The data out there about cloud security is grim. Even the security providers are being hacked. The FireEye breach was huge, and the SolarWinds cyber intrusion was a highly advanced backdoor attack. Check Point Software Technologies recently released an interesting study in which they planted a “honeypot” in the cloud for seven days. In that brief timespan, they got almost four million attacks.
It doesn’t matter if your applications were born a minute ago. Hackers can identify new apps as soon as they’re on the internet pipe and wage an immediate attack. Attacks are not a matter of if, but when, and your CIO or CTO is going to ask you what happened and why you didn’t prevent it. What will your answer be?
As a senior solution architect specializing in security for over 20 years, I see far too many security architects acting like cloud security is only partly on their plate. Cloud security is not a shared responsibility between you and your cloud service provider (CSP). It’s ultimately your responsibility. Thinking otherwise can lead to costly mistakes.
The four mistakes you’re probably making
If you’re like most security architects, in the early days of the cloud, you avoided migrating because you thought the cloud wasn’t secure. Then your developers ventured into using the cloud for small, non-production applications. They didn’t pay much attention to security, because they didn’t think it was important and didn’t want to get slowed down by those “extra” steps.
Then, you woke up: The cloud is real. Multi-cloud is real. You faced corporate pressure to take advantage of the agility it offers, and started moving from on-premises to the cloud for your production workloads. But you were left with a serious problem: the inadequacy of your CSP’s native cloud constructs. Think of these as primitive knobs which don’t give you much security control and don’t give you the visibility you need from a compliance perspective.
A misguided attitude about whether the buck stops with you or your CSP when it comes to cloud security leads to four big mistakes that you should fix or avoid, starting today.
Mistake #1: When enterprises begin the migration from on-prem into the cloud, they often don’t think about cloud security holistically. They don’t take an architectural approach or build cloud security into their overall security posture.
Mistake #2: Enterprises often protect the production applications or pre-production applications but forget that development applications also need protection. The SolarWinds hackers exploited this very mistake: they started building or injecting their malicious code during the development process. Security controls in the development environment could have stopped the attack right there.
Mistake #3: Enterprises often fail to keep Next-Generation Firewall (NGFW) inspection in mind. They may think that in a normal production environment, NGFWs are expensive and aren’t needed for east-west traffic, only at the perimeter for egress or ingress traffic; that the CSP-provided L4 stateful firewall and WAF are enough; that application-level TLS encryption is enough. Extra controls will complicate their architecture, the thinking goes, so they skip using NGFWs in places and end up creating holes in their cloud security architecture. Bad idea.
Mistake #4: Enterprises often fail to understand that the security landscape and risk fundamentally change in the cloud. Providing security used to mean building a moat around your infrastructure and protecting the edge. In the cloud, every single application can have internet access, and traditional approaches don’t plug all these new holes. We have to think differently.
Without a cloud security strategy, you lose agility, time, and money. It’s true that effective security takes a long time to figure out and get right, but a failure to do so costs even more time on the back end. You don’t want the auditor to arrive and cancel the project you spent two years on because it was deemed too high a security risk.
I can’t stress enough how important it is to ensure that cloud networking and security go hand in hand. You must get your base network infrastructure architecture 100 percent right from day one. If you didn’t, start fixing it today.
The right approach to cloud security
How do you embrace what’s already in your environment and at the same time bolster what’s there? How do you get your cloud security strategy done without taking shortcuts or impacting time to market? These questions are especially pressing for enterprises that face a skills gap and can’t internally support multi-cloud environments – or even a single-cloud environment.
An important first step is to think about security everywhere. Update your mindset (and help others do the same) and introduce a holistic, matrix-type approach to security. Plan for a layered security model, starting with applications and going all the way to the perimeter, and include automation to help avoid human error.
Second, don’t rely on your CSP’s cloud-native constructs. They’re a black box. How can you protect something you can’t see? Visibility is extremely important. You need to be able to tap into enterprise data, to have eyes and ears that can detect anomalies and let you take actions based on alerts. Our Aviatrix CoPilot platform provides extremely powerful multi-cloud transit visibility for networks.
Finally, consider working with a trusted partner who knows exactly what challenges and limitations you face, one that has helped hundreds of enterprises solve the same business problems. Aviatrix could be that partner, as we’ve helped over 550 enterprises secure their multi-cloud environments.
If you’re ready to learn more, read our Security Architect’s Guide to Multi-Cloud Networking or contact us to discuss our multi-cloud network architecture and cloud security solutions.
Shahzad Ali is Vice President of Customer Solution Architecture at Aviatrix.