Multicloud and security considerations


The move to cloud and multicloud has unlocked some transformative operational practices for enterprises of all shapes and sizes as workloads migrate from centralised data centres to any number of incarnations of cloud. But as the application environments shift—from on-premises to public cloud, from bare metal to containers—so too does the security landscape. Enterprises looking to take advantage of this technology transition will need to ensure that security is a top-tier consideration, evolving their security practices alongside the broader industry move.

The perimeter still exists

While it is true that security has moved beyond the perimeter, it’s not the case that perimeter security doesn’t matter anymore. It’s necessary but not sufficient.

In a multicloud environment, the notion of the perimeter changes. When workloads are distributed across physical data centres and one or more public cloud instances, the perimeter must expand from on-premises to in-the-cloud. This typically means deploying secure routing at the cloud gateway (usually as part of the VPC gateway).

The key to managing this transition well goes beyond merely deploying firewall capabilities in the cloud. If resources are to be fungible, security policy needs to be uniformly applied regardless of where the workload resides. Whether an application is in AWS or Azure or even on premises ought not matter. While the syntax might change, the intent does not. And that means enterprises will want to adopt multicloud orchestration platforms capable of setting security policy across the diversity of infrastructure that exists across the multicloud architecture.

Of course, that architecture exists both today and tomorrow. As multicloud evolves, it seems obvious that the options will only increase. Planning from the outset for diverse, multivendor environments seems a prudent safeguard against whatever the future of multicloud might hold.

Connecting the islands

The multi in multicloud suggests there will be different islands of resources that ultimately need to be brought together. The connections between these pools of infrastructure will need to be secure, and that means scalable encryption over the wide area that serves as the backbone connecting the multicloud.

Of course, different sites will have different needs. A large data centre will operate at a different scale than a remote branch, which is again different from an application instance running in the cloud. As with the perimeter, the key here is managing the WAN such that operations are uniform despite underlying diversity.

Ideally, enterprises will leverage multicloud orchestration platforms capable of managing both the perimeter firewalls and the secure routers that make up these gateways. This implies a convergence of multicloud and SD-WAN over time. Again, failing to plan for the likely future adds risk to the longevity of enterprise infrastructure investments.

While perimeter security and encrypted transport are important, the centrepiece of multicloud security is segmentation and micro-segmentation. The ability to isolate applications, tenants, devices, and beyond is key to any mitigation strategy.

There are three challenges with micro-segmentation in the context of multicloud. First, granularity matters. It is important to be able to take the right action at the right place. The right action is reasonably straightforward: block, redirect, log, and so on. But taking it only where it is actually needed is what matters. That means segmentation needs to be enforceable on a link, or on a port, or in a VM, or in a container, or in a cloud instance. Too broad and the cure is worse than the disease. Too narrow and the threat remains.

The second challenge is operational. If policy has to be managed across a sprawling set of infrastructure spanning cloud to data centre and beyond, then operations need to be efficient. Again, the key is in a common orchestration platform that has hooks into diverse underlying infrastructure, granting visibility and control across the entire end-to-end environment.

The third issue that has to be accounted for is that this entire security approach needs to be implemented across a heterogeneous environment. It’s not just that there are workloads on bare metal servers and in containers across private and public clouds. It’s also the fact that these diverse environments are likely served by multivendor solutions, which means that whatever security approach is used needs to treat multivendor support as a necessary condition.
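The "syntax might change, the intent does not" point above, and the multivendor requirement in this section, come down to one practice: keep a single vendor-neutral policy as the source of truth, render it into each provider's native rule format, and then verify that every rendering still gives the same verdict on the same flows. The following is an added example written for this page, not code from Juniper or from any orchestration product. It uses a small constructed intent list (a web tier allowed to reach an app tier on TCP 8443, everything else to the app tier denied) and renders it to a dict shaped like an AWS security-group IpPermission and to a dict shaped like an Azure NSG securityRule; the field names follow the publicly documented schemas, while the tier addresses, rule names and test flows are constructed. The checker at the end is the piece a practitioner wants in a multicloud pipeline: it catches the case where one provider's syntax silently fails to express the intent, for example AWS security groups having no explicit deny.

```python
"""Vendor-neutral segmentation intent rendered to two cloud syntaxes, then
cross-checked. Added example for this page; not Juniper's or any vendor's code.
Provider dict shapes mirror the documented AWS EC2 IpPermission and Azure NSG
securityRule fields; all addresses, names and flows below are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Intent:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR (the segment being protected)
    proto: str    # "tcp", "udp" or "any"
    port: int     # 0 means any port
    action: str   # "allow" or "deny"


# Constructed intent list, evaluated first-match; the trailing deny makes the
# app-tier segment default-closed regardless of which cloud hosts it.
INTENTS = [
    Intent("web-to-app-https", "10.0.1.0/24", "10.0.2.0/24", "tcp", 8443, "allow"),
    Intent("app-default-deny", "0.0.0.0/0", "10.0.2.0/24", "any", 0, "deny"),
]


def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate_intent(intents, src_ip, dst_ip, proto, port):
    """Reference semantics: first matching intent wins, otherwise deny."""
    for i in intents:
        if (_in(src_ip, i.src) and _in(dst_ip, i.dst)
                and i.proto in ("any", proto) and i.port in (0, port)):
            return i.action
    return "deny"


def render_aws(intents):
    """One security group per protected segment, keyed by its CIDR. AWS security
    groups are allow-only, so deny intents are expressed only by omission."""
    groups = {}
    for i in intents:
        perms = groups.setdefault(i.dst, [])
        if i.action != "allow":
            continue
        perm = {"IpProtocol": "-1" if i.proto == "any" else i.proto,
                "IpRanges": [{"CidrIp": i.src, "Description": i.name}]}
        if i.proto != "any":
            perm["FromPort"] = perm["ToPort"] = i.port
        perms.append(perm)
    return groups


def render_azure(intents):
    """Azure NSG rules carry explicit Allow/Deny and are ordered by priority."""
    rules = []
    for n, i in enumerate(intents):
        rules.append({"name": i.name, "properties": {
            "priority": 100 + 10 * n, "direction": "Inbound",
            "access": "Allow" if i.action == "allow" else "Deny",
            "protocol": {"tcp": "Tcp", "udp": "Udp"}.get(i.proto, "*"),
            "sourceAddressPrefix": i.src, "destinationAddressPrefix": i.dst,
            "sourcePortRange": "*",
            "destinationPortRange": str(i.port) if i.port else "*"}})
    return rules


def evaluate_aws(groups, src_ip, dst_ip, proto, port):
    for cidr, perms in groups.items():
        if not _in(dst_ip, cidr):
            continue
        for p in perms:
            proto_ok = p["IpProtocol"] == "-1" or p["IpProtocol"] == proto
            port_ok = "FromPort" not in p or p["FromPort"] <= port <= p["ToPort"]
            if proto_ok and port_ok and any(_in(src_ip, r["CidrIp"]) for r in p["IpRanges"]):
                return "allow"
    return "deny"  # no matching allow: implicit deny


def evaluate_azure(rules, src_ip, dst_ip, proto, port):
    for r in sorted(rules, key=lambda r: r["properties"]["priority"]):
        p = r["properties"]
        if (p["protocol"] in ("*", proto.capitalize())
                and _in(src_ip, p["sourceAddressPrefix"])
                and _in(dst_ip, p["destinationAddressPrefix"])
                and p["destinationPortRange"] in ("*", str(port))):
            return p["access"].lower()
    return "deny"  # Azure's built-in DenyAllInbound default


def check_renderings(intents, flows):
    """Return every (cloud, flow, expected, got) where a rendering disagrees
    with the intent; an empty list means both clouds enforce the same policy."""
    aws, azure = render_aws(intents), render_azure(intents)
    mismatches = []
    for f in flows:
        expected = evaluate_intent(intents, *f)
        for cloud, got in (("aws", evaluate_aws(aws, *f)), ("azure", evaluate_azure(azure, *f))):
            if got != expected:
                mismatches.append((cloud, f, expected, got))
    return mismatches


# Constructed flows: legitimate web->app, a lateral attempt from another subnet,
# and SSH from the web tier (same source, wrong port).
FLOWS = [("10.0.1.5", "10.0.2.7", "tcp", 8443),
         ("10.0.3.9", "10.0.2.7", "tcp", 8443),
         ("10.0.1.5", "10.0.2.7", "tcp", 22)]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "->", evaluate_intent(INTENTS, *f))
    print("mismatches:", check_renderings(INTENTS, FLOWS))
```

Running the script prints one verdict per flow and an empty mismatch list. The design choice worth noting is that the check runs against flows, not against rule text: two providers will never have textually comparable rules, but they can be made to agree on what they let through, and that agreement is what an orchestration layer should assert before pushing policy to a new cloud or a new vendor's gateway.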

Security is never done

If the last few years have taught us anything, it’s that security is never a completed task. Even with all of the pieces in place, threats will still emerge. Being able to perform advanced threat detection effectively across this diverse environment is critical.

Again, diversity places requirements on the design. The currency of any multicloud security approach is open. Threat intelligence feeds need to source information from wherever it resides. Solutions need to be able to make quick sense of the information available and then take mitigating actions across whatever infrastructure is deployed.

If solutions work only over specific domains or even subdomains within the multicloud architecture, the defense is porous. Multicloud is necessarily multivendor, and that means enterprises need to plan differently.

Connectedness in a multicloud architecture

If the goal is providing defense in depth, it is clear that enterprises will need every bit of the infrastructure to work together in concert. It’s not about disparate devices, each playing their role. It’s about the coordination of resources in a connected security ecosystem.

Ultimately, the key to providing a connected security layer is going to be operations. Enterprises should pay careful attention to the operational implications of point decisions they make, ensuring that each decision moves them one step closer to a secure and automated multicloud.

Michael Bushong, vice president, enterprise marketing, Juniper Networks