A CISO GUIDE TO MULTI-CLOUD SECURITY Achieving Transparent Visibility and Control and Enhanced Risk Management

Transcription

1 A CISO GUIDE TO MULTI-CLOUD SECURITY Achieving Transparent Visibility and Control and Enhanced Risk Management

2 CONTENTS INTRODUCTION 1 SECTION 1: MULTI-CLOUD COVERAGE 2 SECTION 2: MULTI-CLOUD VISIBILITY 5 SECTION 3: MULTI-CLOUD CONTROL 6 SECTION 4: MULTI-CLOUD COST OF OWNERSHIP 7 CONCLUSION 8

3 INTRODUCTION If your organization is one of the 95% of enterprises that operate in the cloud, you are already grappling with cloud security. And if your organization is one of the 85% of companies that use multiple Infrastructureas-a-Service (IaaS) and Software-as-a-Service (SaaS) clouds, you have additional issues to consider. Compared to the days when organizations managed everything on-premises or only had a handful of cloud deployments, this new multi-cloud world exacerbates the expansion of the attack surface and makes threat containment and accountability more difficult. Further, pressure on security teams to protect everything in the multi-cloud environment is leading to reactive and expensive threat management. If you are a security leader tasked with meeting the challenges of a multi-cloud environment, eventually you ll find that siloed cloud security strategies fall short of the mark. But don t wait. Now is the time to consider a holistic security approach that reclaims control from disparate cloud security functions, and gives you the means to see your entire corporate security posture clearly so you can manage it more competently. You can achieve this through a security fabric approach, using a comprehensive suite of threat prevention, detection, and mitigation tools that integrate with all the major cloud services and can be managed within the enterprise from a single pane of glass. 1 INTRODUCTION

4 01 MULTI-CLOUD COVERAGE The public cloud market is dominated by five Infrastructure-as-a-Service (IaaS) and Platform-asa-Service (PaaS) providers. Amazon Web Services (AWS), Google, and Microsoft Azure are the three hyperscale vendors in the market, followed by Oracle and IBM, which are also major players. Most companies are running applications in more than one of these vendors clouds, believing that their corporate infrastructure is stronger if they choose the right cloud for the right application. The same argument applies to security: You need the right security capabilities for each cloud. For IaaS/PaaS. Public cloud providers typically employ a shared responsibility model, where the provider secures the service (infrastructure or platform) but the customer is responsible for what runs on top. To deploy security for applications you run in the public cloud, you need to be able to interface with the specific architecture of each cloud. Because developing these interfaces can be time-consuming and expensive, it makes sense to look for security vendors that have already made that investment and offer cloud-specific versions of these key tools: 2 MULTI-CLOUD COVERAGE

5 Next-generation firewalls Secure web gateways Sandboxing technology Security management tools Of course, all these cloud-specific functions must be able to communicate with one another and be managed from a single pane of glass. (More on this in the next section.) For SaaS. The situation may seem simpler here, since each SaaS provider takes responsibility for the security of its cloud-based applications. Unfortunately, enterprises run, on average, 13 different SaaS applications. 1 If a cyber threat affects one application in one cloud, it can potentially affect your entire organization. Business continuity and compliance are in jeopardy if you don t have security for all your information assets under your direct control. Like IaaS and PaaS providers, SaaS providers vary in their technology implementations. For example, the most popular SaaS applications, Microsoft Office 365 and Google G Suite, are similar in function, but their security frameworks are very different. 2 Complicating matters further, some SaaS applications, such as Salesforce, run in public clouds (AWS in this case), while others run in private data centers. Microsoft, for example, historically ran Office 365 from private data centers, but it is working to move that SaaS app to its Azure cloud. 3 1 Chris Burt, Slack May Be Sexier, but Office 365 Most Used Cloud-Based Business App, The WHIR, March 29, Steve Riley, Office 365 and Google Apps for Work: Security Comparison, Gartner, accessed December 14, Mary Jo Foley, Microsoft is on a quest to move more of its cloud services to Azure, ZDNet, April 21, MULTI-CLOUD COVERAGE

6 The solution here is to apply an overlay of security at the connection points to your SaaS applications, or, for even better performance, from within the cloud service itself. In the case of Office 365, an gateway that you control from the Azure cloud provides antispam and antiphishing, identity-based encryption, and more on top of the Office 365 security provisions. You can apply cloud-based security to other SaaS apps as well if your cloud provider offers cloud access security broker (CASB) subscription services for your security vendors products. These services typically provide visibility, compliance, data security, and threat protection for any CASB-compliant SaaS application you use. The question now becomes, Can you find such tools for every cloud and SaaS application? More important, can they all work together? 4 MULTI-CLOUD COVERAGE

7 02 MULTI-CLOUD VISIBILITY Visibility is a major point of distinction between single- and multi-cloud security. It is challenging enough to coordinate threat management between the corporate network and a single private or public cloud. With applications running in, and accessed through, multiple clouds, the challenges multiply, so coordination and consistency become paramount to achieving a defensible security posture. Consistency and coordination start with a centralized view. You undoubtedly already use one or more security device management consoles. To avoid asking security staffers to learn yet another management tool, an easy first option is to check whether your current next-generation firewall (NGFW) management tool enables staff to view and control other network devices, including those of other vendors. Some security vendors have several network operations center (NOC) or security operations center (SOC) management tools that can provide single-pane-of-glass management for multi-cloud environments. The key is to make sure that the management tool you select does not limit your view of the multi-cloud network or your ability to deploy security policies, perform content security updates and firmware revisions, and configure individual devices. 5 MULTI-CLOUD VISIBILITY

8 03 MULTI-CLOUD CONTROL Centralized management affords visibility, but on its own it doesn t enable coordinated threat management. The security functions you manage cloud-specific firewalls, web access firewalls, gateways, sandboxes, and security information and event management (SIEM) tools all need to be able to communicate with one another to accelerate threat detection and response. Security platforms play a coordinating role, but they work in a hub-and-spoke fashion, first collecting information from connected devices and then processing it, which takes time. With today s rapidly disseminating threats, those precious minutes, and even seconds, can make all the difference in detecting an active threat. You can achieve that only if every device communicates with every other device in real time. One way to minimize latency in threat detection and response coordination is to use virtual security tools that have been approved by your cloud provider and are made available in the cloud environment. For example, a cloud-integrated sandboxing tool that is a component of your security fabric can receive incident objects directly from your gateways or web access firewalls, execute any suspicious code, and rapidly disseminate the results to your management console and to SIEM tools throughout the multi-cloud fabric. The same coordination considerations apply to threat intelligence. To gain the upper hand on zeroday threats in an era of shrinking intrusion-to-breach windows, you must ensure that all your security tools draw on the same threat intelligence and can share information about threats that they detect. Furthermore, they should provide consistency in policy enforcement, and in their approaches to impact mitigation in the case of successful exploits. 6 MULTI-CLOUD CONTROL

9 04 MULTI-CLOUD COST OF OWNERSHIP According to RightScale, optimizing cloud costs is a primary concern for most cloud users. 4 As you adopt multiple clouds, a security fabric can help you minimize the security aspect of your cloud spend through more efficient administration and automation of threat detection and response. When it comes to administration, the centralized management component of the security fabric helps security staff attend to multiple clouds more efficiently, which may allow you to delay hiring additional staff or outsourcing security services. Automation, however, probably deserves a greater portion of your attention, not only because AI-assisted tools are maturing but also because your human staff can t hope to keep pace with AI-assisted cyber crime. Automation covers a wide swath of capabilities, ranging from scaling capacity up or down on demand, to automating failover, to automatically classifying segmenting workloads. Virtualized versions of enterprise and web application firewalls can be automated easily with Fabric-Ready tools, as well as unified threat management functions for smaller organizations. For private clouds, opt for tools that offer integration and orchestration with SDN controllers, such as Cisco ACI and VMware NSX, while in public clouds, look for security solutions that use native orchestration and scripting for example, AWS CloudFormation scripts. For threat detection and response, look for sandboxes that automatically share real-time updates to disrupt threats at the origin, subsequently immunizing the entire organization and the global community. These and other tools are linked through the fabric to threat intelligence services. 4 Kim Weins, Cloud Computing Trends: 2017 State of the Cloud Survey, RightScale, February 15, MULTI-CLOUD COST OF OWNERSHIP

10 CONCLUSION Whether you re already operating in multiple clouds or just considering doing so, now is the time to plan for broad, integrated, and automated multi-cloud threat protection. A security fabric can provide the basis for such protection, enabling you to move beyond prevention to more realistic detection and response strategies. As you assess various multi-cloud security options, keep in mind that a continuous, concerted effort involving you, your security technology vendors, and your cloud providers is the best defense against unpredictably evolving cyber threats. 8 CONCLUSION

11 Copyright 2018 Fortinet, Inc. All rights reserved A-EN