How to provide secure application access in a multi-cloud world
Long gone are the days when a single cloud is the preferred choice for businesses still undergoing a digital transformation. Instead, most organizations are quickly moving toward a multi-cloud environment that mixes both public and private platforms.
But that mixture leaves security teams in a quandary. As organizations move more of their workload to the cloud, the teams charged with safeguarding assets need to lock down apps and plug other vulnerable hotspots that arise or are amplified by a multi-cloud strategy, but they can’t make those security measures burdensome to users. Otherwise, users can’t easily do their jobs — at any time and from anywhere, as today’s digital economy dictates — and they’re more likely to find workarounds that undercut security.
The flip to multi-cloud is fully underway, after arguments against the move evaporated in the face of digital transformation and as the pandemic bore down, sending workforces home to work remotely. These events accelerated migration to the multi-cloud environment in order to meet the increased demand by users to access apps and data from outside the office. Workers needed to do their jobs from wherever they were — at home, in the office, or at a coffee shop — and using any device, managed or not.
In the “Before Times” — pre-2020 — there were already clear indicators that a shift to multi-cloud or hybrid environments was in the making. Early cloud strategies hewed toward single-cloud implementations — perhaps because they were more tightly coupled to a vendor like Microsoft, with which an organization already had an existing business relationship for other products and services. But as different branches of an organization saw the benefits and efficiencies of moving to the cloud, they added different platforms to the mix.
The pandemic, and the resultant shift to remote work, accelerated not only migration to the cloud but also the embrace of multi-cloud or hybrid environments. A study by the Harvard Business Review found that 69 percent of organizations expect upwards of 60 percent of their workloads and infrastructure to be in the cloud in the next two years. And the 2021 State of the Cloud report from cloud management firm Flexera found that among enterprises plotting their continued digital transformations, 93 percent are mulling multi-cloud implementations, with organizations using an average of five or so clouds, almost equally divided among public and private platforms.
Couple those results with findings from Denodo that reveal a proclivity toward hybrid and multi-cloud for 53 percent of respondents and the trend is clear: The action is in multi-cloud.
But as the number of cloud implementations multiplies, so do the challenges — security and otherwise. Regardless of whether an organization patches together its cloud offerings or executes a more careful strategy, integrating cloud platforms operationally and securely is a monumental task. Among the top obstacles organizations face are the following:
Management of access to apps.
Applications in a multi-cloud environment are often out of reach for those who need them most. Some organizations have applications in their private clouds that are not as centrally located as they would be in a traditional data center. Others still have applications in the data center that aren’t easily accessible via cloud environments.
Standardization of processes.
Not surprisingly, different branches of an organization have developed their own sets of processes on the cloud platforms they use. When those platforms are melded into a single strategy, processes aren’t consistent across an environment, and in some cases they’re in conflict. Standardizing and securing processes, though, requires particular attention to how they’re used by employees.
Poor visibility into assets.
It’s difficult enough to “see” assets across a single cloud platform; add others to the mix and visibility dims further. Since organizations can’t protect what they can’t see, poor visibility can cripple even the best security strategy.
Uneven encryption.
Again, not surprisingly, different branches of an organization may vary their approach to encryption, with some adopting more stringent encryption requirements while others take a more relaxed, piecemeal approach. But encryption is meaningless if it isn’t end to end, so it’s important for organizations to develop and execute a comprehensive encryption plan across cloud platforms.
Gaps in security skills.
Cloud security pros often specialize in one platform or another and are not skilled in other cloud offerings or in particular security issues. As organizations integrate their cloud platforms, they likely will find gaps in the skills their IT and security pros bring to the table.
Management and remediation of vulnerabilities.
Many organizations are felled by breaches that result from unpatched flaws, many of which have been known for years. When environments span multiple clouds, spotting and addressing those vulnerabilities before they’re exploited by bad actors becomes more difficult.
Shared responsibility that gets murkier.
Organizations on a single cloud platform already grapple with understanding where a provider’s security responsibility ends and where its own begins. That problem is magnified in an environment with multiple clouds in play. Who’s in charge of what gets lost in the shuffle.
While cloud environments have matured and become more complex, security clearly has not kept pace. As work increasingly is done outside the enterprise data center and more traffic occurs in the cloud, securing access to applications without increasing friction for users requires migrating legacy perimeters to cloud-based, converged security capabilities — like those found under the Secure Access Service Edge (SASE) model — that support modern work.
By integrating tools that organizations already depend on, such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Firewall as a Service (FWaaS), and Zero Trust Network Access (ZTNA) with software-defined wide area networking (SD-WAN) capabilities and even 5G connectivity, SASE can protect users as they access applications no matter where they are or where they go online — and users are none the wiser. All they know is that they can access the applications they want, when they need them, without jumping through hoops. And the SWG at the heart of SASE also ensures that unauthorized applications are shut down, reducing or eliminating the risk of a security incident.
Driven in part by the pandemic, SASE adoption is well underway and, in fact, this timeline has been accelerated to five years from the previously estimated 10 years as organizations continue their digital transformations. But to put a SASE strategy into motion to protect access to apps in a multi-cloud environment, organizations should follow a few prudent guidelines[1]:
Start where you are.
No two organizations are at the same place on their cloud journeys. It’s critical that an enterprise invests in a solution that meets its current needs and supports a path for future growth, utilizing a shared platform where possible.
Prioritize the user experience.
In today’s modern work environment, in the midst of a “Great Resignation,” it’s all about users and giving them the tools — and apps — to best do their jobs. Security and networking teams should consult with all major stakeholders within an organization to understand how users work, then align the provision of secure access to applications that meet users’ needs.
Embrace Zero Trust Network Access (ZTNA).
The old joke goes “On the Internet, no one knows you’re a dog.” The same is basically true in the cloud. Zero Trust essentially assumes everyone is a “dog,” then grants access to apps only as identity is confirmed. ZTNA solutions should be easy to deliver to users, either clientless or through a client, providing simple access while enforcing security policies at all times.
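The "everyone is a dog" idea translates into a default-deny, per-application decision: nothing is reachable until identity is confirmed, and even then only the applications the user is entitled to, on a device that meets policy. The following is an added illustration of that decision logic, not code from Menlo Security or any ZTNA product; the HMAC-signed token, the policy table, the group directory and the posture flag are all constructed stand-ins for what an identity provider and a ZTNA broker would supply.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed signing key for this example only; a real broker validates
# assertions with the identity provider's published keys.
SIGNING_KEY = b"example-only-signing-key"

# Constructed policy table: which groups may reach each published application,
# and whether the application additionally requires a managed (enrolled) device.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "managed_device_required": True},
    "wiki": {"groups": {"finance", "engineering"}, "managed_device_required": False},
}

# Constructed directory: group membership as an identity provider would report it.
USER_GROUPS = {
    "alice": {"finance"},
    "bob": {"engineering"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str             # who the client claims to be
    app: str              # which application is requested
    token: str            # identity assertion in the form "user.expiry.signature"
    device_managed: bool  # posture signal from the client agent or clientless portal


def _sign(payload: str) -> str:
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint_token(user: str, expires_at: int) -> str:
    """Issue a signed identity assertion (stands in for the IdP in this example)."""
    payload = f"{user}.{expires_at}"
    return f"{payload}.{_sign(payload)}"


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the asserted user if the signature is valid and unexpired, else None."""
    try:
        user, expiry, sig = token.split(".")
        expires_at = int(expiry)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{user}.{expires_at}")):
        return None
    if now >= expires_at:
        return None
    return user


def decide(req: AccessRequest, now: int) -> tuple[bool, str]:
    """Default-deny, per-application access decision.

    Every check that fails short-circuits to a denial; access is granted only
    when identity, entitlement and device posture all pass.
    """
    user = verify_token(req.token, now)
    if user is None or user != req.user:
        return False, "identity not confirmed"
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application"  # unpublished apps are unreachable
    if not USER_GROUPS.get(user, set()) & policy["groups"]:
        return False, "user not entitled to application"
    if policy["managed_device_required"] and not req.device_managed:
        return False, "managed device required"
    return True, "access granted"


def run_scenarios(now: int = 1_000) -> dict[str, tuple[bool, str]]:
    """Evaluate a set of constructed requests and return each decision."""
    alice = mint_token("alice", now + 600)
    bob = mint_token("bob", now + 600)
    stale = mint_token("alice", now - 1)
    cases = {
        "alice_payroll_managed": AccessRequest("alice", "payroll", alice, True),
        "alice_payroll_byod": AccessRequest("alice", "payroll", alice, False),
        "bob_payroll": AccessRequest("bob", "payroll", bob, True),
        "bob_wiki_byod": AccessRequest("bob", "wiki", bob, False),
        "alice_expired": AccessRequest("alice", "wiki", stale, True),
        "bob_as_alice": AccessRequest("alice", "wiki", bob, True),
        "alice_unknown_app": AccessRequest("alice", "hr-portal", alice, True),
    }
    return {name: decide(req, now) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The order of the checks is the point: identity is established before any policy lookup, an application that has not been published to the broker does not exist as far as the user is concerned, and a denial reason is returned rather than raised so the broker can log it without leaking policy detail to the client.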
Find a solution with strong isolation capabilities.
Organizations need to identify threats and isolate them before they impact users — without changing the user experience, degrading users’ performance, or interrupting workflow. Isolation capabilities should be considered a foundational aspect of security solutions tied to SASE.
Ensure scalability.
If the last two years proved anything, it’s that change is inevitable — but unpredictable. Organizations must be prepared for whatever changes and growth opportunities come their way, and that means investing in a security solution that is scalable to future needs.
Find the right partner.
To streamline and simplify initiatives, organizations need to partner with a vendor whose platforms can integrate all elements of SASE. A shared management console provides ease of use for practitioners and centralized visibility and reporting across all solutions.
Regardless of where an enterprise is in its cloud journey — and make no mistake, all organizations are on a cloud journey or will be very soon — the time to secure applications is now. Whether a public or private sector organization has most of its workloads on premises today and is slowly moving to cloud, or is already very cloud focused and is expanding rapidly to a multi-cloud model, it’s crucial to implement security measures that support current needs but can scale as the cloud environment grows. Securing applications as they’re migrated to the cloud without placing undue burdens on users should be the centerpiece of any such strategy.
To learn more about the benefits of implementing Zero Trust Network Access, download this free white paper.
The post How to provide secure application access in a multi-cloud world appeared first on Menlo Security.