Addressing the Security Requirements of Dynamic Cloud Environments
Cloud computing has changed how organizations consume and deploy IT solutions, especially those that are being relied upon for current remote work initiatives. As a result of this shift to the cloud, compute is rapidly evolving to a utility model that features shared infrastructure at its core. As organizations embrace this new model, where networks, storage, servers, and even the data centers have become shared resources, it is essential that they also understand the risks associated with such a fundamental redesign.
In IDG’s 2020 Cloud Computing study, it was found that 81% of organizations have at least a portion (at least one application) of their computing infrastructure in the cloud, up from 73% in 2018. Furthermore, this same research found that 92% of organizations’ IT environments are at least partially in the cloud today, while only 8% still feature a dedicated on-premises model. As such pervasive reliance on the cloud grows, the threat landscape is adapting to this new reality, not only by becoming more sophisticated and complex, but by expanding to target new networked environments that often have a far less mature security infrastructure in place. Because the cloud has changed the way data flows, defending against traditional cyberattacks is no longer the only thing security teams need to consider. Now, because so many of these systems are interconnected, they must also focus on “east-west” traffic patterns between services inside the cloud, as well as connections to the cloud control plane’s user interface and APIs.
Addressing this challenge requires understanding some essential concepts and even rethinking some traditional assumptions about security. We outline the key elements of an effective cloud security solution below, covering public, private, and hybrid cloud environments.
Public Cloud Security
Until recently, organizations were slow to move to the public cloud, largely because of security-related concerns over sharing systems and networks with unknown third parties. To overcome these concerns, there are two fundamental elements to public cloud security that need to be understood: the shared responsibility model and provider integration.
Shared Responsibility Model
The shared security responsibility model is mainly concerned with the approach that security teams take when securing the cloud. It encompasses the idea that the cloud provider is not responsible for all security in the cloud, but rather that cloud security solutions need to be flexible enough to support the level of protection required by these environments, including issues of performance, scalability, and multi-cloud interoperability.
With cloud adoption, it is essential that organizations understand who is responsible for security – your organization or your cloud provider – and to ensure that certain risks aren’t introduced due to misunderstandings of the shared responsibility.
Assuming that a cloud provider handles everything, including security, is a common mistake among those who are new to public cloud security. In a shared responsibility model, the focus of the provider is to secure the cloud infrastructure and to isolate tenants from one another, so that no tenant presents a risk to the computing power, storage, and networking that others share. Providers should also give customers the ability to implement effective security for the cloud services they consume.
Nearly all traditional security solutions developed before the cloud-enabled world came into existence are unable to provide the necessary levels of visibility across these new environments. These outdated solutions are either appliance- or host-based, and when deployed to secure the more complex and API-driven cloud environment, they often fall short of providing end-to-end visibility and protection. In addition, public cloud security must also seamlessly integrate with provider resources and be cloud native.
Organizations should be able to secure workloads through tight, cloud native integration with multiple cloud services from all major public cloud providers to ensure visibility and control, all while reaping the benefits of scalability, automation, and ultimately time to market that only a fully integrated solution can provide. An organization’s solutions should also allow for centralized management, open API integrations, metering of consumption, automation, and cloud platform orchestration.
Private Cloud Security
Virtualization has played a significant role in the transformation of data centers into agile, innovative, software-defined, and cost-effective private cloud environments. Despite these benefits, though, security is often left as an afterthought when it comes to private cloud deployments. To do its job as effectively as possible, however, a private cloud security solution must naturally support this new software-centric approach.
The growth of Software Defined Networking (SDN) means that networking resources no longer wholly reside on dedicated physical hardware. Instead, they now operate as services that are housed in a data center but that may span across physical and virtual devices and locations. As a result, security is no longer a matter of simply securing hardware. The notion of security must expand to cover services that can be dynamically reconfigured and provisioned based on real time changes to business requirements.
Certified by leading SDN, virtualization, and network function virtualization (NFV) platforms, Fortinet’s software-defined security solution can be applied to any data center that has been transformed into a private or even hybrid cloud environment.
Not all applications are created equal, and while many may share the same physical infrastructure within a private cloud, they do not feature the same level of risk. With this in mind, security solutions must be able to segment these applications and apply the appropriate functions based on the nature of the risk presented. Microsegmentation, which enables the compartmentalization of specific types of traffic, is especially critical as east-west traffic increases in software-defined environments.
Hybrid Cloud Security
Hybrid cloud environments are created by combining public and private clouds. These mixed environments present the most challenges with regard to choosing an effective security solution. With data and other digital assets spanning private and public clouds, visibility across hybrid cloud environments is critical for any security team to get the full picture of their environment and understand the challenges they are facing. End-to-end management, segmentation, and consistent security for connections should be at the top of the list of priorities for any hybrid cloud security solution.
Hybrid cloud environments present a complex, physical-virtual environment that can be difficult to manage, meaning siloed point solutions with individual management interfaces will not suffice. Instead, a cloud security solution must integrate a singular view across all systems operating in the cloud, enabling centralized management. This single-pane management approach must allow for network-wide tracking of data flows and consistent security policy implementation, all while incorporating centralized threat intelligence that will more accurately inform decisions.
For example, with the Fortinet Security Fabric, security teams can enjoy this level of consistent security and visibility across their entire digital attack surface, both on-premises and in multiple clouds. This offering uses native integration with all major cloud providers and private cloud infrastructures to enable automated, centralized management of the entire security infrastructure, all from a single-pane-of-glass view. Additionally, Fortinet Fabric Connectors provide open, API-based integration and orchestration across multiple public cloud providers and private cloud platforms, further enabling security automation and simplified management across a distributed, hybrid environment.
Segmenting traffic and systems across the cloud is most critical when internal resources are on a network that is open to the public or to third parties. Segmentation plays an especially crucial role in minimizing a breach in a mixed (hybrid) environment, since business-critical applications and workloads that are not associated with the hybrid environment can be effectively “walled off” for protection.
In a hybrid cloud environment, data, workflows, and applications need to move between external and internal locations, including third-party services that are connected to internal networks, presenting unique types of risk. A hybrid cloud security solution must provide the right kind of protection for all of these discrete connections based on the unique risk profile of each network connection. As part of its strategy for defending this complex infrastructure, hybrid cloud security must incorporate functionality for on-demand Virtual Private Networks (VPNs) to provide secure temporary access to resources as needed, while still protecting the rest of the network.
Dynamic Cloud Security Environment
Security professionals have watched their world radically change as a result of cloud adoption. Defending a well-defined perimeter against outside threats is no longer the main challenge they face. In this age of cloud-enabled collaboration and individually accessed cloud services, those perimeters have all but vanished. Any security solution that today’s IT professionals choose to protect their networks and data must address the requirements of every possible type of cloud environment – public, private, and hybrid – while minimizing the risks of moving data across a dynamically changing infrastructure.