Most organizations are pursuing a hybrid or multi-cloud strategy these days, for several reasons, including integration of multiple services, agility, accelerated innovation, and business continuity.
According to Fortinet's 2021 Cloud Security Report, 71% of organizations that responded to the survey said they were taking these approaches, while only 27% said they relied on a single cloud deployment. Those using hybrid or multi-cloud were about equally split between the two approaches.
While the hybrid and multi-cloud approaches obviously offer many business benefits, they also come with their own set of security concerns.
The survey found that for 58% of respondents, one of the biggest challenges when working with a multi-cloud environment is the need to ensure data protection and privacy for each environment. For 67% of cybersecurity professionals, misconfiguration of cloud security remains the biggest cloud security risk. This is followed by exfiltration of sensitive data (59%), and unauthorized access and insecure interfaces/APIs, tied at 49%.
Another major challenge (according to 57% of respondents) is having the right skills to deploy and manage a complete solution across all cloud environments, followed by struggling with how the different solutions all fit together (52%). And with cloud overall, 53% said that a lack of visibility was hindering cloud adoption.
For modern businesses, it’s cloud-forward all the way. Today, 33% of surveyed organizations are running more than 50% of workloads in the cloud; in the next 12 to 18 months, that figure will grow to 56%, the survey found. That’s because cloud computing is delivering on its original promises; organizations are experiencing faster time to market (53%), increased responsiveness (51%), and cost reductions (41%).
Clearly, the benefits that a hybrid or multi-cloud strategy offers far outweigh the risks, and fortunately, many of the security challenges can be solved with the right approach. Here are three best practices that will help define that plan.
1. Limit access to need-to-know basis
Not everyone needs administrator privileges. It’s important to limit user access to just what users really need to do their jobs. Consider imposing strict controls on which devices are allowed to access your network. Remember that wireless access only applies to some IoT devices.
You’ll need to also have protocols in place for Bluetooth connections, radio frequency-based devices spanning nearly a dozen different protocols, and smart devices hardwired into your network. Many of these devices access the network behind the firewall.
2. Use only what’s needed, and patch, patch, patch
Use only the applications with a business need and keep them up to date and fully patched. Using unnecessary applications expands the attack surface and increases the complexity of protecting the environment. Regularly check for updates and apply patches when they become available. Automate this process as much as possible. As with software, replace end-of-life devices that are no longer supported as new versions with better security become available.
3. Do the fundamentals right
Good old-fashioned security hygiene and simple-to-intermediate controls are possibly the most neglected elements of security today, but they’re crucial, especially when networks and devices are connected to the cloud. Also, remember to periodically review your security hygiene protocols, since controls and technology are perishable. These reviews include:
- Instituting IoT security protocols, such as making sure your AV and IPS solutions include IoT signatures
- Taking inventory of authorized and unauthorized connected devices within your environment, including consumer devices such as cellphones and laptops; you have to know what you're protecting
- Sandboxing to discover unknown malware and compromised devices coming from your cloud connections
In terms of tools, the most requested capability in a cloud security solution is third-party security certifications (54%), followed by integration with security scanner tools (52%), and the ability to write custom rules and remediation actions (49%). More than three-quarters (78%) of those surveyed said they would find it very helpful or extremely helpful to have one cloud security platform that provides a single dashboard while allowing for configuration of policies to protect data consistently and comprehensively across the cloud.
Get adaptive with your strategy
What’s needed is an adaptive cloud security strategy that enables security to follow applications and data wherever they’re located. Cloud security needs to be adaptable to any cloud deployment and consumption model. As organizations increase their cloud maturity and expand their networks, they need for solutions that can grow and adapt with changing technologies and business requirements.
Organizations are recognizing the importance of converging security, network, and computing, breaking down operational silos to more fully reap the benefits of the cloud without compromising security and user experience.
Hybrid and multi-cloud strategies are clearly the way to go. But while so much of the industry seems to agree on this point, how to make it successful is a much murkier discussion. The issues of security and complexity are real, as the survey data shows, and every organization needs to consider which path will serve it best going forward. An adaptive cloud security strategy will help your organization manage the cloud’s security and complexity issues as well as adapt to future needs.
Keep learning
Get up to speed on Zero Trust security with TechBeacon's Guide.
Understand why API security needs access management with this Webinar.
Learn how how privilege and policy management improves your cyber resiliency in this Webinar.
Find out why Zero Trust means rethinking your security approach.
Answer this question: Is your environment adaptive enough for Zero Trust? Get this free white paper.