multipurpose archiving solution can help mitigate the risk of losing data, by creating a digital corporate memory and allowing you to restore data, on demand. Businesses can rest assured that their data is always available, always replicated and always safe in the cloud."
Petkovic says his first step would be to choose a vendor that's financially sound and will likely stay in business in a very competitive market. "The first thing that comes to mind with data breaches is confidentiality, but it's not the only one. The availability and integrity of the data are as important in some cases. There are already regulators realising it and they require from subjects to have due diligence plans for changing cloud environments altogether and recovering their data. Having a business continuity plan for the cloud that caters to all eventualities is also required. A multicloud strategy, which sometimes might be an operational nuisance, can help here. For confidentiality and personal data protection reasons, the choice of datacentre from a reputable vendor in the territory with adequate jurisdiction is key. Having technical controls, such as CASB, in place is probably the first thing anyone should do for the security of their data."
According to Ebrahim, a good security approach with the right people, process and technology should be used when designing the roadmap and migrations to the cloud. "Organisations should always understand where their data is and what security measures are taken to secure this. Regular audits should be done to ensure the compliance levels are met."
In Matthews' view, an effective advanced cyber security solution needs to be based on two fundamental pillars - security and information management. "The first step should be a change in mindset to a proactive approach of assessing the state of cyber security in the organisation. An internal audit will verify the security status and provide insights for developing a comprehensive cyber security strategy."
Today's dynamic threat landscape calls for a combination of advanced cyber security solutions, and human and computer intelligence. Any security solution needs to offer the kind of prevention, detection, visibility and intelligence to protect the organisation against cyber attacks. "Regulations demand reporting and accountability that can only be evidenced by constant visibility and control of endpoints," concludes Matthews.