A multi-cloud network is a cloud network that spans more than one cloud service provider. The most straightforward form uses multiple infrastructure as a service (IaaS) vendors.
For example, some of your cloud network’s servers and networking could be provided by Amazon Web Services (AWS), integrated with servers and networking provided by Microsoft Azure. The product and service offerings differ somewhat from one cloud vendor to another, and mixing them lets your organization take advantage of the best of both worlds.
Another type of multi-cloud network could involve utilizing a cloud vendor’s software as a service (SaaS) or platform as a service (PaaS) with your own infrastructure or another vendor’s IaaS.
No matter which form your multi-cloud network takes, you’re mixing the technologies and services from one company with technologies and services from another company. It could be the most effective way of fulfilling your organization’s unique cloud networking needs.
But getting all of those different entities to work well together takes careful effort, and properly hardening such a diverse cloud network comes with its own challenges. Each vendor has its own policies, its own security controls, and its own APIs and tooling for configuring them.
It is still possible to deploy a reasonably secure and compliance-friendly multi-cloud network. Here are eight best practices to keep in mind.
Multi-Cloud Security Best Practices
1. Make sure that your organization’s business partners and other stakeholders understand how the shared responsibility model (often called the shared security model) applies to you and each of your cloud vendors.
Cloud providers are generally responsible for the security of their own infrastructure, and they provide some of the capabilities you need to protect your data while it is in that infrastructure: multi-factor authentication options, encryption services, and identity and access management. Where the line falls depends on the service model. With IaaS the provider secures the physical hosts, network, and hypervisor; with PaaS and SaaS the provider also takes on the operating system, runtime, or application, and your share shrinks to identities, data, and configuration.
Your organization is responsible for what you put into that infrastructure and how you use it. Any software your organization develops or acquires from a third party must be patched and otherwise hardened by your organization, not the provider.
Your employees should abide by your organization’s information security policies in how they handle its data. How you deploy virtual machines, how you configure the provider’s services, and which additional security controls you add are in your hands. Those are your organization’s responsibilities, and in a multi-cloud network you carry them separately for each provider.
2. You must choose all of your cloud vendors carefully.
Review the features of their products and services and their own security policies, including their rules on vulnerability scanning and penetration testing of tenant resources. Have a thorough understanding of the cloud vendors you are deploying now and any you may deploy in the future. Your networking and security staff, and all other stakeholders who work with your cloud, should understand the details of the vendor services you use and be involved in the decision-making process when choosing cloud vendors.
3. Upholding your organization’s side of the shared responsibility model requires knowing which accounts and deployment zones (AWS accounts and regions, Azure subscriptions and resource groups, and the virtual networks within them) you need visibility into in order to monitor for vulnerabilities. With that inventory in hand, you can deploy IDS and IPS sensors where they will actually see traffic and analyze their logs, or have a trusted third party do so while keeping you informed about what is happening in your network. Note that in a public cloud you cannot tap the physical network: intrusion detection there means virtual appliances, host-based agents, or the provider’s own flow logs and audit logs, and each provider delivers these differently.
4. Thoroughly understand how your application works across your multi-cloud network. Make sure that every component in your cloud environment works correctly with the security and management tools you use in each cloud. The configuration and deployment of your cloud applications are unique to you and have their own specific security needs.
5. A vulnerability and exposures (VnE) manager is essential for gathering the data you need to harden your applications and hosts.
Consider carefully where you will place it so that it works effectively. Should you have one on your premises? Should it be deployed in one of your cloud environments? Does each cloud environment need its own in order to produce accurate data? Keep in mind that a scanner outside a given cloud sees only what that provider’s network controls expose to it, while one inside the environment sees the internal attack surface as well. Choose the placement that best fits your vulnerability scanning needs.
6. You must be able to remotely scan your public clouds, as they are not on your premises. Deploy remote-scanning device profiler virtual images inside each public cloud environment so that scans originate within the provider’s network, and confirm beforehand that the scanning you plan is permitted under that provider’s policy.
7. The security of your multi-cloud network must be assessed on a regular basis because your infrastructure and software will change over time as will the cyber threat environment. Any remediation instructions provided by security testers should be implemented. As Bruce Schneier says, security is a process, not a product!
8. The security of your cloud services themselves should also be assessed. Tripwire’s Cloud Management Assessor now supports both Amazon Web Services and Microsoft Azure. Make sure your configuration of each provider’s technologies is secure, and monitor for configuration changes that introduce vulnerabilities, such as a security group or network security group rule that opens an administrative port to the Internet, or a storage bucket or account that is switched to public access.
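As an added, constructed illustration of what practices 3 and 8 mean in practice (this is example code written for this article, not Tripwire’s code and not how Cloud Management Assessor works internally): the script below assesses simplified AWS and Azure configuration snapshots for two common misconfigurations, then compares the findings against a baseline snapshot so that only the changes that introduced risk are reported. The snapshot shapes, account and subscription IDs, resource names, and the two check rules are all assumptions made for the example; real provider API output is richer, and real NSG rules also carry port ranges and lists, which this code does not handle.

```python
"""Assess AWS and Azure configuration snapshots for risky settings and flag
findings absent at baseline, i.e. configuration changes that introduced risk.
Snapshots below are constructed for the example, not real provider output."""
import copy
from dataclasses import dataclass
from typing import Callable, Dict, Set

ADMIN_PORTS = {22, 3389}  # SSH and RDP: should never be open to the whole Internet
# Source values that mean "anyone": AWS CIDRs plus the Azure NSG wildcards.
ANY_SOURCE = {"0.0.0.0/0", "::/0", "*", "Internet"}


@dataclass(frozen=True)
class Finding:
    provider: str  # "aws" or "azure"
    account: str   # AWS account ID or Azure subscription ID (assumed values)
    resource: str
    rule: str


# Constructed baseline snapshot: one known, accepted finding (the legacylogs
# storage account) and otherwise clean configuration.
BASELINE = {
    "aws": {
        "account": "111111111111",
        "security_groups": [
            {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
            {"id": "sg-admin", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
        ],
        "s3_buckets": [{"name": "app-assets", "public": False}],
    },
    "azure": {
        "subscription": "00000000-0000-0000-0000-000000000001",
        "network_security_groups": [{"name": "nsg-app", "rules": [
            {"name": "allow-https", "direction": "Inbound", "access": "Allow",
             "dest_port": "443", "source": "Internet"},
            {"name": "allow-rdp", "direction": "Inbound", "access": "Allow",
             "dest_port": "3389", "source": "10.0.0.0/8"},
            {"name": "egress-ssh", "direction": "Outbound", "access": "Allow",
             "dest_port": "22", "source": "*"},  # outbound: not an exposure
        ]}],
        "storage_accounts": [
            {"name": "appdata", "allow_blob_public_access": False},
            {"name": "legacylogs", "allow_blob_public_access": True},
        ],
    },
}

# Constructed "current" snapshot: three risky changes made since the baseline.
CURRENT = copy.deepcopy(BASELINE)
CURRENT["aws"]["security_groups"][1]["ingress"][0]["cidr"] = "0.0.0.0/0"    # SSH to world
CURRENT["aws"]["s3_buckets"][0]["public"] = True                            # bucket public
CURRENT["azure"]["network_security_groups"][0]["rules"][1]["source"] = "*"  # RDP to world


def assess_aws(snapshot: Dict) -> Set[Finding]:
    acct, out = snapshot["account"], set()
    for sg in snapshot["security_groups"]:
        for r in sg["ingress"]:
            if r["port"] in ADMIN_PORTS and r["cidr"] in ANY_SOURCE:
                out.add(Finding("aws", acct, sg["id"], f"port {r['port']} open to any source"))
    for b in snapshot["s3_buckets"]:
        if b["public"]:
            out.add(Finding("aws", acct, b["name"], "bucket allows public access"))
    return out


def assess_azure(snapshot: Dict) -> Set[Finding]:
    acct, out = snapshot["subscription"], set()
    for nsg in snapshot["network_security_groups"]:
        for r in nsg["rules"]:
            if r["direction"] != "Inbound" or r["access"] != "Allow":
                continue  # only inbound allow rules expose a service
            port = r["dest_port"]
            exposed = port == "*" or (port.isdigit() and int(port) in ADMIN_PORTS)
            if exposed and r["source"] in ANY_SOURCE:
                out.add(Finding("azure", acct, f"{nsg['name']}/{r['name']}",
                                f"port {port} open to any source"))
    for sa in snapshot["storage_accounts"]:
        if sa["allow_blob_public_access"]:
            out.add(Finding("azure", acct, sa["name"], "storage account allows public blob access"))
    return out


ASSESSORS: Dict[str, Callable[[Dict], Set[Finding]]] = {"aws": assess_aws, "azure": assess_azure}


def assess_all(snapshots: Dict[str, Dict]) -> Set[Finding]:
    """Run each provider's checks and return findings keyed by provider and account."""
    findings: Set[Finding] = set()
    for provider, snap in snapshots.items():
        findings |= ASSESSORS[provider](snap)
    return findings


def new_findings(baseline: Dict[str, Dict], current: Dict[str, Dict]) -> Set[Finding]:
    """Findings present now but not at baseline: the changes that need attention."""
    return assess_all(current) - assess_all(baseline)


if __name__ == "__main__":
    for f in sorted(new_findings(BASELINE, CURRENT), key=lambda f: (f.provider, f.resource)):
        print(f"[{f.provider} {f.account}] {f.resource}: {f.rule}")
```

Running the script reports the three newly introduced findings (the opened SSH rule, the public bucket, and the opened RDP rule) and stays silent about the pre-existing legacylogs exposure, which is already in the baseline. In a real deployment the snapshots would come from each provider’s APIs, the baseline would be the last reviewed state, and the set of checks would be far larger; the structure, per-provider assessors feeding one normalized finding type that can be diffed over time, is the part worth keeping.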
To learn more about how Tripwire can specifically help you with advanced vulnerability management in a multi-cloud environment, download this guide here.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.