A multi-cloud environment offers Federal agencies the advantages of high resiliency combined with the agility to adapt quickly to changing mission and technology requirements. But if migrating workloads to one cloud environment expands the attack surface, imagine how multiple clouds can extend the attack surface even more.
Agencies will need a multifaceted, multi-layered set of solutions that can collect, normalize, and analyze events to help detect threats. The toolsets must have deep integration with private and public cloud platforms as well as with traditional on-premises infrastructure. Additionally, the solutions must detect misconfigurations of cloud resources, which could unintentionally expose data, as well as provide insight about users who have deployed, installed, or leveraged unsanctioned tools, experts say.
“The cloud in and of itself is not unsecure compared to on-premise systems. It actually offers an opportunity to become more secure than what you have on-prem,” said Chris Christou, a principal and director with Booz Allen Hamilton, who leads a team that develops cloud security solutions for civilian and defense agencies as well commercial enterprises.
Cloud providers have a host of security functions built into their platforms, such as asset management, inventory, audit logging, two-factor access controls, connectivity redundancy, and firewalls, to protect their cloud infrastructure. Plus, now there are more automated tools available that give technology managers more continuous visibility across cloud environments, making cloud platforms more secure and resilient, Christou noted.
Automation of tasks offer agencies the opportunity to enhance security across cloud environments. However, the same agility, automation, and flexibility provided by cloud environments, if not implemented properly, can lead to misconfigurations that can compromise systems and expose data.
“It is a double-edge sword, but if you do it right you can actually enhance your security,” Christou said.
Misconfigured systems have always been an issue for information technology administrators implementing new systems as well as updating existing systems, especially if tasks are being performed manually.
“The right tools are there. You can set up the right guardrails such as least privilege access to ensure that only certain individuals have access to change certain things,” Christou explained. Agencies can set up automated compliance tools to make sure that changes to cloud resources follow agency policy and goals.
“So, it is a multifaceted, multi-layered approach to ensure that misconfigurations don’t occur. The tools are there,” Christou said. Booz Allen’s Virtual Cloud Defense platform consists of open source-based, commercial-off-the-shelf platforms that work to help agencies implement security controls, perform situational awareness operations, and comply with government and security standards, including the Federal Risk and Authorization Management Program (FedRAMP) and the Department of Defense’s Cloud Security Requirements Guide.
Road Map Needed
Agencies must also build a road map for multi-cloud adoption. Agency technology managers must understand the dependencies between infrastructure, operating models, and applications, cloud experts say. According to the General Services Administration’s (GSA) 2017 Hybrid Cloud Almanac, the average cloud user operates as many as six different clouds that are distributed across multiple geographies and combine both public and private clouds. Adopting hybrid cloud or multi-cloud configurations effectively involves using best practices observed both in industry and government. The first step, however, is to establish a road map for hybrid and multi-cloud migration.
There is a difference though between hybrid and multi-clouds. A hybrid cloud combines private and public clouds toward the same purpose, unlike a multi-cloud model, in which different clouds are used for different tasks.
Christou advises technology managers to seriously evaluate the advantages and disadvantages of third-party tools that aim to manage similar functionalities across multi-cloud environments. For example, a technology manager might use one tool from Amazon Web Services (AWS) to manage a function within the AWS cloud environment, and a tool from Microsoft to manage a similar function within the company’s Azure cloud.
The technology manager might find a third-party vendor that offers the opportunity to abstract that task and manage the functionality in a common way using a tool across both the cloud environments. “That sounds great. But a lot of the time those third-party tools do not work as well as those native tools you get from the cloud providers,” Christou explained.
The bottom line is that end-to-end security is achievable in multi-cloud environments if done properly with a well-thought-out road map that provides a way for a multifaceted, multi-layered approach for implementing security controls, policies, and technologies.
