Source: www.csoonline.com – Author: David Strom
Feature
Jun 26, 2025, 8 mins
From containing costs to knowing what to keep in-house or not, here is how to securely manage your multicloud environment.
The days of debating whether cloud or on-premises is the best location for your servers are thankfully far behind us. But lately, more enterprises are shifting their workloads as they realize that security and simplicity matter.
This movement isn’t uniform because of the richness and complexity of multicloud computing in the modern era. Some enterprises are consolidating all their workloads from multiple PaaS providers into a single provider, typically AWS or Azure. But others are slimming down their cloud footprints into fewer providers. Having multiple cloud providers has been tolerated in the past but has proven difficult to support technically, as we wrote about earlier this month. “There is some movement to consolidate different cloud providers,” Forrester analyst Andras Cser tells CSO. “But this is more of an effort to reduce technical debt and to reduce vendor lock-in.”
Some of these consolidations are just circumstantial — such as trying to trim back the result of corporate acquisitions or bring uniformity to having to run disparate development teams — and are not borne out of having any great architectural plan. Some enterprises are repatriating workloads back to on-premises or are moving from public to hybrid or private clouds. We’ll get into the reasons for that in a moment.
Let’s look at the challenges and complexities of multicloud security by identifying the gaps and highlighting the gotchas. We’ll look at ways to be more purposeful about cloud security and focus on containing and managing tool sprawl with recommended courses of action that you can take.
Containing costs
Certainly, one of the biggest challenges has to do with the higher operational cost of maintaining separate cloud development teams, as each cloud has its own tools and implementation details, cutting across different services, protocols and systems, that require careful study and skilled engineers to maintain.
“Engineers don’t have the knowledge to maintain multiple clouds, they tend to focus on one or two clouds at most and deploy as much security automation as possible to manage them. Let’s do one cloud and do it well. Efficiency can only be gained by being less agnostic and being more focused. You can’t replicate all workloads everywhere,” Ashley Manraj, CTO of Pvotal, tells CSO.
The multicloud approach has lost its luster, according to Andrew Plato, who founded security consultancy Zenaciti among other tech startups. “And there are high costs and lots of difficulty in switching workloads from Amazon to Azure, as an example.” He hasn’t seen any wholesale move by enterprises to repatriate their cloud servers back into their data centers. Instead, “enterprises are backing away from deploying multiple public clouds.”
So, while cutting costs is a big motivation, figuring out these costs is still a very hard problem. The tools to predict cloud costs haven’t gotten noticeably better in the past decade. Everyone’s cloud cost figures vary from month to month by their very nature, given usage-based charging and ongoing changes to the providers’ pricing models. As previously noted, “trying to parse your monthly bill requires the skills of a CPA, a software engineer, a commodities trader and a sharp eye for the details.”
There is also what Steve Cobb, CISO at SecurityScorecard, calls “cloud sticker shock” that happens when you get your first monthly bill after turning on a new cloud app. “You don’t necessarily know what your traffic patterns will be until you build the app. They are hard to predict before you go into production with the actual data, and the shock is greater of course as you move a lot of data across cloud regions or have built in failover across providers.”
Is it time to repatriate to the data center?
Perhaps. Some organizations, such as Zoom, have moved workloads to on-premises because it provides more predictable performance for real-time needs of their apps. John Qian, who once worked there and now is the CISO for security vendor Aviatrix, tells CSO that Zoom uses all three of the major PaaS providers for elastic demands that they can spin up quickly. “You have to take the best features of both cloud and on-premises. For example, the data center makes sense if you can buy enough GPU bandwidth to build your own AI cluster.” Qian says Aviatrix uses just two PaaS providers at present.
Others have found that the bigger their storage needs have become — for AI LLMs, for example — the more cost effective and predictable on-prem storage can be, particularly if you are shipping huge data blocks from one PaaS to another.
Plato has a good rule of thumb: “Don’t put it in the cloud if you don’t need to.”
One solution: containers
One trend many sources could agree on is the movement of workloads to using more containers. Qian said that “containers can make the transition across clouds and from cloud to on-premises easier because of its abstraction layer, but this can also mean developers have to understand the cross-container security implications too.” Still, it is easier to shift workloads from virtual machine (VM) instances to containers, according to Plato. “It can be easier to secure a cluster of containers than a bunch of VMs.” Cser tells CSO that “containers make cloud movement more fungible because they are essentially clouds running on top of clouds.”
Centralize cloud security policies
The ideal is to have a centralized, common and consistent set of security policies across all clouds. Then you can implement automated ways to deploy (such as with Terraform or some other IaC that can integrate with your IDEs). Another set of tools that can help are Cloud Native Application Protection Platforms (CNAPP). The advantage of CNAPP tools is that they have many integrated sub-tools which make it easy to bring uniform policies across a complex environment. But, if you already have a lot of non-CNAPP automation, it might not be the best path. “You can build a very robust and secure infrastructure with these tools,” says Plato.
“As an example, say you create a new application that requires you to make changes across your entire multicloud environment,” says Cobb. “Without automation and something like CNAPP, that can quickly become untenable in terms of budget, expertise, and time.”
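The centralized-policy idea above can be made concrete as policy-as-code: one canonical rule set, with a small per-provider normalizer that maps each cloud's differently named storage settings onto it before evaluation. This is an added example, not code from the article or any vendor; the inventory records and their field names are constructed, simplified stand-ins for what an export from each provider might contain.

```python
# Added example: one canonical storage-security policy evaluated against
# inventory records from three clouds. Record shapes and field names are
# constructed, simplified stand-ins, not the providers' real API schemas.
from dataclasses import dataclass

# The policy is written once and applies to every provider.
POLICY = {"public_access": False, "min_tls": (1, 2), "encrypted": True}


@dataclass
class StorageFacts:
    provider: str
    name: str
    public_access: bool
    min_tls: tuple
    encrypted: bool


def _tls(s):
    """Normalize 'TLS1_2', 'TLS1.2' or '1.2' into a comparable (1, 2) tuple."""
    major, minor = s.upper().replace("TLS", "").replace("_", ".").split(".")
    return (int(major), int(minor))


# Per-provider normalizers: the same control lives under a different name
# and shape in each cloud, which is what makes uniform rules hard to write.
def from_aws(rec):
    pab = rec.get("PublicAccessBlock", {})
    blocked = all(pab.get(k) for k in ("BlockPublicAcls", "BlockPublicPolicy",
                                       "IgnorePublicAcls", "RestrictPublicBuckets"))
    return StorageFacts("aws", rec["Name"], not blocked,
                        _tls(rec.get("TlsPolicyMin", "1.0")), rec.get("SSEEnabled", False))


def from_azure(rec):
    return StorageFacts("azure", rec["name"], rec.get("allowBlobPublicAccess", True),
                        _tls(rec.get("minimumTlsVersion", "TLS1_0")), rec.get("encryptionEnabled", False))


def from_gcp(rec):
    # Constructed shape: public access is an IAM binding for allUsers; encryption assumed on.
    return StorageFacts("gcp", rec["name"], "allUsers" in rec.get("iamMembers", []),
                        _tls(rec.get("minTls", "1.2")), True)


NORMALIZERS = {"aws": from_aws, "azure": from_azure, "gcp": from_gcp}


def evaluate(inventory):
    """Return (provider, name, [violated controls]) for every non-compliant store."""
    findings = []
    for provider, records in inventory.items():
        for f in (NORMALIZERS[provider](r) for r in records):
            violated = [c for c, ok in (("public_access", f.public_access == POLICY["public_access"]),
                                         ("min_tls", f.min_tls >= POLICY["min_tls"]),
                                         ("encrypted", f.encrypted == POLICY["encrypted"])) if not ok]
            if violated:
                findings.append((provider, f.name, violated))
    return findings


SAMPLE = {  # constructed inventory: one compliant and one drifted store per cloud
    "aws": [{"Name": "logs-prod", "PublicAccessBlock": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
             "IgnorePublicAcls": True, "RestrictPublicBuckets": True}, "TlsPolicyMin": "1.2", "SSEEnabled": True},
            {"Name": "assets-web", "PublicAccessBlock": {"BlockPublicAcls": True}, "TlsPolicyMin": "1.0", "SSEEnabled": True}],
    "azure": [{"name": "finance01", "allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_2", "encryptionEnabled": True}],
    "gcp": [{"name": "ml-datasets", "iamMembers": ["allUsers"], "minTls": "1.2"}],
}
```

Running `evaluate(SAMPLE)` flags only the two drifted stores, each with the specific control it fails, so the same report format covers every provider.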
Understand the security problems you are trying to solve
One typical situation is when the devsecops team gets ahead of the CISO technically. “When that happens, the CISO doesn’t know what security problems the teams are trying to solve, and if what is being recommended is really going to solve them,” says Plato. That leads towards mandates on particular tooling, he finds, “rather than making sure particular security requirements are met by specific tools. You want to avoid tool sprawl with security data spilling out all over the place.”
Developers can get ahead of themselves too, and don’t necessarily understand how everything is secured across all possible clouds. Manraj says that the different PaaS players are diverging more than ever with different CPU, serverless and application support that have their own cloud-specific features. “This makes crafting the same security policy rule across all of the providers in some uniform fashion harder.”
Final recommendations
There are some other ways to improve multicloud security. “Spend some time ensuring that the workloads are as close to their actual infrastructure needs, such as storage, as possible. That also cuts down on costs and data entry and egress fees,” says Manraj.
Several sources suggested that enterprises manage their entire application stack inside their data centers. “Start by building your own in-house private cloud facility,” John Cronin, a retired enterprise IT architect, tells CSO. “Be 100% in control of all the software technology you will be using — database, storage, applications, and APIs. Then use outside cloud providers to provide additional processing capacity, redundancy and resiliency.”
“You shouldn’t buy a security tool until you have a clear set of priorities and a solid risk analysis in hand,” Plato says. “You must understand the threats you face before you start applying tools to them. Consider the native PaaS security tools that each provider has and start with what each can do. These typically cost less than third-party products.”
David Strom writes and speaks about security, networking and communications topics for CSO Online, Network World, Computerworld, and other publications. He can be reached through his web site.
Original Post url: https://www.csoonline.com/article/4010489/how-to-make-your-multicloud-security-more-effective.html
Category & Tags: Cloud Security – Cloud Security