The increase in hybrid and multi-cloud environments has increased complexity for cloud security
Technology has advanced at a rapid pace over the past 20 years, and companies have had to digitally innovate to keep up with competitors. As organizations increase their digital assets, they are also increasingly moving to public and hybrid cloud environments for storage and infrastructure needs.
Interestingly, after embarking further into these cloud transformations, organizations also started wanting to add instant service availability and infrastructure-as-code into their own data centers. As a result, public cloud vendors are now offering private data center solutions such as AWS Outpost, Google Anthos and Azure Stack.
At the same time, FireMon’s 2019 Global Customer Survey found that these transitions will continue to increase, with 92% of companies planning to move some element of operations to the public cloud by 2021. As well, 41% have also already deployed in hybrid environments. And, according to Gartner, system infrastructure will also shift 20% further toward cloud solutions by 2020.
These types of hybrid enterprises are also increasing with the need to integrate a variety of cloud services and system architectures: on-premises, IaaS, PaaS and SaaS. Therefore, as companies increase their digital assets, they require more cloud services. This creates hybrid and multi-cloud environments that can become overly complicated.
The Challenge of Securing Cloud Environments
As these transitions occur more frequently, hybrid and multi-cloud environments also become more complex due to three main challenges: limited network control, little to no integration across services and a lack of qualified security personnel with enough domain and cross-domain knowledge and training.
Companies must take advantage of digital transformations and the cloud to stay competitive. However, this change also brings new challenges in managing network security processes across such complex environments, often with reduced security visibility and collaboration across SecOps, NetOps, DevOps and even semi-official CloudOps teams.
In trying to secure their networks, companies often rely on using multiple vendors, but too many hands overcomplicate the problem rather than providing a cohesive solution. For example, according to FireMon’s 2019 “State of the Firewall Report,” more than three-fourths of respondents use two or more vendors for enforcement points on their network. And more than half use three or more vendors to manage their network.
The truth is that most large security and networking vendors have a comprehensive security architecture and platform capability. But even if an organization aspires to consolidate with a single vendor, it will take a long time, and in many cases never be attainable due to longtime legacy, new acquisitions, security leadership changes and more. And even if a single vendor is decided on, it might not be possible to use its unique properties and native services across needed public cloud, containers and orchestrators, microservices, zero trust and soon 5G infrastructure and services.
All of these parties also increase human errors when trying to cope with manual network changes, including logging into multiple consoles to manage security processes. As systems become too large, it is difficult to holistically manage the environment, avoid outages and reduce risk and SLA times while still enabling business growth, with the same number of security staff.
As a result, virtually all cloud data breaches to date have been caused by misconfiguration errors and not by sophisticated hacking. These errors come in two types: improper use of the native security controls offered by cloud providers, and organizations deploying misconfigured servers. According to Gartner, through 2023, more than 99% of firewall breaches and 80% of cloud breaches will be caused by human-introduced misconfigurations.
The solution to securing hybrid cloud environments is to eliminate unnecessary complexity caused by manual network and security policy management processes. Routine IT security tasks should be automated as much as safely possible to help reduce complexity and human-introduced issues.
Automation: The Key to Cloud Security
True security automation is key to protecting virtual assets as more companies move to the cloud. Automated Network Security Policy Management (NSPM) eliminates guesswork and reduces the manual steps that lead to misconfigurations while meeting security and compliance policies. By automating routine manual processes, a layer of complexity is simplified to improve cloud security.
Automation also provides more network control when done right. Automated network security policy management should provide continuous monitoring, scalable data controls, a collaborative policy platform, policy gold rules that provide access permissions and security guardrails that prevent misconfigurations and improve overall consistency. In a complex hybrid and multi-cloud environment, consistency and predictability are key to unifying the security of an entire system.
One of the other security challenges of embracing public clouds is that cloud security works differently than traditional network security and policies often look very different than traditional network security policies. For example, the source and destinations in cloud rules can be objects such as an instance or VM (not the same as the host) that have interfaces and IPs attached and are not the same as an IP-to-IP object. Additionally, an object could also be a native cloud service that resolves to ephemeral public cloud vendor IPs, where the IPs themselves are not obvious or even known to the customer.
Therefore, managing separate cloud and data center security policies, and with different solutions, could lead to misalignment, reduced visibility and compliance and weakened overall security. Although previously difficult, it is now possible to have a unified policy across hybrid infrastructure, supporting native cloud objects such as VMs, VPCs, security groups and more. The alternative approach of implementing separate cloud security and network security solutions, even if they are from the same vendor, would simply not work efficiently in a large-scale hybrid environment, without reinforcing team silos.
Benefits of Going Beyond ‘Zero Touch’ Automation
While companies secure and gain visibility over the cloud, they can also reap the benefits of true security automation by going beyond zero touch automation, which automates the network security life cycle by pushing policy and configuration changes to devices. Automated tools that go beyond zero touch are flexible and adaptable to unify security policy management.
When we say to go beyond zero touch automation, we mean to not stop at zero touch device deployment as a singular event. Rule deployment is not the outcome itself. The real outcome is to have a loop that continually and automatically recalibrates the security policy as infrastructure changes are detected, services scale up within boundaries of what is and isn’t allowed or they need simplified quick approvals.
For the best results, automated network security policy management should match and grow with a company’s security needs and capabilities. Security tools should increase their forms of automation over time to better manage and protect a company’s entire network.
The benefits of going beyond zero touch automation to integrate security processes include:
- Full visibility: Simplify operations and provide the ability to control security rules.
- Eliminate misconfigurations: By removing manual change management processes, we avoid human error altogether.
- Improve efficiency: Automate repetitive tasks to minimize business disruption and avoid outages.
- Ensure continuous compliance: Network security policy management tools should not sacrifice speed for compliance. With real-time policy assessments and device policy recalibration based on application-centric rules, true security automation will guarantee policies are being followed.
Security challenges will continue to advance as cloud platforms continue to expand. While automation will remain the key to maintaining hybrid and multi-cloud security in an increasingly complex environment, companies can benefit now from incorporating automated tools that enable their business to adapt and secure their entire system.