
How to protect your multicloud?

Fabien Gilis, network and security expert


Cloud adoption is accelerating as IaaS, PaaS and SaaS solutions mature and companies seek to make their IT infrastructure more agile and cost-effective. Currently, the biggest factors limiting adoption are security and compliance. Recent studies have shown that 90% of organisations that are moving to the cloud, or are considering a move, are concerned or very concerned about security; the specific concerns are general security, data loss and leakage, and loss of control. Regulations such as GDPR also constrain where data and applications can be placed and what level of protection is required.

Traditional security architectures are based on a separation between public and private networks, with one or a limited number of connection points between them. These connection points are secured with perimeter defence solutions, and internal data and applications are not accessible from the outside except through an extension of that perimeter, such as a VPN connection to a secured host or location.

Under the shared-responsibility model, a cloud provider secures the physical facilities and the underlying platform, and offers availability features such as DDoS protection. The security of your systems, identities, data and applications remains your responsibility, to an extent that depends on the service model: almost everything above the hypervisor with IaaS, progressively less with PaaS and SaaS. Security tools are provided (security groups, network ACLs and the like), but they have to be configured, and by default they provide only basic network-level filtering.

A new approach to security

“A chain is only as strong as its weakest link” is a popular saying, and very relevant to security. Most cloud deployments (71%) are hybrid, which means that data and applications can be inside or outside your corporate perimeter at any time. Regardless of where they are, security must be at the same robust level. Different security concerns require different approaches to implementing security, and a hybrid estate also creates new challenges in terms of visibility, management and reporting.

It is possible to make the cloud a virtual extension of your internal perimeter, for example over a site-to-site VPN or a dedicated interconnect, with all cloud traffic routed back through the corporate perimeter. Implementing this is relatively easy and can be done with standard functionality offered by most cloud providers, but it only applies to IaaS and it counteracts most of the benefits of cloud-based solutions: every access to the cloud then traverses your data centre.

A more scalable approach is to create direct access points into the cloud. This offloads your data centre and is more resilient, but each access point is an additional entry point that needs securing. A protection layer between the two silos, on-premises and cloud, is also recommended.

The type and extent of security measures required depend on what needs to be secured. Applications and data are accessed from outside the perimeter, often with devices that are not under your control, so security decisions are no longer only about who has access to what, but also with what device, from where, and what they can do with the data.

Available multicloud protection solutions

Various solutions for securing multicloud architectures are available today, ranging from simple network security to full content and context-aware security. Each comes with a price tag in terms of the acquisition, but more importantly in terms of (operational) complexity. Some of the most common security solutions in use today are:

Stateful firewalls

Stateful firewalls provide basic network security: they allow connections between endpoints only for sanctioned protocols and ports, track the state of each connection, and admit return traffic only for connections they have seen being established. They make no judgement about what is actually carried inside a sanctioned connection.

Next-generation firewalls (NGFW)

NGFWs take network security a step further. In addition to allowing sanctioned protocols and ports, they identify the actual application being used, regardless of the port it travels over, and the type of data being transferred. Next-generation firewalls also make it easier to map users to endpoints, so policy can be expressed in terms of who has access to what, and how.
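The difference between the three filter generations described above (stateless ACL, stateful firewall, NGFW) is easiest to see on the same traffic. The following is an added example, not the article's or any vendor's code: a toy implementation of each model run over constructed packets. The IP addresses are RFC 5737 documentation ranges, and the application signatures (a TLS record header, an SSH identification string) are a deliberately minimal assumption, not a real detection engine.

```python
"""Stateless ACL, stateful firewall and NGFW-style app identification run over the
same constructed traffic. Added example, not the article's code; the addresses are
RFC 5737 documentation ranges and the app signatures are deliberately minimal."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    proto: str
    src: str          # CIDR
    dst: str          # CIDR
    sport: int = -1   # -1 matches any port
    dport: int = -1
    app: str = ""     # NGFW only: the application this rule sanctions

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.sport in (-1, pkt.sport) and rule.dport in (-1, pkt.dport))

class StatelessFilter:
    """Judges each packet on its own headers; has no notion of a connection."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
    def process(self, pkt: Packet) -> str:
        return "ALLOW" if any(rule_matches(r, pkt) for r in self.rules) else "DROP"

class StatefulFirewall:
    """Only a TCP SYN may open a connection; replies are admitted by matching the
    reversed 5-tuple in the connection table, not by a separate inbound rule."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.conntrack: Dict[FlowKey, Rule] = {}
    def lookup(self, pkt: Packet) -> Optional[Rule]:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return self.conntrack.get(fwd) or self.conntrack.get(rev)
    def process(self, pkt: Packet) -> str:
        if self.lookup(pkt) is not None:
            return "ALLOW:established"
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "DROP:no-state"      # mid-stream packet for a connection never opened
        for rule in self.rules:
            if rule_matches(rule, pkt):
                self.conntrack[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = rule
                return "ALLOW:new"
        return "DROP:policy"

def identify_app(payload: bytes) -> str:
    """Minimal signature set (assumption: sufficient for the demo, not a real engine)."""
    if payload[:2] == b"\x16\x03":      # TLS record: handshake type, version 3.x
        return "tls"
    if payload.startswith(b"SSH-"):     # SSH identification string
        return "ssh"
    return "unknown"

class NextGenFirewall(StatefulFirewall):
    """Stateful, plus: data on an established flow must be the application the
    matching rule sanctioned, whatever port it travels on."""
    def process(self, pkt: Packet) -> str:
        rule = self.lookup(pkt)
        if rule is not None and rule.app and pkt.payload:
            app = identify_app(pkt.payload)
            if app != rule.app:
                return f"DROP:app-mismatch({app} on {pkt.dport})"
        return super().process(pkt)

def demo() -> Dict[str, Tuple[str, ...]]:
    internal, anywhere = "10.0.0.0/24", "0.0.0.0/0"
    outbound_https = Rule("tcp", internal, anywhere, dport=443, app="tls")
    # A stateless ACL cannot recognise replies, so it must also open the return
    # path: anything from source port 443 to internal ephemeral ports.
    return_path = Rule("tcp", anywhere, internal, sport=443)
    engines = (StatelessFilter([outbound_https, return_path]),
               StatefulFirewall([outbound_https]), NextGenFirewall([outbound_https]))
    traffic = [   # constructed packets, processed in order by every engine
        ("client SYN", Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, syn=True)),
        ("server SYN-ACK", Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True)),
        ("SSH tunnelled over 443", Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443,
                                         ack=True, payload=b"SSH-2.0-OpenSSH_9.6")),
        ("spoofed source port 443", Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 51000, ack=True)),
        ("unsolicited SSH", Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 22, syn=True)),
    ]
    return {name: tuple(e.process(pkt) for e in engines) for name, pkt in traffic}
```

Running `demo()` shows the two points the text makes. The stateless ACL has to open a permanent hole for return traffic (any source port 443 into the internal range), so the spoofed packet with source port 443 is allowed; the stateful firewall drops it because no tracked connection exists. Both of those engines allow SSH carried inside the sanctioned port 443 connection, while the NGFW drops it because the payload is not the application the rule sanctions. A real engine would also tear down the tracked connection on that drop; the toy leaves it in place for brevity.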

Data loss prevention (DLP)

DLP increases the security level provided by an NGFW in that it does not merely allow or block an application. It actively inspects the data being transferred and can flag or block content that is prohibited, for example payment card numbers or documents classified as confidential. It can also provide visibility into what data is located where, allowing security measures to be aligned accordingly.
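The content-inspection step of a DLP engine, as an added example that is not the article's or any product's code: find payment card numbers in outbound text, discard the regex false positives with the Luhn check (which every genuine PAN passes and most random digit runs fail), and return a verdict with the matched numbers masked so the alert itself does not leak them. The sample documents are constructed; the card number in them is the well-known Visa test PAN 4111 1111 1111 1111.

```python
"""Content inspection of the kind a DLP engine performs: find payment card
numbers in outbound text, discard regex false positives with the Luhn check,
and decide whether the transfer may proceed. Added example, not the article's
code; the sample documents are constructed and use the test PAN 4111...1111."""
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check (ISO/IEC 7812). Every real PAN passes; most order
    numbers, ticket IDs and other digit runs do not, so they drop out here."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so logs and alerts do not leak the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect(text: str) -> Dict[str, object]:
    """Return the DLP verdict for one outbound message or file body."""
    findings: List[str] = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            findings.append(mask_pan(digits))
    return {"verdict": "BLOCK" if findings else "ALLOW", "pans": findings}


# Constructed outbound content: one real (test) PAN, one 16-digit order number that
# the regex matches but Luhn rejects, and a phone number too short to be a candidate.
SAMPLES = {
    "expense_report": "Paid with card 4111 1111 1111 1111, receipt attached.",
    "order_export": "Order 1234-5678-9012-3456 shipped to warehouse B.",
    "contact_list": "Call +33 1 23 45 67 89 for support.",
}


def scan_samples() -> Dict[str, Dict[str, object]]:
    return {name: inspect(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:15} {result['verdict']:5} {result['pans']}")
```

Only the expense report is blocked; the order export contains a 16-digit number that a regex alone would flag, which is exactly the false positive that makes naive DLP rules unusable in practice. Production engines add what this toy omits: exact-match fingerprints of known documents, contextual keywords to raise confidence, and classification labels applied by the author.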

Cloud access security brokers (CASB)

A CASB addresses the issues that arise when companies start using cloud-based applications and data is no longer contained inside company boundaries. It sits between users and the cloud services they use, either as a proxy in the traffic path or through the services' APIs. In addition to getting to grips with what data enters and leaves your organisation, a CASB can also control where that data is sent and in what format.

Endpoint security

Traditionally, endpoint security solutions were limited to blocking malicious content on the end device. The current generation also controls what data is stored on the endpoint and what can be done with it. If the device is stolen or otherwise compromised, the data can be made inaccessible, for example by wiping it remotely or revoking its encryption keys, limiting the impact of such an event.


Each of these solutions offers a different security level, possibly at the expense of performance and application usability, and each carries a different level of CAPEX and OPEX for your organisation. Each needs to be placed at strategic locations within your IT infrastructure to maximise effectiveness. Multiple solutions in multiple locations also require a management solution that ensures consistent policy, gives visibility into possible weak spots and reports anomalies immediately. That security management platform can also be the point where compliance audits are automated.
