Security for the digital hybrid multi-cloud era
Security is a cross-cutting concern across the hybrid enterprise. In this section, we will discuss the challenges and opportunities for hybrid cloud security in the context of digitization trends. This will cover security aspects related to infrastructure, application, data, integration, secure engineering, and operations.
App modernization and security
Businesses must consider security from the beginning when building applications on cloud. They are also looking to take advantage of application modernization as an opportunity to better their overall security posture. Threat modeling and secure engineering were always part of traditional application development practices. These practices merit even more importance in a hybrid cloud world, as the attack surfaces and threats are bigger. Clients adopting cloud-native and exponential technologies such as containers, blockchains, and AI need protection and look to secure these technologies as part of their modernization.
There is a need to catch advanced threats and be in a position to respond to them – you need to shift left with threat management in the agile DevOps pipeline. Traditionally, threat management and responding to security incidents are extended components of Security Information and Event Management (SIEM). In the modernization context, we will need to plan for all the ways to combat the different threats during the application development phase itself.
Data security
This important aspect will include how to manage security, protection, and governance of the data on cloud. The data security domain includes controls mapped to security threat landscapes and business contexts – encryption and key management, Identity and Access Management (IAM), vulnerability management, and data activity monitoring.
Another emerging aspect is that protecting sensitive data in all formats – in transit, at rest, and even in use – is becoming a necessity. This will ensure data in memory is also secure. Use cases such as cryptocurrency and digital assets drive this requirement for performing computation in a hardware-based trusted execution environment. Use cases such as the mining of cryptocurrency, which shift the focus from data to computational issues, drive the need for tighter security for data in use.
Security for integration, coexistence, and interoperability
Integration and interoperability are key enablers for enterprises to build business processes and enable data movement across internal, partner, and supplier systems. In a hybrid multi-cloud environment, integration cuts across applications deployed on-premises, applications in the same cloud, and applications deployed on different clouds, as well as SaaS solutions. Within integration modernization trends, companies are also building the shared intelligence backbone enabled through event streams. The secure transformation of this integration landscape is an essential part of an enterprise’s digital journey. This will involve securing the different integration patterns leveraged for the purpose – such as API enablement of legacy systems and event-driven architecture, as well as the coexistence and interoperability components.
Shift left security – from DevOps to DevSecOps
With a move from just a few releases a year to weekly feature releases, security can no longer be ensured manually. Security needs to be part of the DevOps pipeline and be automated. There are plenty of security tools out there from various vendors that can integrate with the pipeline. The key things to be addressed in a DevSecOps pipeline include security tools that address the following.
Securing cloud-native development and operations
Securing the DevOps pipeline involves catching security errors early in the cycle and addressing the vulnerabilities of deployable artifacts, as well as performing configuration checks. These aspects are discussed in the following sections.
Helping developers address issues in the code early
A proper Integrated Development Environment (IDE) should come with source code analysis and code coverage tools that analyze the source code to find security flaws. The usage of security testing tools for identifying potential vulnerabilities (such as OWASP) is a critical element of DevSecOps. There are several open source and vendor tools that integrate with your pipeline and can secure your application before you deploy to production and ensure it is vulnerability free.
Information
The Open Web Application Security Project® (OWASP) is a non-profit foundation that works to improve the security of software. The OWASP Top 10 is a book or referential document outlining the 10 most critical security concerns for web application security.
Securing deployable artifacts
Artifacts such as containers and third-party libraries need to be scanned for vulnerabilities. The cloud service providers and repository engines typically provide built-in security scanning for these artifacts. In the container space, you will see a lot of open source tools (among others) available that provide security for your end-to-end CI/CD pipeline. These tools can also benchmark your security against standards and best practices such as CIS security standards.
Configuration management
Cloud configuration checks are really important when you are continuously deploying to a hybrid multi-cloud environment. Businesses don’t want to leave this to a developer’s wisdom or to chance; they want to ensure the environment is set up correctly. This includes checking that all the infrastructure, services, IAM (roles and access), and other service configurations are set correctly for the application. All clouds provide tools or scripts that you can leverage in your automation to perform these configuration checks. This confirms that you have secured your storage, compute, and network as well as your service on the cloud correctly. Another opportunity to shift security left is to check for certificate expiry before discovering it through an application outage. Data vulnerability and cloud configuration checks may also be automated as part of every release.
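The following release gate is an added example, not code from the original text or from any cloud provider's tooling. It shows a pipeline step that fails a release when a certificate is close to expiry or a storage setting is unsafe. The inventory layout, host names, bucket names, and the 30-day threshold are assumptions; the certificate entries use the dict shape returned by Python's ssl.SSLSocket.getpeercert().

```python
import ssl
from datetime import datetime, timezone

# Constructed sample inventory. Certificate entries mimic getpeercert() output;
# all host and bucket names are hypothetical.
INVENTORY = {
    "certificates": {
        "api.example.internal": {"notAfter": "Mar 10 12:00:00 2030 GMT"},
        "events.example.internal": {"notAfter": "Jan 20 12:00:00 2025 GMT"},
        "legacy.example.internal": {"notAfter": "Dec 01 12:00:00 2024 GMT"},
    },
    "storage": {
        "release-artifacts": {"public_access": False, "encrypted_at_rest": True},
        "customer-exports": {"public_access": True, "encrypted_at_rest": False},
    },
}

def days_until_expiry(cert, now):
    """Days from `now` until notAfter (negative once the certificate has expired)."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(seconds, timezone.utc) - now).days

def release_gate(inventory, now, min_days=30):
    """Return sorted findings; an empty list means the release may proceed."""
    findings = []
    for name, cert in inventory["certificates"].items():
        days = days_until_expiry(cert, now)
        if days < 0:
            findings.append(f"cert {name}: expired {-days} days ago")
        elif days < min_days:
            findings.append(f"cert {name}: expires in {days} days (minimum {min_days})")
    for name, cfg in inventory["storage"].items():
        if cfg["public_access"]:
            findings.append(f"storage {name}: public access enabled")
        if not cfg["encrypted_at_rest"]:
            findings.append(f"storage {name}: encryption at rest disabled")
    return sorted(findings)

if __name__ == "__main__":
    # A fixed "now" keeps the constructed example deterministic.
    now = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    findings = release_gate(INVENTORY, now)
    for finding in findings:
        print("FAIL", finding)
    raise SystemExit(1 if findings else 0)  # non-zero exit blocks the pipeline stage
```

In a real pipeline the inventory would be produced by the cloud provider's own export or scanning tools rather than written by hand.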
Security Orchestration, Automation, and Response
Security Orchestration, Automation, and Response (SOAR) is a core part of automation – identifying the risks, integrating the data that needs to be monitored, detecting the key event of interest, and being able to respond to it. Enterprises have many security tools in their landscape. Threat information from these various sources needs to be in one place for analysis. This calls for leveraging open standards such as the Open Cybersecurity Alliance (https://opencybersecurityalliance.org/) and building a standards-based open ecosystem where cybersecurity products can share threat information without the need for customized integrations.
Integrated security and continuous compliance
Enterprises that have to meet industry and government regulations are taking a compliance-led approach to moving their workloads to the cloud. Clients have to deal with multiple certifications and compliance as separate efforts. When you have several controls to put in place and verify, it makes sense to automate the whole process. For the same reasons, the cloud providers offer a centralized facility such as the security and compliance center where clients can centrally manage compliance with organization and regulatory guidelines. In the cloud, it is possible to predefine groups of controls as profiles and use the results as a report for audit evidence and continuous compliance. To gain trust, the cloud should provide all the evidence and controls to meet industry-specific compliance and security requirements, specifically in industries such as banking, healthcare, and government.
Zero-trust architecture and security models
This is one of the most significant trends related to cloud security. This model takes a different approach to addressing security compared to the traditional approach. More driven by multi-cloud scenarios, this is a new approach where the traditional perimeter-based protection with firewalls is changed to context-based access. This also supports one of the other macro trends that companies are trying to address – secure and remote access for the employees to enterprise resources.
The important aspect of this is that you don’t trust anything – people, processes, technology, networks, computes, or storage – until it proves that it is trustable. Some of the capabilities you need to build a security system based on zero trust are adaptive identity, context-specific and policy-enforced data security, policy-driven access control, and secured zones.
Several companies have built systems and platforms on top of the zero trust principle to establish integrity and trust levels explicitly. This is based on an organization’s risk threshold and tolerance to provide access to assets and data systems. This requirement has been amplified during COVID times when most employees are accessing corporate resources from different places. Thin virtualized apps and workspaces are likely to be back in demand to meet the security needs of employees logging in through the internet to access enterprise applications.
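The contrast between perimeter-based and context-based access described above, as an added example that is not part of the original text or of any vendor's product. The corporate address range, the risk thresholds per sensitivity level, the risk score, and the request fields are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
# Assumed organizational risk tolerance: maximum risk score per sensitivity level.
RISK_THRESHOLD = {"public": 80, "internal": 50, "restricted": 20}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    mfa_verified: bool
    device_compliant: bool
    risk_score: int    # 0 (low) to 100 (high), from a hypothetical risk engine
    sensitivity: str   # key of RISK_THRESHOLD

def perimeter_decision(req):
    """Traditional model: anything inside the network perimeter is trusted."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NET

def zero_trust_decision(req):
    """Context-based model: network location earns no trust; every check must pass."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not verified with MFA")
    if not req.device_compliant:
        reasons.append("device posture not compliant")
    limit = RISK_THRESHOLD.get(req.sensitivity)
    if limit is None:
        reasons.append("unknown resource sensitivity")  # unknown means deny
    elif req.risk_score > limit:
        reasons.append(f"risk {req.risk_score} exceeds {limit} for {req.sensitivity} data")
    return (not reasons, reasons)

# Constructed requests: a remote employee on a managed device, and an
# unverified session on an unmanaged device inside the corporate network.
REMOTE_EMPLOYEE = AccessRequest("alice", "203.0.113.7", True, True, 15, "restricted")
INSIDE_UNMANAGED = AccessRequest("bob", "10.4.2.9", False, False, 40, "internal")

if __name__ == "__main__":
    for req in (REMOTE_EMPLOYEE, INSIDE_UNMANAGED):
        allowed, reasons = zero_trust_decision(req)
        print(req.user, "perimeter:", perimeter_decision(req),
              "zero trust:", allowed, reasons)
```

The two models disagree on both requests: the perimeter check admits the unmanaged device because of where it sits, while the context-based check admits the remote employee because of what the request proves.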
NIST has identified that this requirement – to access cloud resources from anywhere, on any device, and to expect a reliable and secure experience – can be achieved through a zero-trust security model. The NIST publication discusses the various aspects of this model focused on protecting resources (assets, services, workflows, network accounts, and so on) and discusses general deployment models and use cases. Industries such as government and defense drive confidential computing and multi-level security requirements, which intersect with the overall zero-trust approach.