A CISO GUIDE TO MULTI-CLOUD SECURITY Achieving Transparent Visibility and Control and Enhanced Risk Management
CONTENTS
INTRODUCTION
SECTION 1: MULTI-CLOUD COVERAGE
SECTION 2: MULTI-CLOUD VISIBILITY
SECTION 3: MULTI-CLOUD CONTROL
SECTION 4: MULTI-CLOUD COST OF OWNERSHIP
CONCLUSION
INTRODUCTION

If your organization is one of the 95% of enterprises that operate in the cloud, you are already grappling with cloud security. And if your organization is one of the 85% of companies that use multiple Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) clouds, you have additional issues to consider. Compared to the days when organizations managed everything on-premises or only had a handful of cloud deployments, this new multi-cloud world exacerbates the expansion of the attack surface and makes threat containment and accountability more difficult. Further, pressure on security teams to protect everything in the multi-cloud environment is leading to reactive and expensive threat management.

If you are a security leader tasked with meeting the challenges of a multi-cloud environment, eventually you’ll find that siloed cloud security strategies fall short of the mark. But don’t wait. Now is the time to consider a holistic security approach that reclaims control from disparate cloud security functions, and gives you the means to see your entire corporate security posture clearly so you can manage it more competently. You can achieve this through a security fabric approach, using a comprehensive suite of threat prevention, detection, and mitigation tools that integrate with all the major cloud services and can be managed within the enterprise from a single pane of glass.
SECTION 1: MULTI-CLOUD COVERAGE

The public cloud market is dominated by five Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) providers. Amazon Web Services (AWS), Google, and Microsoft Azure are the three hyperscale vendors in the market, followed by Oracle and IBM, which are also major players.

Most companies are running applications in more than one of these vendors’ clouds, believing that their corporate infrastructure is stronger if they choose the right cloud for the right application. The same argument applies to security: You need the right security capabilities for each cloud.
For IaaS/PaaS. Public cloud providers typically employ a shared responsibility model, where the provider secures the service (infrastructure or platform) but the customer is responsible for what runs on top. To deploy security for applications you run in the public cloud, you need to be able to interface with the specific architecture of each cloud. Because developing these interfaces can be time-consuming and expensive, it makes sense to look for security vendors that have already made that investment and offer cloud-specific versions of these key tools:

• Next-generation firewalls
• Secure web gateways
• Sandboxing technology
• Security management tools

Of course, all these cloud-specific functions must be able to communicate with one another and be managed from a single pane of glass. (More on this in the next section.)
For SaaS. The situation may seem simpler here, since each SaaS provider takes responsibility for the security of its cloud-based applications. Unfortunately, enterprises run, on average, 13 different SaaS applications.1 If a cyber threat affects one application in one cloud, it can potentially affect your entire organization. Business continuity and compliance are in jeopardy if you don’t have security for all your information assets under your direct control.
Like IaaS and PaaS providers, SaaS providers vary in their technology implementations. For example, the most popular SaaS applications, Microsoft Office 365 and Google G Suite, are similar in function, but their security frameworks are very different.2
Complicating matters further, some SaaS applications, such as Salesforce, run in public clouds (AWS in this case), while others run in private data centers. Microsoft, for example, historically ran Office 365 from private data centers, but it is working to move that SaaS app to its Azure cloud.3
1 Chris Burt, “Slack May Be Sexier, but Office 365 Most Used Cloud-Based Business App,” The WHIR, March 29, 2016.
2 Steve Riley, “Office 365 and Google Apps for Work: Security Comparison,” Gartner, accessed December 14, 2017.
3 Mary Jo Foley, “Microsoft is on a quest to move more of its cloud services to Azure,” ZDNet, April 21, 2016.
The solution here is to apply an overlay of security at the connection points to your SaaS applications, or, for even better performance, from within the cloud service itself. In the case of Office 365, an email gateway that you control from the Azure cloud provides antispam and antiphishing, identity-based encryption, and more on top of the Office 365 security provisions.
You can apply cloud-based security to other SaaS apps as well if your cloud provider offers cloud access security broker (CASB) subscription services for your security vendors’ products. These services typically provide visibility, compliance, data security, and threat protection for any CASB-compliant SaaS application you use. The question now becomes: Can you find such tools for every cloud and SaaS application? More important, can they all work together?
SECTION 2: MULTI-CLOUD VISIBILITY

Visibility is a major point of distinction between single- and multi-cloud security. It is challenging enough to coordinate threat management between the corporate network and a single private or public cloud. With applications running in, and accessed through, multiple clouds, the challenges multiply, so coordination and consistency become paramount to achieving a defensible security posture.

Consistency and coordination start with a centralized view. You undoubtedly already use one or more security device management consoles. To avoid asking security staffers to learn yet another management tool, an easy first option is to check whether your current next-generation firewall (NGFW) management tool enables staff to view and control other network devices, including those of other vendors. Some security vendors have several network operations center (NOC) or security operations center (SOC) management tools that can provide single-pane-of-glass management for multi-cloud environments. The key is to make sure that the management tool you select does not limit your view of the multi-cloud network or your ability to deploy security policies, perform content security updates and firmware revisions, and configure individual devices.
SECTION 3: MULTI-CLOUD CONTROL

Centralized management affords visibility, but on its own it doesn’t enable coordinated threat management. The security functions you manage—cloud-specific firewalls, web access firewalls, email gateways, sandboxes, and security information and event management (SIEM) tools—all need to be able to communicate with one another to accelerate threat detection and response. Security platforms play a coordinating role, but they work in a hub-and-spoke fashion, first collecting information from connected devices and then processing it, which takes time. With today’s rapidly disseminating threats, those precious minutes, and even seconds, can make all the difference in detecting an active threat. You can achieve that only if every device communicates with every other device in real time.

One way to minimize latency in threat detection and response coordination is to use virtual security tools that have been approved by your cloud provider and are made available in the cloud environment. For example, a cloud-integrated sandboxing tool that is a component of your security fabric can receive incident objects directly from your email gateways or web access firewalls, execute any suspicious code, and rapidly disseminate the results to your management console and to SIEM tools throughout the multi-cloud fabric.

The same coordination considerations apply to threat intelligence. To gain the upper hand on zero-day threats in an era of shrinking intrusion-to-breach windows, you must ensure that all your security tools draw on the same threat intelligence and can share information about threats that they detect. Furthermore, they should provide consistency in policy enforcement, and in their approaches to impact mitigation in the case of successful exploits.
SECTION 4: MULTI-CLOUD COST OF OWNERSHIP

According to RightScale, optimizing cloud costs is a primary concern for most cloud users.4 As you adopt multiple clouds, a security fabric can help you minimize the security aspect of your cloud spend through more efficient administration and automation of threat detection and response.

When it comes to administration, the centralized management component of the security fabric helps security staff attend to multiple clouds more efficiently, which may allow you to delay hiring additional staff or outsourcing security services. Automation, however, probably deserves a greater portion of your attention, not only because AI-assisted tools are maturing but also because your human staff can’t hope to keep pace with AI-assisted cyber crime.

Automation covers a wide swath of capabilities, ranging from scaling capacity up or down on demand, to automating failover, to automatically classifying and segmenting workloads. Virtualized versions of enterprise and web application firewalls can be automated easily with Fabric-Ready tools, as well as unified threat management functions for smaller organizations.

For private clouds, opt for tools that offer integration and orchestration with SDN controllers, such as Cisco ACI and VMware NSX, while in public clouds, look for security solutions that use native orchestration and scripting—for example, AWS CloudFormation scripts.

For threat detection and response, look for sandboxes that automatically share real-time updates to disrupt threats at the origin, subsequently immunizing the entire organization and the global community. These and other tools are linked through the fabric to threat intelligence services.

4 Kim Weins, “Cloud Computing Trends: 2017 State of the Cloud Survey,” RightScale, February 15, 2017.
CONCLUSION

Whether you’re already operating in multiple clouds or just considering doing so, now is the time to plan for broad, integrated, and automated multi-cloud threat protection. A security fabric can provide the basis for such protection, enabling you to move beyond prevention to more realistic detection and response strategies.

As you assess various multi-cloud security options, keep in mind that a continuous, concerted effort—involving you, your security technology vendors, and your cloud providers—is the best defense against unpredictably evolving cyber threats.

Copyright © 2018 Fortinet, Inc. All rights reserved. 01.26.18 www.fortinet.com 167340-0-A-EN