Can you use AWS and Azure together?
For example, you could have some of your cloud network’s servers and physical network provided by Amazon Web Services (AWS), but you’ve integrated that with your servers and physical networking that’s provided by Microsoft Azure. The product and service offerings from one cloud services vendor to another could be a bit different, and this is a way that your organization can take advantage of the best of both worlds. Another type of multi-cloud network could involve utilizing a cloud vendor’s software as a service (SaaS) or platform as a service (PaaS) with your own infrastructure or another vendor’s IaaS.
No matter which form your multi-cloud network takes, you’re mixing the technologies and services from one company with technologies and services from another company. It could be the most effective way of fulfilling your organization’s unique cloud networking needs. But getting all of those different entities to work well together takes a bit of careful effort, and properly hardening such a diverse cloud network comes with its own challenges! Each vendor has its own policies and cybersecurity measures. But it is possible to deploy a reasonably secure and compliance-friendly multi-cloud network. Here are eight best practices that you must keep in mind.
Multi-Cloud Security Best Practices
1) Understanding how shared models work
Make sure that your organization’s business partners and other stakeholders understand how the shared security model applies to you and your cloud vendors. Usually, cloud providers are responsible for the security of their own infrastructure, and they should be able to provide your organization with some of the capabilities you need in order to protect your data while it’s in their infrastructure. Those capabilities include multi-factor authentication vectors, encryption technologies, and identity and access management. Your organization will usually be responsible for how you use your data in their infrastructure. Any software that your organization develops or acquires from a third party should be patched and otherwise security hardened by your organization. Your employees should abide by your organization’s information security policies in how they use their data. How you deploy virtual machines and your own necessary security controls is in your hands. Those are the responsibilities of your organization.
2) Choosing the right cloud vendor
You must choose all of your cloud vendors carefully. Read all of the features of their products and services and their own cybersecurity policies. Have a thorough understanding of the cloud vendors you’re deploying now and any you may deploy in the future. Your networking and security staff and all other stakeholders who work with your cloud should understand the details of the vendor services which you use and be involved in the decision-making process when choosing cloud vendors.
3) Understanding accounts and deployment zones
Upholding the responsibilities of your organization’s part of the shared security model requires that you understand the accounts and deployment zones where you need visibility to monitor for vulnerabilities. With that understanding, you can properly deploy IDS and IPS devices and analyze their logs or have a trusted third party take care of that for you while being informed as to what’s going on in your network.
4) Align all the tools
Thoroughly understand how your application in your multi-cloud network works. Make sure that all of the entities in your cloud environment behave compatibly with your various cloud tools. The configuration and deployment of your cloud applications are unique and have their own specific security needs.
5) Harden your applications
A vulnerability and exposures (VnE) manager is essential to acquiring the data that you need to securely harden your applications. You need to carefully consider where you’ll put them so that they’ll work effectively. Should you have one on your premises? Should it be deployed in one of your cloud environments? Do you need each of your cloud environments to have one in order to acquire accurate data? What’s the best fit for your vulnerability scanning needs?
6) Remotely scanning your public cloud is a must
You must be able to remotely scan your public clouds, as they’re not on your premises. Enable remote scanning device profiler virtual images in your public cloud environments.
7) Security is a process, not a product
The security of your multi-cloud network must be assessed on a regular basis because your infrastructure and software will change over time as will the cyber threat environment. Any remediation instructions provided by security testers should be implemented. As Bruce Schneier says, security is a process, not a product!
8) Monitor for change
The security of your cloud services themselves should also be assessed. Tripwire’s Cloud Management Assessor supports both Amazon Web Services and Microsoft Azure. Make sure your configuration of their technologies is secure and monitor for changes that can create vulnerabilities. To learn more about how Tripwire can specifically help you with advanced vulnerability management in a multi-cloud environment, download this guide here.
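One way to monitor for risky configuration change across both providers, as described in item 8 (an added example, not code from the original article or from Tripwire's product): it normalizes inbound rules from an AWS security group and an Azure network security group into one form and reports internet-facing rules that are missing from an approved baseline. The sample rule sets, the baseline and all function names are constructed for illustration.

```python
# Added example: flag newly exposed inbound rules across AWS and Azure.
# All sample data, names and the baseline below are constructed for illustration.
ANY_SOURCE = {"0.0.0.0/0", "::/0", "*", "Internet"}

def aws_rules(group):
    """Yield (cloud, resource, protocol, ports, source) from an AWS security group dict."""
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        ports = "*" if proto == "-1" else (str(lo) if lo == hi else f"{lo}-{hi}")
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            yield ("aws", group["GroupId"], "*" if proto == "-1" else proto, ports, src)

def azure_rules(nsg):
    """Yield the same tuple shape from an Azure NSG dict (inbound allow rules only)."""
    for rule in nsg.get("securityRules", []):
        p = rule.get("properties", rule)  # REST output nests fields; CLI output is flat
        if p.get("direction") != "Inbound" or p.get("access") != "Allow":
            continue
        yield ("azure", nsg["name"], p.get("protocol", "*").lower(),
               p.get("destinationPortRange", "*"), p.get("sourceAddressPrefix", "*"))

def drift(baseline, current):
    """Return internet-facing rules present now but absent from the approved baseline."""
    exposed = {r for r in current if r[4] in ANY_SOURCE}
    return sorted(exposed - set(baseline))

AWS_SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
AZURE_NSG = {"name": "nsg-example", "securityRules": [
    {"name": "allow-rdp", "properties": {"direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "3389", "sourceAddressPrefix": "*"}},
    {"name": "allow-sql-internal", "properties": {"direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "1433", "sourceAddressPrefix": "10.0.0.0/8"}},
]}
BASELINE = [("aws", "sg-0example", "tcp", "443", "0.0.0.0/0")]  # approved exposure

def check():
    """Compare the current rules of both clouds against the baseline."""
    current = list(aws_rules(AWS_SG)) + list(azure_rules(AZURE_NSG))
    return drift(BASELINE, current)

if __name__ == "__main__":
    for finding in check():
        print("NEW EXPOSURE:", finding)
```

In practice the two dictionaries would come from each provider's own export of the rule set, taken on a schedule and compared against a baseline that is kept under change control.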
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.