Nicolai Solling, CTO, Help AG, shares insights into how regional organisations can develop a strategic approach to securing multi-cloud environments.
Cloud computing is really making inroads in the UAE – and not just the public cloud environments. Customers are also starting to explore the benefits of modern compute and application environments, which private and public cloud deliver.
It is expected that the UAE public cloud market will reach a $290 million by 2020. Major technology vendors including AWS, Microsoft, Alibaba, and SAP have been quick to recognise the region’s cloud-readiness and have begun investing in Middle East-based cloud data centres.
All of this is intriguing and the numbers staggering, but we are still in the early days of cloud – particularly when it comes to cloud security. I am often surprised to find that regional enterprises either believe that the cloud is secure by default, or that the native controls delivered by cloud providers are good enough. Therefore, we continue to see higher levels of security investment being made to secure legacy environments.
Unfortunately, cloud and the applications we deploy there are not secure by default – in fact security in the cloud is as complex, and as much of a requirement, as in any traditional data centre infrastructure.
Organisations need to build competence and understanding of cloud related security challenges, meaning we currently find ourselves with a competence gap – especially as cloud platforms and the attacks against those are often very different. For example, growing cloud adoption is causing attackers to focus more intently on client-side attacks and phishing, as the lack of a natural perimeter means that our user, endpoint and authentication are the new perimeters.
From a security perspective, this means that endpoint-security, identity control and user awareness are now becoming increasingly critical elements in a robust security strategy.
Then there is also the question of multi-cloud architectures. Whether by choice or by circumstance, more and more, organisations are finding their resources, applications and data deployed across multiple cloud environments with highly different security properties. The approach offers them unmatched power of choice and the freedom to run different workloads in different environments as per the best interests of their business, as well as helping them avoid vendor lock-in, increase reliability and robustness, and distribute their attack surface.
However, just as the cloud itself changes how we think about security, so does multi-cloud.
The primary issue is that when we move to the cloud, we may not be able to provision the same security controls as we had on-premises – and for multi-cloud scenarios, the controls may also differ.
While the native security controls may work well enough in one cloud, they may ultimately not expand to other cloud providers, which causes inconsistent controls, policies, management and the need to understand events and build competence on multiple tools.
Developing a multi-cloud strategy
Given the inevitability of multi-cloud adoption, it is critical for businesses to start taking steps to secure their future in the multi-cloud. The first of these is to acknowledge that the responsibility for the security of their sensitive data rests with them, rather than with any cloud provider.
This means that having full visibility and control over data flows – even across different cloud applications and environments – is imperative. Similarly, organisations must ensure that data and applications can only be accessed by those users who they are intended for.
Understanding cloud security also entails ensuring that you deploy technologies that can deliver solutions for both immediate and future requirements – and very importantly the cloud vendors that your organisation plans to utilise. It would be very unfortunate if you cannot deploy your applications securely because your security products do not support the cloud environment, or do not integrate very well with it.
The immediate capabilities of a vendor but also their long-term roadmaps and vision is therefore a key selection criteria. After all, your choice today may not be the choice of the future.
With the right access controls, end-to-end visibility and other security solutions in place, businesses can then start to understand and evaluate which cloud providers they should be focusing on – some may be geographically more attractive than others.
As we move to PaaS and serverless compute, and benefit from the features of containerised applications a whole new set of requirements will evolve, where security will be much more tightly coupled in the application and focus will be around ensuring that the developed application is bulletproof. Unfortunately, in this area, we are still in the infantile state. A good example is that the top 10 most popular docker images available on GitHub contain more than 30 vulnerabilities. These images are gladly trusted by developers as ‘sources of truth and security’ when they download them and build their applications on them.
But PaaS and Serverless compute also completely change how we store, and compute data as opposed to Infrastructure as a Service, where we take a much more classic approach to data and compute and just deliver it in a cloud format.
Even with all these security concerns, the cloud future for the region looks highly promising. And just as we see organisations increasingly leverage cloud platforms, we will hopefully also see an increased awareness and focus on the security implications. There is already an indication of this as Gartner has predicted that through 2019 cloud security spending in the MENA region will total $9 million, representing a staggering 108 percent year-on-year increase.
As has always been the case in cybersecurity, ensuring that this spending is directed into the right plan and the right technologies is what will determine the long-term success of an organisation’s multi-cloud strategy. There is no doubt that we are looking at great opportunities, but also great responsibility.