How To Implement Security In The Multi-Cloud Era?
By C.J. Radford, Global VP, Thales E-Security
Getting Trapped in the Ecosystem
It comes as no surprise that cloud service providers (CSPs) want customers to use their services exclusively. To achieve this, CSPs offer a broader set of services to become the de facto cloud provider to organizations. The idea is to offer a wide selection of IT services to fulfill as many use cases as possible for the organization. The more services the organization relies upon the cloud provider for, the harder it is to move to a different provider.
Trapping the organization is great from the CSP perspective, as it collects maximum spend from the organization. If the provider has a rich ecosystem of solutions that are specific to that provider only, this also traps organizations. The CSP wants the organization to consume not only native services but also solutions that are purpose-built for that specific cloud provider, again making it harder to leave.
There are also sales and economics tactics that make it difficult for organizations to leave service providers. For example, CSPs typically offer a lower price for data transfers coming into a CSP (low price of entry) versus the price to move data out of the provider (higher price to exit). Another example is that some cloud providers like to lock organizations into multi-year commitments of minimum use and/or forced cost increases in the outer years of a multi-year agreement regardless of use.
However, service providers are beginning to learn that many enterprise organizations want to adopt a multi-cloud strategy, and some service providers are embracing this trend.
For example, Rackspace, as a managed service provider, offers managed cloud capabilities to enterprises, where enterprises can choose to leverage the cloud services of Microsoft Azure or Amazon Web Services.
Single-Cloud + Security
If a business chooses a single cloud provider for its applications and data, it could be positive for the business, particularly if they don’t have security knowledge. Let me explain. A large cloud provider typically has a much larger and deeper pool of IT security talent than all but the largest enterprises can field to protect their organizations. Inherently, all CSPs have some security included in their service offerings, and some security is better than no security.
However, concerns about using cloud environments are still quite high, although they have dropped somewhat from a year ago, typically in the range of 8-12 percent from last year (according to the 2017 Thales Data Threat Report – Advanced Technology Edition). Perhaps this is because most reported problems for cloud environments have stemmed from a compromised credential or account at the enterprise level, and not the cloud provider.
For those companies who have significant security knowledge and follow security best practices (mainly Fortune 1000 businesses and governments), a single-cloud approach could have adverse effects on security. These companies need to use the “best-of-breed” security solutions on their data that is stored in the cloud, versus native solutions that are not considered “best of breed” or don’t meet stringent compliance frameworks.
Avoiding the Trap with a Multi-Cloud Approach and Portable Security Solutions
As part of the strategy towards using the cloud, enterprises need to factor in a multi-cloud requirement from the get-go. Enterprises should consider at least two cloud providers, not only to keep pricing in check but also to take advantage of the innovation that each service provider has to offer to advance the business of the enterprise. This essentially forces the enterprise from day 1 to not place all eggs in one basket, which is too risky a strategy. Recent cloud outages have proven that redundancy of mission-critical applications is essential.
Additionally, enterprises should look at best-of-breed independent software vendor solutions that are portable from one cloud provider to another to ease any transitions needed in the future – and to fight vendor lock-in. These solutions should span not only security but also data management, identity and access management, applications, databases, developer tools, analytics and so on.
Whether your organization opts for a single-cloud or multi-cloud strategy, the security of any cloud service depends on the level of protection given to the cryptographic keys used to protect and encrypt sensitive data. These keys are the root of trust in an enterprise’s entire system – if they are lost, so is the data. If they are stolen, secrets might not stay secret for long.