When Christina Shannon started her new role as global chief information security officer (CISO) for Catalina USA last year, she was stunned to find an organization with more than 40 cloud environments.
The marketing company, known for producing coupons based on shopper purchases at the checkout counter, had been moving from paper to digital for some time. As part of that shift, the company wanted to provide shopping discounts on smartphones, which meant moving 100% to the cloud.
From Shannon’s perspective, this meant the IT security team would need to get busy implementing cloud-native security tools to
improve its ability to identify, protect, and recover assets across multiple clouds.
“I came into a situation where we had all these cloud environments, and my security team wasn’t looking at any of them,” Shannon recalls. “They were just looking at what lived in a data center, missing half the visibility required to quantify cyber-risk.”
Embracing cloud computing opens up security risks
Catalina isn’t alone. As enterprises race to the cloud, many have done so without first deploying robust security strategies to protect their assets across multiple cloud environments.
This is a serious problem because 73% of organizations, not wanting to get locked into any one cloud service provider (CSP) platform, now house data on multiple public clouds, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, according to a Splunk survey. Lacking guardrails to manage the multiplication of cloud environments has contributed to 45% of businesses suffering from cloud-based data breaches or failed audits in the past 12 months, reports the 2022 Thales Cloud Security Study.
Such unchecked complexity can be the bane of any IT security department’s existence because it leads to cloud and firewall misconfigurations that open portals to opportunistic hackers. Indeed, Gartner says, 99% of cloud security failures through 2025 will “be the customer’s fault.” Twitch, Uber, Imperva, and a host of companies whose clouds have been breached due to misconfiguration can
attest to that.
Extending good cybersecurity practices across on-premises and cloud infrastructure is no easy task. It can take years to carry out, in part because digital environments are constantly changing. And even if a company has its own house in order, partners may not have adequately safeguarded their clouds, networks, and products.
“As organizations adopt multicloud environments, they need to
be mindful that cyberattacks are often successful because they
take advantage of a vast supply chain of technology vendors,” says Nataraj Nagaratnam, chief technology officer (CTO) for cloud security at IBM. “With this complexity, bad actors can easily
exploit vulnerabilities created through misconfiguration or
Dedicated cybersecurity is needed for each cloud
Experts say it’s important to recognize that each cloud is likely to have its own set of security challenges and solutions. Cookie-cutter approaches and tools therefore will not work.
I came into a situation where we had all these cloud environments, and my security team wasn’t looking at any of them.
“The biggest issue about securing multicloud is realizing that each cloud service has slightly different ways of implementing and monitoring basic security functions,” says John Pescatore, director of emerging security trends for the SANS Institute. “Your security controls will have to be adapted to work across that.”
With public clouds, companies should start with tools provided by the CSPs themselves. Microsoft Azure, for instance, offers built-in controls and services across identity, data, networking, and apps. AWS, meantime, supplies basic data protection, identity and access management (IAM), managed detection and response (MDR), and network and application protection.
Tackling multicloud security challenges with a comprehensive approach
Though CSP tools are solid, they work best for their own cloud environments.
Most enterprises need a mix of complementary tools and techniques to achieve comprehensive multicloud coverage. A wide-ranging approach grows in importance as a result of the rise of containerization, which isolates applications, as well as the growth of microservices that loosely couple the elements of an application. These strategies help applications run across different clouds, and all of them need to be secured.
To get on top of multicloud visibility and security, experts recommend a few steps in addition to putting CSP tools to use.
- Weave security into DevOps. Philip Bues, research manager for IDC Cloud Security, notes that many organizations have multiple in-house developers who write code for private and public clouds that works great from a functional standpoint but isn’t necessarily secure by default. He says every cloud security strategy should include a “shift left” component, which refers to ensuring that more operational and security testing is conducted at the earliest stages of development for any cloud-based software or service.
- Adopt an endpoint protection platform. In 94% of enterprises, up to 20% of endpoints are unknown. These days, every one of those endpoints accesses a public or private cloud and becomes vulnerable to data that isn’t secure. Endpoint protection platforms (EPPs) provide a combination of security hygiene, threat detection, and incident response as well as IT asset management and operations management capabilities.
- Consider MDR technology. Shannon says one of the first things her security team did after she arrived was to find out which of Catalina’s 40 clouds contained the most critical assets. “That’s where breaches were most likely to occur,” she says. Then they deployed a combination of cloud-native security tools to better monitor, manage, and secure those locations. Shannon’s team wanted to extend security from the cloud to the device, so they deployed MDR tools on top of endpoint protection.
- Prioritize vulnerability management. Brian Bobo, CISO for Greenway Health, a midsize electronic health records software provider, uses MDR and EPP as well. But he thinks that vulnerability management technology is also needed to identify, classify, and address known vulnerabilities in a system. “Most organizations do not put as much effort into vulnerability management as I think they should,” says Bobo. “To me, if you do nothing else, vulnerability management should be the top priority. You can have all the best technology in the world, but one vulnerability can allow an attacker to get past all of that and compromise you.”
- Evaluate crypto-key management solutions. To ensure control of who can decrypt data, Nagaratnam of IBM says it’s important to be able to view, provision, and manage crypto keys from one dashboard. This unified view can help simplify operations and enable enterprises to securely run workloads across various environments. It can also more quickly help IT and legal departments prove compliance with data sovereignty regulations, he adds.
- Conduct penetration testing. Shannon also recommends conducting periodic penetration testing to see how well current security measures are performing. “I identify certain risks to the business that I’m concerned about, then look to see what our situation might be with penetration testing,” she says. “For example, I just did one to understand our likelihood of a ransomware attack occurring because of a cloud vulnerability.” Shannon had been told the company had segmented backups in case of an attack, but wanted to prove that. So, she conducted a penetration risk test to see how easily someone could increase their access privileges to launch a systemwide attack.
The bottom line for securing multicloud infrastructure is that enterprises need to deploy best practices and tools from the very moment they begin designing and coding environments and throughout their lifecycles. Clouds never sleep. And with attacks happening around the clock and across time zones, neither do the hackers that attack them.