Implementing security for a bullet-proof, multi-cloud environment
Financial services firms worldwide continue to look towards either starting or accelerating their journey into the cloud, with better flexibility and functionality as the primary drivers. When approaching cloud migration, many CIOs focus on including a multi-cloud strategy in their implementation roadmap so as not to put all their proverbial eggs in one basket.
In 2019, 81% of organisations said they used two or more cloud providers. Although this shows a clear move towards the cloud and a willingness to adopt it, a successful multi-cloud strategy is not possible without the right security in place. Cloud environments can be misconfigured just as easily as they can be set up, leaving holes in security that make companies vulnerable to DDoS attacks and costly data breaches.
Unsurprisingly, given the continuous move towards becoming cloud-ready, cloud ranks as the top risk concern for executives in risk, audit, finance and compliance, according to the latest survey by Gartner.
When approaching security for a multi-cloud environment, cloud security must be built into the overall environment as a key component of the cloud journey rather than treated as an afterthought.
The factors to consider for multi-cloud security implementation can be broadly classified into three parts: cyber defence (cyber operations and resilience), applied cybersecurity (cloud and infrastructure security) and managed security (managed application security). Cyber defence and security are managed by cloud providers in many different ways, and a number of fintechs can offer support, whereas application-level security has to be designed and architected as part of the cloud migration journey. This is where you strike the balance between going cloud-native and retiring technical debt.
Managed application security for a microservices application built on an emerging technology stack falls into a “reinvention bucket”: it is mostly rebuilt as part of an organisation’s journey to cloud migration.
Three aspects of application-based security are key when building multi-cloud solutions, namely identity and access management (IAM), data encryption and multi-layered infrastructure security:
- Identity and access management should be mandatory within an organisation, built on a clear policy, developed by the business and IT (information technology) teams, of who does and does not have access. The IT teams should have complete visibility of who has access, and a secure, centralised identity source should be appointed so that administrators can define a second layer of data access control policies based on roles and job functions, keeping data secure and private. Along with establishing clear role access, enabling multi-factor authentication as an additional security measure is critical to safeguarding company data.
- Data encryption includes the encryption of data at rest; ideally, data is encrypted on-premises before it moves to the cloud. Data encryption keys (DEKs) are then used to ensure that only users who are meant to have access to that data can get it, so that in the event of a potential breach the attacker cannot understand or decrypt the data unless they have access to all the keys. Your cloud provider of choice should play a major role in helping you ensure your data is encrypted, safe and secure.
- Finally, there is the implementation of a multi-layered security framework to help ensure all parts of your cloud platform are secure. This can be achieved through the use of data encryption, firewalls, privacy controls, regular audits of employee access, protection of access to the root account and much more, all to ensure the protection of your infrastructure.
The move towards a multi-cloud environment cannot be complete without considering the important role automation plays in cloud migration. Automation can orchestrate applications, data and infrastructure across different cloud environments, helping organisations automate manual workloads, innovate faster with a quick go-to-market and ensure up-to-date compliance.
Whilst leveraging automation, businesses should also look towards DevSecOps – the holistic implementation of end-to-end security throughout the course of any development in an organisation’s cloud security strategy – to achieve the results they need faster. The two ultimately go hand in hand. Through implementing DevSecOps or “shifting left of security”, security can be embedded into each deployment to ensure quicker development whilst simultaneously allowing the company to auto-detect security threats on a daily basis. By auto-detecting security threats, DevSecOps, along with automation, can help organisations better adhere to policies and standards and ensure overall compliance with regulations like GDPR, SONAR, MiFID etc., whilst managing a vast amount of data.
There are multiple ways organisations can implement security in a multi-cloud environment, but what is vital is that they do so from the start of their cloud journey. Organisations that have already started their cloud migration roadmaps, want to avoid future attacks and data breaches, and are keen to innovate faster for a quicker go-to-market should take a pause, ensure they have implemented multi-layered security across their business and get back on track to achieve their goals in a way that is automated, safe and most importantly of all, secure.
Anand Chandra
Anand Chandra is the senior director-technology, Synechron. The views in this article are his own.