#HowTo: Reduce Risk and Complexity in Cloud Networks

An unprecedented era of rapid cloud migration means that most organizations now operate within highly complex, multi-cloud networks that often include hybrid on-premises elements. The flexibility to mix and match assets brings increased agility, but the ‘stitched together’ nature of the resulting environment also increases complexity and risk.  

A lack of visibility and consistent governance across environments can result in blind spots and gaps in security controls, providing attackers ample opportunity to slip through the cracks. 

To remain secure in this vendor-diverse environment, enterprises must address this complexity and risk without compromising the agility that drew them to the cloud in the first place.

Challenges in Managing a Multi-Cloud Network 

One of the biggest challenges in maintaining security and compliance in a multi-cloud environment is that each ecosystem has its own distinct set of security controls and management consoles. Each provider excels at operating its own environment; however, visibility and control cease at the provider’s edge and begin again, with a new set of controls, at the next provider.

It has been estimated that enterprises average two to three public clouds and a similar number of private clouds. Additionally, most enterprises maintain a hybrid network, requiring separate management consoles for each on-premises vendor ecosystem. This forces enterprises to work across five or more disparate management systems, none of which are likely to have been designed to work together.

Processes and people suffer from this wide array of different security solutions. Working across multiple disparate management consoles is time-consuming and creates a breeding ground for misconfigurations and vulnerabilities. Ensuring security policies are uniformly applied across all environments requires intensive manual activity and staff well-trained in each ecosystem. These challenges are exacerbated in the cloud, where completely separate teams are often responsible for cloud security and operations, creating silos of responsibility that increase risk and inhibit agility. Security teams often lack clear visibility and oversight into CI/CD processes.

The Need for Abstraction Layer Cloud Management 

Both the technical and the process challenges created by multiple disparate clouds and a hybrid network ecosystem can be overcome by shifting security and management functions to an abstraction layer. This abstraction layer sits above the individual cloud and on-premises vendor solutions, providing enterprise security teams with holistic oversight and management of the entire hybrid ecosystem.

This abstracted approach allows enterprises to normalize security policies from multiple distinct solutions within a single point of control. Because the abstraction layer is vendor-agnostic, enterprises can select the solution that best addresses the problem they are trying to solve instead of feeling locked into a particular vendor for convenience.

The Value of Cross-Cloud Segmentation 

Segmenting a multi-cloud environment can be highly challenging. Applications and services may span two or more cloud providers and on-premise resources. Cloud environments are highly dynamic. While security would prefer highly granular segmentation, DevOps teams see this as an inhibitor, requiring lengthy change processes to provision new connections. The eternal struggle of security versus agility is only magnified by the cloud. Still, enterprises realize that mitigating risk to an acceptable level mandates some level of cloud segmentation. 

An abstracted approach to cloud security management enables enterprises to design and enforce multi-cloud segmentation strategies which can be applied uniformly across each environment. Security and compliance are no longer constrained by cloud boundaries but instead are enforced consistently across the enterprise’s entire hybrid estate. These same processes can also be extended to virtual third-party security solutions running in the cloud, achieving secure segmentation through various enforcement mechanisms.

Implementing Segmentation Without Changing Workflows 

This abstraction significantly reduces the complexity of automating cloud security policy changes, allowing changes to be pushed through the same process regardless of which cloud environments each individual change touches. DevOps teams can operate quickly but securely: changes that fall within the guardrails established by security are fully automated, and manual review is required only to approve exceptions.

Automation through the abstraction layer can also be leveraged earlier in the CI/CD process to further increase agility and reduce roadblocks in later stages of development. Automated verification of compliance with security guardrails early in the development lifecycle allows insecure configurations to be identified and corrected sooner, allowing faster delivery of more secure applications.
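As an added illustration (not code from the original article, nor from any vendor product it alludes to), the following Python sketches what the normalization described under the abstraction layer, the cross-cloud segmentation model, and the guardrail gate described in the last two sections might look like when run as a CI/CD check: rules from an AWS security group, an Azure NSG and a constructed on-premises firewall export are mapped onto one common model, then evaluated against a hypothetical segmentation map and two guardrails, so that in-policy changes are approved automatically, out-of-policy changes are routed for exception review, and administrative ports exposed to the internet are rejected outright. The segment names, the CIDR-to-segment map, ALLOWED_FLOWS, and the on-premises line format are assumptions made for this example; the AWS and Azure dictionaries use a subset of each provider's rule field names.

```python
"""Illustrative provider-agnostic guardrail gate for network policy changes.

Added example: the segment names, CIDR-to-segment map, ALLOWED_FLOWS and the
on-premises export line format are assumptions for this illustration only.
"""
import ipaddress
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never reachable from the internet

# Hypothetical segmentation model shared by every environment:
# destination segment -> set of sources allowed to reach it.
ALLOWED_FLOWS = {
    "prod-web": {"internet"},
    "prod-app": {"prod-web"},
    "prod-db": {"prod-app"},
}
# Hypothetical address ranges that back each logical segment.
SEGMENT_OF_CIDR = {"10.1.0.0/16": "prod-web", "10.2.0.0/16": "prod-app"}


@dataclass(frozen=True)
class Rule:
    """Normalized ingress rule, independent of which provider it came from."""
    provider: str
    segment: str     # destination segment the rule grants access to
    protocol: str    # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source: str      # "internet", a CIDR string, or a logical segment name


def _ports(spec):
    """'443' -> (443, 443); '1024-65535' -> (1024, 65535); '*' -> (0, 65535)."""
    if spec in ("*", "any"):
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def _source(addr):
    """Collapse each provider's 'anywhere' spelling to 'internet'; keep CIDRs and names."""
    if addr in ("*", "0.0.0.0/0", "::/0", "Internet", "any"):
        return "internet"
    try:
        return str(ipaddress.ip_network(addr, strict=False))
    except ValueError:
        return addr  # not an address: treat as a logical segment name


def from_aws_sg(perm, segment):
    """Subset of an AWS IpPermission: IpProtocol ('-1' = all), FromPort, ToPort, IpRanges[].CidrIp."""
    if perm["IpProtocol"] == "-1":
        proto, lo, hi = "any", 0, 65535
    else:
        proto, lo, hi = perm["IpProtocol"], perm["FromPort"], perm["ToPort"]
    return Rule("aws", segment, proto, lo, hi, _source(perm["IpRanges"][0]["CidrIp"]))


def from_azure_nsg(props, segment):
    """Subset of Azure securityRule properties: protocol ('*' = all), destinationPortRange, sourceAddressPrefix."""
    proto = "any" if props["protocol"] == "*" else props["protocol"].lower()
    lo, hi = _ports(props["destinationPortRange"])
    return Rule("azure", segment, proto, lo, hi, _source(props["sourceAddressPrefix"]))


def from_onprem(line, segment):
    """Constructed on-prem export format: 'permit <proto> <src> eq <port>' or '... range <lo> <hi>'."""
    _, proto, src, kind, *ports = line.split()
    lo, hi = (int(ports[0]), int(ports[0])) if kind == "eq" else (int(ports[0]), int(ports[1]))
    return Rule("onprem", segment, "any" if proto == "ip" else proto, lo, hi, _source(src))


def evaluate(rule):
    """Apply the guardrails to one rule: ('approve' | 'review' | 'reject', reason)."""
    src = SEGMENT_OF_CIDR.get(rule.source, rule.source)
    admin_in_range = rule.protocol in ("tcp", "any") and any(
        rule.port_from <= p <= rule.port_to for p in ADMIN_PORTS)
    if src == "internet" and admin_in_range:
        return "reject", "administrative port reachable from the internet"
    if src not in ALLOWED_FLOWS.get(rule.segment, set()):
        return "review", f"{src} -> {rule.segment} is not an allowed flow; security exception required"
    if (rule.port_from, rule.port_to) == (0, 65535):
        return "review", f"{src} -> {rule.segment} is allowed, but the rule opens every port"
    return "approve", f"{src} -> {rule.segment} {rule.protocol}/{rule.port_from}-{rule.port_to} is within guardrails"


def evaluate_change(rules):
    """Gate a whole change set: any reject blocks it, any review holds it, otherwise it ships."""
    results = [(r.provider, *evaluate(r)) for r in rules]
    decisions = {d for _, d, _ in results}
    overall = "reject" if "reject" in decisions else "review" if "review" in decisions else "approve"
    return overall, results


# Constructed change request touching three environments at once.
SAMPLE_CHANGE = [
    from_aws_sg({"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}, "prod-web"),
    from_onprem("permit tcp 10.2.0.0/16 eq 5432", "prod-db"),
    from_azure_nsg({"protocol": "Tcp", "destinationPortRange": "3389",
                    "sourceAddressPrefix": "*"}, "prod-app"),
]

if __name__ == "__main__":
    overall, results = evaluate_change(SAMPLE_CHANGE)
    for provider, decision, reason in results:
        print(f"{provider:7} {decision:8} {reason}")
    print("change:", overall)
```

The point of the shape is that the guardrails are written once against the normalized `Rule`, so adding a fourth environment means adding one more `from_*` adapter, not a fourth copy of the policy. Run as a pre-merge step, the whole change set is blocked by the single Azure rule that exposes RDP, while the two in-policy rules would have passed without a human in the loop.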

One of the most common value drivers for enterprises moving to the cloud is the agility the cloud can provide; however, achieving the desired level of agility is often elusive. Automating multi-cloud security policy changes through an abstraction layer allows security to move from inhibitor to enabler, significantly reducing the time required to implement changes and increasing business agility.
