Operating the same security policy for an entire cloud environment and all mobile devices may seem like an impossible dream...but is it?
Multicloud environments are becoming increasingly popular. In the past, businesses only had to deal with applications in their own data centre, though now they also have to deal with an average of three to four additional cloud environments. In this article, Mohamed El Haddouchi – Director of Solutions & Innovation at Infradata – addresses the big question: how do you secure environments like these?
"Complexity kills security" - Mohamed El Haddouchi, Director of Solutions & Innovation at Nomios
'There are a number of security measures that you can implement in any cloud environment. The problem is that when you have three or four separate environments – each of which requires a different procedure – it's difficult and time-consuming to manage them all separately. After all, Amazon Web Services does things in a completely different way to Microsoft Azure, and your company network has its own security policy too. Before you know it, you're having to juggle four or five different security policies simultaneously and somehow find a technological solution for all of them.'
Supplement, don't substitute
This makes things extremely complex and expensive. 'Complexity kills security,' explains El Haddouchi. 'Therefore, you have to carefully consider how you can ensure optimal security for your business using your existing security systems and processes, supplemented with new security opportunities offered by the cloud.'
According to El Haddouchi, it is vital to consider how you can securely interconnect different cloud environments via a single security architecture for the entire multicloud environment. 'For example, certain security features within AWS can be used within Microsoft Azure. This way, you can operate the same security policy, perform the same inspections, and receive the same reports whether the application in question is in the cloud or on site.'
<?UMBRACO_MACRO macroAlias="ClickToTweet" Quote=""Complexity kills security... "You have to carefully consider how you can ensure optimal security for your business using your existing security systems and processes, supplemented with new security opportunities offered by the cloud."" />
The goal is to simplify the security architecture so that it no longer matters whether applications operate in the cloud or on-site. This also makes it much easier to manage both costs and security. Security is substantially improved as you are able to view and monitor everything from a single central location, giving you an overview of the entire environment.
Central control point
Besides the transition to multicloud, other developments and transformations on the user side have had an impact on security, such as the rise of mobility. Employees now use all kinds of mobile devices, such as phones, tablets, laptops, and smart watches.
'Every employee now has multiple devices, and this is only compounded the rise of IoT, which introduces printers, cameras, sensors, and alarms into the mix. This means the number of devices that you have to manage has increased exponentially.'
"...you have to do everything you can to recognise and identify the user of the device so you are certain that you know who they are." - Mohamed El Haddouchi, Director of Solutions & Innovation at Infradata
Everything is connected to the network, and more and more devices now require connectivity with the cloud. 'This means you have to think differently nowadays,' explains El Haddouchi. 'It's no longer enough to say "okay, that's my perimeter, now I'll just add some firewalls, endpoint security, maybe some anti-DDOS protection and SIEM software, and that's that." Nowadays, you have to think about the identity of the users and their potential motivations.'
In short, security has to become completely independent of the devices used. 'You need to know exactly who is logged in, whether it's with a computer, mobile phone, or other device. It's all about identity: who is using the device and what is this person allowed to do within your network or environment? Identity has become a vital aspect.'
The next step is to verify that the person is who they say they are. Identities and passwords can be stolen, and in such cases, you have to prevent abuse. 'To do this, you need to implement solutions for multi-factor authentication, identity governance, privileged access, and identity management. In a nutshell, you have to do everything you can to recognize and identify the user of the device so you can be certain you know who they are.'
Identity and the cloud
Finally, these identity-based security measures must be compatible with multicloud security. 'To do this, you could use modern solutions such as a Cloud Access Security Broker (CASB),' says El Haddouchi. 'This solution tells you who is using applications and what they are using them for, wherever the user or application is located. As a result, you can secure the data on site (e.g. via encryption) before it is sent to the cloud environment, so if it happens to get lost or stolen, nobody will be able to access it. This factor has become even more important since the GDPR came into force.'