Paul Nicholson, director of product marketing at A10 Networks, examines the security challenges of the multi-cloud space.
As companies leverage a multi-cloud strategy to improve IT operations and provide better services to their customers, they can’t afford to overlook the implications for security.
This is especially true with the emergence of a new paradigm to run multiple disparate compute environments for application delivery.
In fact, while issues like creeping complexity, non-existent cross-platform visibility, and multiple vendor standards all compete for IT focus in a multi-cloud environment, enterprise leaders cite security as the top challenge of all.
This trend was illustrated in a recent global survey of IT and business executives conducted by A10 Networks in partnership with the Business Performance Innovation (BPI) Network.
In the survey, respondents reported that ensuring strong security across clouds, networks, applications and data will be critical for realising the advantages of multi-cloud IT.
This is clearly a work in progress; to date, only 11% believe they have been highly successful in seeing the full value of their multi-cloud strategy, while a majority (51%) rate themselves as only somewhat successful or unsuccessful so far.
A quick web search will uncover many cases of vulnerabilities and real-life incidents. In one blog post by VMware, it is noted that it’s the job of IT and security teams, not just cloud providers, to take care of many aspects of security.
To stop sophisticated bots, frequent data exfiltration of personally identifiable information (PII), application attacks, and other threats, it’s essential to implement a security strategy across all your clouds, private or public that is as stringent as the one used for your on-premises solutions, if not more so.
Deterministic or accidental multi-cloud complexity: It all needs to be secured
It’s easy to understand why the proliferation of multi-cloud environments has tended to outpace the evolution of multi-cloud security. While the move to multi-cloud is often part of a clearly defined and intentional strategy, this isn’t always the case.
For many organisations, the shift happens on a more ad hoc basis. For example, it may happen when a company with a single-vendor cloud strategy acquires or merges with another organisation using a different cloud platform.
Business units and development teams may source their own cloud resources, with or without IT’s blessing as shadow IT. New requirements for specific services, data sovereignty (such as GDPR), or integration lead IT to add new vendors to the environment. As a result, most companies end up in a more complex multi-cloud setup than they had envisaged.
Intentional or not, the evolution to multi-cloud environments typically focuses on the business and IT factors driving it.
As with many technologies in IT operations, organisations first provision the services they need to address various requirements, and only then turn their attention to how best to control, govern, and manage the resulting environment.
This often proves more difficult than anticipated, as shown in the results of the survey. Nearly two-thirds of respondents (63%) said that ensuring security across all clouds, networks, applications and data was the top challenge of multi-cloud IT, which is good news, as it is top-of-mind, even if the solutions are not ubiquitous today.
Management skills and expertise (37%) and centralised visibility and management (33%) were also cited—both key concerns for effective multi-cloud security.
Essential security capabilities and practices
As IT, security teams, and business leaders have worked to close the security gap in their multi-cloud environment, a clear sense of the most relevant technologies to leverage is needed.
In the BPI report a majority named centralised visibility and analytics into security and performance (56%), automated tools to speed response times and reduce costs (54%), and centralised management from a single point of control (50%) as the top capabilities for improving multi-cloud security, reliability, and performance.
With the volume of digital business data and transactions constantly rising, 38% of respondents also pointed to the need for more scalable, higher-performing security solutions. This will only be exacerbated over time, especially with the rise of IoT and the emerging 5G connectivity.
Looking at the most important considerations in protecting the security and reliability of multi-cloud environments, 62% of survey respondents agreed on the importance of centralised authentication or pre-authentication to help maintain effective control over the users, admins, and systems allowed to access various resources across multiple clouds.
One respondent, Raja Mohan, senior strategic architect for cloud and platform services at Franklin Templeton, explained the reasoning behind this emphasis, “How do we deliver highly secure applications in a way in which it doesn’t matter where they reside? How do we provide seamless, secure services? That’s the goal.”
An answer to this question is seen in the high ranking of centralised security policies as a critical practice for multi-cloud IT (46%). Among defensive technologies, many respondents called out specific high value defences such as robust web application firewalls (WAFs) (40%) and DDoS protection (33%).
IT operations need to partner with the security teams for cross-cloud security
Organisations have been doing their best with the security tools available to them, but they’re far from satisfied with the results. “At this juncture, we’re taking advantage of security solutions from our public cloud providers augmented with our existing toolset, but we are continuing to evolve in that space,” said Mohan.
Indeed, IT organisations are continually reassessing their solutions and vendors and identifying areas where change is needed. Only nine percent of survey respondent are extremely satisfied with their current security solutions for multi-cloud environments – while 38% see a need for significant improvements.
Only 18% believe they do not need to re-evaluate their suppliers. Figures like these are a wake-up call for everyone in the multi-cloud security space.
This evidence shows the need to adopt a Polynimbus secure application services approach to give the power back to IT and security teams so they can provide a secure and consistent secure application services environment across their clouds.
Powered by application delivery controller (ADC) solutions, Polynimbus mindsets and practices will be the most effective way to ensure that multi-cloud compliance, security policies, functionality, and expectations are met, while easing the burden of over worked and stressed IT and security teams. Ultimately, this approach will make vigilance easier to enact and responsibility easier to fulfil.