AWS has long ruled the cloud platform game. But today more and more companies are branching out and using additional providers as well. Often this isn’t a matter of replacing one with another, but of different business requirements (such as managing risk and costs) being suited to different cloud vendors. Other factors for using more than one provider center on the fact that vendors work to price their offerings competitively and continually add new features. Additionally, many organizations that run Windows are offered free Azure credits. So why not take advantage and reduce your overall cloud costs?
There’s nothing wrong with running a multi-cloud environment — in fact doing so may be part of a well-crafted strategy — but when you do so, you want to make sure that you are taking appropriate security precautions. In this post, we’ll cover five principles you should strive for when you make the move to a multi-cloud environment. But first, let’s take a look at the major players.
The Public Cloud Market: Three Major Players
Three major players dominate the public cloud platform world: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. AWS has been in the game the longest, and they have captured the largest market share with 57% of the market running their apps on AWS. Microsoft has 34%, and Google has 15% of the market running apps on their cloud platform.
The article Public Cloud War: AWS vs Azure vs Google provides an excellent rundown on how the three compare when it comes to these major factors:
- Computing power
- Storage and databases
If you are trying to decide how much and which aspects of your environment to run in each of these services, this article will give you a clear breakdown.
Now, let’s talk about what it takes to secure your multi-cloud environment.
How to Run Secure in a Multi-Cloud Environment
1. Avoid ShadowOps
It’s all well and good if the entire organization has agreed that it makes sense to run multiple cloud environments with different vendors. If the benefits of doing so outweigh the costs, then by all means, take advantage of the competition to reduce costs and get the features you need. That said, a lot of organizations wind up with several separate AWS accounts that are unconnected or a bunch of different instances scattered across AWS, Azure, and Google. This can happen when DevOps team members decide to do what is best for their particular use cases without looking at what is best for the organization as a whole.
As we explained in ShadowOps Isn’t Just Bad DevOps, doing so can make your organization significantly less secure. It’s interesting to note that by 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources (2017 Gartner Security & Risk Management Summit). So whether the organization decides to stick with one cloud provider or distribute infrastructure across multiple, make sure that everyone has bought in and understands why this is the best approach for the organization. That will reduce the amount of ShadowOps going on, and in turn, improve your overall security posture.
2. Prioritize Visibility
No matter what cloud platform(s) you choose, you need to ensure that you have complete visibility across all your instances. This means that when you go to choose a cloud security solution, you should prioritize selecting one that offers deep visibility, ideally at the workload layer.
Signature-based monitoring is not enough in the cloud. You should focus on increasing visibility through behavior-based monitoring instead. In other words, you want a solution that is able to hold a magnifying glass to behaviors across all your instances and quickly detect anomalous behavior.
Your security solution should be able to:
- Identify untrusted system modifications
- Catch threats with behavioral monitoring of users and processes
- Immediately detect anomalous user, process, and file activity
If you have complete visibility across your cloud instances, then it becomes irrelevant whether you’re using AWS, Azure, Google, or a mix of the three. You’ll still be able to run secure.
3. Follow Best Practices
Each platform comes with its own set of best practices. So if you are going to run instances across multiple platforms, make sure to educate yourself about best practices for each. AWS offers a guide to best practices on their platform (and you can also check out our top 10 AWS best practices). Azure lists (and updates) a series of articles that cover various cloud security topics in depth, and Google Cloud Platform shares a list of best practices. Of course, there is a good amount of overlap, and some general rules apply, such as:
- Know what is happening in your environment at all times.
- Set up alerts (prioritized by severity) that will notify you in case of out-of-policy behavior.
- Meet and exceed compliance requirements.
- Practice good hygiene: Keep everything updated and patched.
Best practices shared by the cloud vendors themselves are a great place to start because they know their technology better than anyone, and they have a responsibility to educate and support their customers. Beyond these, we’ve written extensively about cloud security best practices, so check out our previous content for more tips.
4. Focus on Automation
Humans are prone to error. Through 2020, 95% of cloud security failures will be the customer’s fault (2017 Gartner Security & Risk Management Summit). When it comes to security, human error can introduce all kinds of risk. Relying on machines to automate routine, repeatable tasks is a good way to ensure that you don’t damage your security posture, especially while running multiple instances across several cloud vendors.
We recommend that organizations leverage automation to become secure by design. To accomplish this, you should focus on:
- Updating your governance rules for the cloud
- Understanding the shared responsibility model (which we’ll cover below)
- Adopting a continuous risk treatment approach
Running in the cloud enables your DevOps teams to go faster. It enables continuous integration and continuous development cycles that can give you a real leg up on the competition. But it can also introduce risk, so you want to make sure you leverage automation to ensure that all security best practices are being managed efficiently and with minimal margin for error.
5. Uphold the Shared Responsibility Model
Finally, make sure you understand the shared responsibility model. We’ve written before about its implications and the state of the model today. 79% of businesses experienced risk that have actually translated into significant operational surprises in the past 5 years (2017 Gartner Security & Risk Management Summit). The bottom line is that when you take advantage of the public cloud — whether AWS, Google Cloud, Azure, or a combination — it’s up to you to secure everything in the cloud. You can count on AWS, Google, and Microsoft to secure the cloud itself, but you must make sure that your applications, data, and other systems are fully secured in the cloud. If someone logs into production without permissions and does something to put your organization at risk, that’s on you. So make sure you understand exactly where your responsibility begins and ends, and uphold it.
Final Words . . .
We think it’s great to see more organizations taking advantage of the competitive marketplace around cloud platforms today. While AWS has taken a clear lead, it’s worth exploring your options to understand which public cloud is right for your organization to accomplish its objectives.
As long as you keep security best practices at the forefront and take steps to ensure visibility across your cloud environments, you’ll be securely on your way to realizing the benefits of public cloud without getting tripped up by any potential drawbacks.
If you’d like to learn how Threat Stack’s intrusion detection platform (IDP) can help secure your cloud environments, please contact us today for a demo.
Looking to Secure Your Own Infrastructure?
See the Threat Stack intrusion detection platform in action with a demo – the first step to securing your journey in the cloud.