Op-Ed: Defining an effective path to operating securely in multi-cloud

The catch-22 of multi-cloud is that one of the biggest benefits of the model is also its most sizable detractor.

Enterprises adopt multiple clouds because each cloud is uniquely suited to certain workloads and data processing tasks. No two clouds operate in the same way; each has evolved with its tech stack to support different workloads natively. More clouds mean more avenues to support innovation, or so the theory goes.

But the uniqueness of each cloud environment is also one of the biggest challenges for enterprises operating a multi-cloud set-up. Figuring out how to make effective use of each cloud to support web applications while maintaining a level of consistency between those environments, such that they can be managed and secured centrally and effectively, is a key challenge.

The typical cloud journey for enterprises starts with one cloud. The enterprise trains its people in the intricacies of developing for that ecosystem before migrating existing workloads in or standing up entirely new applications that take advantage of that cloud’s native capabilities.

At some point in that journey, it’s inevitable that new cloud services will emerge, either within the existing cloud ecosystem or, more likely, outside of it. Individuals and teams will inevitably be drawn to experimenting with it. That may lead to them pitching a new option as more cost-effective for their specific use case.

As that repeats, multi-cloud set-ups are born and grow in complexity. Organisations have 15-plus clouds, sometimes more, and it’s clear when looking at some multi-cloud set-ups that the organisation has never encountered a cloud they didn’t like.

That kind of rapid cloud adoption can be particularly painful from an operations perspective. Each new cloud requires a new set of expertise, but it’s unrealistic to have experts for every cloud on staff, not least because it often isn’t budgeted for.

Total cost of ownership (TCO) exercises undertaken when embracing a new cloud are often based on a comparison of the metred cost of consuming a cloud service to run a particular application or workload. A number of more “hidden” costs are often overlooked when teams pitch the adoption of additional clouds. These include the engineering costs of maintaining the environment, along with the costs of securing the environment, from day one and beyond.

VIEW ALL

Teams often do not understand the costs of tailoring security policies and controls to each new cloud. In addition, the cloud environments themselves are not static: they evolve over time, and so does their usage. Differences in the way a cloud is used tomorrow compared to today are difficult to forecast or represent in TCO or budget calculations. The introduction or addition of a simple API could change application consumption and usage patterns, creating additional cost and security risk exposures.

SecOps also has a direct role to play

It isn’t just the development and product teams with cloud accounts that need to consider the TCO impacts of their cloud usage and decision making. Security operations teams themselves may also need to shift their ways of working and thinking to enable effective multi-cloud operations.

An important realisation for SecOps is that principles used to secure on-premises environments do not easily translate into the cloud – or multi-cloud – world. A common mistake is to attempt to replicate the same level of security and controls previously applied to internal servers to cloud operations. However, the paradigms of on-premises and cloud are fundamentally different. Some of the ways that applications and workloads were secured in the past are simply not relevant to the cloud and need to be discarded.

In particular, cloud and multi-cloud invite more of a shared responsibility model for security, where cloud service providers natively provide secure foundations that the customer organisation trusts but verifies. Everything above that foundation layer is the responsibility of the customer organisation to secure. Operating securely in a majority or fully web- or cloud-based environment means living with elevated risk tolerances and discomfort for security teams.

SecOps needs to determine how best to plug in its security capabilities, how to instrument multiple cloud services appropriately, and how to work with the data flows and event streams from each of the cloud platforms to better understand what they’re dealing with and to remediate any performance inconsistencies, misconfigurations or security-related anomalies.

De-risking multi-cloud

The key to supporting future web applications is to embrace the native capabilities of each cloud to the fullest possible extent but also to have an overlay – in the form of a unified control plane – in front of multi-cloud deployments that can bridge visibility and technical capability gaps between each cloud, and make multiple clouds seem like one from an operational perspective.

This control plane provides a holistic overview across the entire multi-cloud landscape. The idea is to have an “umbrella” of security regardless of how many clouds are used. This makes it easier to apply best-of-breed security in front of cloud infrastructure: maintaining consistent alerting and control over every component of the environment, giving greater insights into threats targeting multiple environments, as well as making it easier to configure rules and execute compute from a single platform.

Managed security services may also have a role to play in enabling organisations to be more easily multi-cloud, providing coverage assistance with monitoring and detection across the large attack surface posed by a multi-cloud set-up. They can also assist with access to staffing with specialised skills across multiple clouds, enabling enterprises to continue to expand and support more clouds, without adding operational and security risk.

Stephen Gillies holds the title of APAC technology evangelist at Fastly.