8 Best Practices for Multi-Cloud Security
By Jonathan Maresky, Product Marketing Manager, CloudGuard IaaS, published December 20, 2019
Back in the early days of the digital transformation, forward-looking organizations could declare they were using one cloud for their Infrastructure-as-a-Service (IaaS) needs. But today, more and more companies are adopting a multi-cloud strategy—using more than one cloud computing service provider.
The move to a multi-cloud strategy has been largely driven by choices; using more than one cloud service provider allows an organization to choose whichever services and capabilities fit their needs best.
For a tangible analogy, consider the current cell phone service provider market; there are multiple providers, all of whom claim to offer different benefits. Many families and businesses have more than one cell service provider, to best meet the needs of each user. Similarly, each organization has a myriad of requirements and certain cloud services meet some of those needs, while other needs can be better met by a different provider. For example, your organization may employ one cloud for HR applications, while business applications run in another cloud.
While a multi-cloud approach offers numerous benefits, there are some pitfalls to be aware of as well. This post will explore the pros and cons of multi-cloud usage, the unique security challenges it poses, and eight best practices to ensure your multi-cloud environment is properly secured.
The Advantages of a Multi-Cloud Strategy
Multi-cloud is quickly becoming the standard, with 84% of organizations that use the cloud employing a multi-cloud strategy. What’s more, these businesses are using a combination of four to five public and private clouds on average. In a 2019 Cloud Security Report, 42% of organizations in the survey reported that their primary cloud deployment strategy is multi-cloud.
It is clear that companies of all sizes are now recognizing the benefits of moving away from the “one-organization, one-cloud” approach to one in which their workloads are distributed among multiple cloud service providers. There are a number of reasons for this, which will be discussed below.
Minimizing Downtime – Reliability and Redundancy
Using a multi-cloud strategy can help prevent downtime and disruptions in case of outages. If you’re running one cloud and your provider goes down, you’re out of luck. For example, on October 22, 2019, AWS was hit with a DDoS attack that affected S3 services. A significant number of websites on the East Coast of the US were fully or partially down for nearly eight hours—the duration of a full business day.
Then in May 2019, a DNS outage impacted a wide range of Microsoft Azure services. Just a handful of the affected services included Azure Active Directory, SharePoint, and OneDrive. The root cause? A misconfigured DNS update, which left a large portion of users without access to these services for almost two hours. And while these examples are from the biggest cloud vendors, there are many other examples from smaller vendors as well.
Obviously a multi-cloud strategy for all of your applications may not be ideal from an operational and infrastructure-cost perspective, but for mission-critical applications it is a must. Clearly, relying on one vendor brings inherent risks. Running applications and workloads that require high availability on multiple cloud providers ensures they won’t fail if one provider does.
Accommodating Peak Usage
Another reason organizations may choose to go the multi-cloud route is to enable cloud bursting. This means that applications on one cloud platform can temporarily burst to another cloud platform that is already in place when demand for computing capacity peaks, or when doing so is more economical.
Cloud bursting comes in handy for retailers in high-demand shopping seasons, or for any other businesses that require short bursts of computing power to meet demand without going down. This may allow teams to scale their clouds to match their workloads and keep costs down with highly discounted services like AWS Spot Instances.
Avoiding Vendor Lock-in
Relying on a single vendor for products and/or services, combined with the inability to move to another platform without incurring hefty fees, is notoriously known as “vendor lock-in.” Lock-in may be directly enforced by the cloud provider, or it may result from technical issues and dependencies.
Lock-in can create a number of issues, especially as companies expand. For example, if you’ve developed your infrastructure on top of one cloud but your organization has grown and you want to move it to a different one, this can be challenging. A multi-cloud approach allows you to avoid lock-in by ensuring another platform is available and can be utilized if and when needed.
Allowing You to Pick and Choose
Using a multi-cloud approach allows you to pick and choose the best of what each platform has to offer. It allows you to create a customized, flexible solution to meet your needs. For example, your organization may wish to use certain machine learning developer tools offered by AWS but prefer Google’s high-speed database services. Multi-cloud gives you the freedom to pick the best components from each provider to create your ideal setup.
And given that over 70% of organizations have a presence in the cloud, it is inevitable that the majority of organizations undergoing a merger or acquisition will have to manage a multi-cloud use case.
The Drawbacks of Multi-Cloud
Multi-cloud may sound like the perfect solution for achieving the cloud deployment of your dreams, but it has a number of drawbacks as well. When bringing more than one provider into the mix, there are a number of important issues that should be taken into account.
Added Complexity
There’s a steep learning curve with even one cloud platform, and it takes a great deal of time and effort to become well versed in it. Having to master and maintain another platform is clearly more challenging.
Lack of Skilled Professionals
The added complexity of multi-cloud makes it more difficult to find developers, security analysts, and engineers with the right skill set to manage the different platforms. They must have the ability to develop across multiple such platforms and they must also be able to secure and manage more than one infrastructure.
Cost Planning
While using multiple clouds can be more cost-effective since you can pick and choose the services needed from each, this also requires a thorough understanding of the pricing structure and cost per service for each provider. With multiple vendors it can be more challenging to track these expenses and your overall costs. And the pricing structure and cost per service are constantly changing.
User Errors
Most security incidents in IaaS/PaaS deployments occur due to lack of knowledge on the part of the cloud consumer. According to Gartner, “Through 2025, 99% of cloud security failures will be the customer’s fault.” In multi-cloud environments, the myriad options and configurations can increase the likelihood of user error. Moreover, in the competitive cloud environment, vendors are constantly changing and improving their services. This makes it difficult for users to keep up.
Difficulty in Choosing the Right Tools
With each provider offering its own set of tools, it can be difficult to determine those that best suit your organization’s needs. And one vendor’s tools don’t match those of the other vendors.
Added Security Challenges
Maintaining multiple clouds means there is a larger landscape to secure and thus a greater chance issues will arise. The following are a few important security challenges to consider when using multiple providers:
- Synchronizing security policies across vendors: With each vendor having its own set of controls, it’s challenging to sync decisions across different platforms in order to ensure consistent policies.
- Visibility: Obtaining visibility into different platforms, each with its own security features and granularity, is particularly complex in multi-cloud environments.
- Monitoring: Each provider offers different monitoring options, but your monitoring must account for the full scope of your entire deployment. Leaving anything out increases the security risk.
- Increased attack surface: Multiple providers means a greater number of services and a larger attack surface, giving attackers more ways to infiltrate.
Best Practices for Multi-Cloud Security
Despite these pitfalls, organizations are increasingly choosing the multi-cloud route. With the many advantages multi-cloud offers and the rapid pace of development in the field, it’s not hard to see why. By implementing the following best practices, organizations can significantly improve the security of their multi-cloud deployments.
- Synchronize policies & settings: If you’re using multi-cloud for availability, with identical operations on two clouds, the same security settings should be maintained across both. This can be achieved by synchronizing policies and settings across providers.
- Use different security policies for different services: If your organization is using different workloads/applications, individual security policies should be created for each service. For example, if you’re planning on setting up a new BI service, the advantages of building it on each platform should be considered first. The security policies should then be based on the chosen platform.
- Automate, automate, automate: Using a system that automates various tasks reduces the human risk factor and allows you to stay agile. But be sure to address automation from not only a DevOps perspective, but a DevSecOps perspective, to ensure that security is a core consideration and driver throughout the entire process.
- Choose the right tools: Find tools and products that allow you to synchronize your security policies across different providers. Your security policies should be written in general terms, with the tools interpreting them based on how your various providers work.
- Monitoring: Establish a security monitoring strategy that consolidates logs, alerts and events from different platforms into one location. Tools that automatically remediate issues, or provide guidance on remediation strategies, are even better.
- Compliance: Find tools to help you maintain compliance in a consistent and efficient way across different platforms.
- Single point of control: Simplify your sprawl by using a “single-pane-of-glass” tool that gives admins a single point of control to manage all application and data security across all their cloud deployments.
- Minimize “point security solutions”: Minimize the number of “point security solutions,” which don’t integrate well together. Each additional point solution requires expert staff as well as new integrations and deployment. This adds to the complexity and increases the likelihood of error.
Similarly, the cloud vendors all provide security services. While these may be beneficial within the vendor’s single cloud deployment, they are insufficient when it comes to securing a multi-cloud deployment. You cannot rely on each cloud provider to only protect its own service (for example, AWS to protect your AWS services, Azure to protect Azure, and so on) and assume you’re getting holistic security coverage. You need a single tool that’s capable of providing unified and consistent coverage across all of your deployments.
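The “synchronize policies & settings” and “choose the right tools” practices above call for security policy written once in provider-neutral terms and then interpreted against each cloud’s own rule format. The following is an added illustration, not code from the original post or from any Check Point product: it normalizes constructed AWS security-group and Azure NSG ingress rules into one shape, evaluates a generic “no public access to port X” policy against both, and reports where the two clouds have drifted apart. The rule layouts mirror the providers’ documented fields but the data itself is invented sample input.

```python
from ipaddress import ip_network

# Constructed sample ingress rules in each provider's own shape (not real accounts).
AWS_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
AZURE_NSG_RULES = [
    {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "destinationPortRange": "22", "sourceAddressPrefix": "*"},
    {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "destinationPortRange": "443", "sourceAddressPrefix": "Internet"},
]
# Provider-neutral policy, written once: ports that must never be open to the Internet.
POLICY = {"no-public-ssh": 22, "no-public-rdp": 3389}

def normalize_aws(rules):
    """Map AWS security-group ingress entries to (low_port, high_port, source_cidr)."""
    out = []
    for r in rules:
        for rng in r.get("IpRanges", []):
            out.append((r["FromPort"], r["ToPort"], rng["CidrIp"]))
    return out

def normalize_azure(rules):
    """Map Azure NSG inbound allow rules to the same tuple shape as normalize_aws."""
    out = []
    for r in rules:
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        ports = r["destinationPortRange"]
        lo, _, hi = ("0-65535" if ports == "*" else ports).partition("-")
        src = r["sourceAddressPrefix"]  # "*" and the Internet service tag mean any source
        out.append((int(lo), int(hi or lo), "0.0.0.0/0" if src in ("*", "Internet") else src))
    return out

def is_public(cidr):
    """Any-source prefixes (0.0.0.0/0, ::/0) have prefix length 0."""
    return ip_network(cidr, strict=False).prefixlen == 0

def evaluate(policy, normalized):
    """Return the names of policy rules that a normalized rule set violates."""
    return sorted(name for name, port in policy.items()
                  if any(lo <= port <= hi and is_public(cidr) for lo, hi, cidr in normalized))

def drift_report(policy, clouds):
    """Per-cloud violations, plus the rules whose status is not identical across clouds."""
    findings = {name: evaluate(policy, norm) for name, norm in clouds.items()}
    sets = [set(v) for v in findings.values()]
    return findings, sorted(set.union(*sets) - set.intersection(*sets))
```

With the sample data, AWS passes both rules while Azure exposes SSH to any source, so the drift list names `no-public-ssh`; in practice the normalizers would be fed from each provider's API rather than inline literals.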
Putting Cloud Security First
Whether or not multi-cloud is the ideal setup, the jury is still out. Every organization must take into account its goals, needs, and limitations—especially when it comes to security—before starting out on a course towards multi-cloud.
The key to a successful multi-cloud security strategy is finding a dedicated multi-cloud security solution that will provide flawless coverage between clouds. And the right tool should be able to be customized to your company’s individual needs, without forcing you into their framework. Choosing a solution that puts your needs first allows you to take advantage of all the benefits multi-cloud has to offer, while maintaining a secure and compliant environment.