A CISO GUIDE TO MULTI-CLOUD SECURITY Achieving Transparent Visibility and Control and Enhanced Risk Management


CONTENTS
INTRODUCTION
SECTION 1: MULTI-CLOUD COVERAGE
SECTION 2: MULTI-CLOUD VISIBILITY
SECTION 3: MULTI-CLOUD CONTROL
SECTION 4: MULTI-CLOUD COST OF OWNERSHIP
CONCLUSION

INTRODUCTION

If your organization is one of the 95% of enterprises that operate in the cloud, you are already grappling with cloud security. And if your organization is one of the 85% of companies that use multiple Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) clouds, you have additional issues to consider.

Compared to the days when organizations managed everything on-premises or only had a handful of cloud deployments, this new multi-cloud world exacerbates the expansion of the attack surface and makes threat containment and accountability more difficult. Further, pressure on security teams to protect everything in the multi-cloud environment is leading to reactive and expensive threat management.

If you are a security leader tasked with meeting the challenges of a multi-cloud environment, eventually you'll find that siloed cloud security strategies fall short of the mark. But don't wait. Now is the time to consider a holistic security approach that reclaims control from disparate cloud security functions, and gives you the means to see your entire corporate security posture clearly so you can manage it more competently. You can achieve this through a security fabric approach, using a comprehensive suite of threat prevention, detection, and mitigation tools that integrate with all the major cloud services and can be managed within the enterprise from a single pane of glass.

01 MULTI-CLOUD COVERAGE

The public cloud market is dominated by five Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) providers. Amazon Web Services (AWS), Google, and Microsoft Azure are the three hyperscale vendors in the market, followed by Oracle and IBM, which are also major players. Most companies are running applications in more than one of these vendors' clouds, believing that their corporate infrastructure is stronger if they choose the right cloud for the right application. The same argument applies to security: You need the right security capabilities for each cloud.

For IaaS/PaaS. Public cloud providers typically employ a shared responsibility model, where the provider secures the service (infrastructure or platform) but the customer is responsible for what runs on top. To deploy security for applications you run in the public cloud, you need to be able to interface with the specific architecture of each cloud. Because developing these interfaces can be time-consuming and expensive, it makes sense to look for security vendors that have already made that investment and offer cloud-specific versions of these key tools:

- Next-generation firewalls
- Secure web gateways
- Sandboxing technology
- Security management tools

Of course, all these cloud-specific functions must be able to communicate with one another and be managed from a single pane of glass. (More on this in the next section.)

For SaaS. The situation may seem simpler here, since each SaaS provider takes responsibility for the security of its cloud-based applications. Unfortunately, enterprises run, on average, 13 different SaaS applications. [1] If a cyber threat affects one application in one cloud, it can potentially affect your entire organization. Business continuity and compliance are in jeopardy if you don't have security for all your information assets under your direct control.

Like IaaS and PaaS providers, SaaS providers vary in their technology implementations. For example, the most popular SaaS applications, Microsoft Office 365 and Google G Suite, are similar in function, but their security frameworks are very different. [2] Complicating matters further, some SaaS applications, such as Salesforce, run in public clouds (AWS in this case), while others run in private data centers. Microsoft, for example, historically ran Office 365 from private data centers, but it is working to move that SaaS app to its Azure cloud. [3]

[1] Chris Burt, "Slack May Be Sexier, but Office 365 Most Used Cloud-Based Business App," The WHIR, March 29, 2016.
[2] Steve Riley, "Office 365 and Google Apps for Work: Security Comparison," Gartner, accessed December 14, 2017.
[3] Mary Jo Foley, "Microsoft is on a quest to move more of its cloud services to Azure," ZDNet, April 21, 2016.

The solution here is to apply an overlay of security at the connection points to your SaaS applications, or, for even better performance, from within the cloud service itself. In the case of Office 365, an email gateway that you control from the Azure cloud provides antispam and antiphishing, identity-based encryption, and more on top of the Office 365 security provisions.

You can apply cloud-based security to other SaaS apps as well if your cloud provider offers cloud access security broker (CASB) subscription services for your security vendors' products. These services typically provide visibility, compliance, data security, and threat protection for any CASB-compliant SaaS application you use.

The question now becomes, Can you find such tools for every cloud and SaaS application? More important, can they all work together?

02 MULTI-CLOUD VISIBILITY

Visibility is a major point of distinction between single- and multi-cloud security. It is challenging enough to coordinate threat management between the corporate network and a single private or public cloud. With applications running in, and accessed through, multiple clouds, the challenges multiply, so coordination and consistency become paramount to achieving a defensible security posture.

Consistency and coordination start with a centralized view. You undoubtedly already use one or more security device management consoles. To avoid asking security staffers to learn yet another management tool, an easy first option is to check whether your current next-generation firewall (NGFW) management tool enables staff to view and control other network devices, including those of other vendors.

Some security vendors have several network operations center (NOC) or security operations center (SOC) management tools that can provide single-pane-of-glass management for multi-cloud environments. The key is to make sure that the management tool you select does not limit your view of the multi-cloud network or your ability to deploy security policies, perform content security updates and firmware revisions, and configure individual devices.

03 MULTI-CLOUD CONTROL

Centralized management affords visibility, but on its own it doesn't enable coordinated threat management. The security functions you manage (cloud-specific firewalls, web access firewalls, email gateways, sandboxes, and security information and event management (SIEM) tools) all need to be able to communicate with one another to accelerate threat detection and response.

Security platforms play a coordinating role, but they work in a hub-and-spoke fashion, first collecting information from connected devices and then processing it, which takes time. With today's rapidly disseminating threats, those precious minutes, and even seconds, can make all the difference in detecting an active threat. You can achieve that only if every device communicates with every other device in real time.

One way to minimize latency in threat detection and response coordination is to use virtual security tools that have been approved by your cloud provider and are made available in the cloud environment. For example, a cloud-integrated sandboxing tool that is a component of your security fabric can receive incident objects directly from your email gateways or web access firewalls, execute any suspicious code, and rapidly disseminate the results to your management console and to SIEM tools throughout the multi-cloud fabric.

The same coordination considerations apply to threat intelligence. To gain the upper hand on zero-day threats in an era of shrinking intrusion-to-breach windows, you must ensure that all your security tools draw on the same threat intelligence and can share information about threats that they detect. Furthermore, they should provide consistency in policy enforcement, and in their approaches to impact mitigation in the case of successful exploits.

04 MULTI-CLOUD COST OF OWNERSHIP

According to RightScale, optimizing cloud costs is a primary concern for most cloud users. [4] As you adopt multiple clouds, a security fabric can help you minimize the security aspect of your cloud spend through more efficient administration and automation of threat detection and response.

When it comes to administration, the centralized management component of the security fabric helps security staff attend to multiple clouds more efficiently, which may allow you to delay hiring additional staff or outsourcing security services.

Automation, however, probably deserves a greater portion of your attention, not only because AI-assisted tools are maturing but also because your human staff can't hope to keep pace with AI-assisted cyber crime. Automation covers a wide swath of capabilities, ranging from scaling capacity up or down on demand, to automating failover, to automatically classifying and segmenting workloads. Virtualized versions of enterprise and web application firewalls can be automated easily with Fabric-Ready tools, as well as unified threat management functions for smaller organizations.

For private clouds, opt for tools that offer integration and orchestration with SDN controllers, such as Cisco ACI and VMware NSX, while in public clouds, look for security solutions that use native orchestration and scripting (for example, AWS CloudFormation scripts).

For threat detection and response, look for sandboxes that automatically share real-time updates to disrupt threats at the origin, subsequently immunizing the entire organization and the global community. These and other tools are linked through the fabric to threat intelligence services.

[4] Kim Weins, "Cloud Computing Trends: 2017 State of the Cloud Survey," RightScale, February 15, 2017.

CONCLUSION

Whether you're already operating in multiple clouds or just considering doing so, now is the time to plan for broad, integrated, and automated multi-cloud threat protection. A security fabric can provide the basis for such protection, enabling you to move beyond prevention to more realistic detection and response strategies. As you assess various multi-cloud security options, keep in mind that a continuous, concerted effort involving you, your security technology vendors, and your cloud providers is the best defense against unpredictably evolving cyber threats.

www.fortinet.com Copyright 2018 Fortinet, Inc. All rights reserved. 03.27.18 167340-0-A-EN