In our first part of “The 4 Stages of Cloud Security”, we’ve covered the following stages:
- Security best practice in the cloud
- Scale & automation security
Today we continue with organizations that run multi-region, multi-cloud deployments and organizations subject to compliance regulations. In addition, we will provide guidelines for choosing the right IaaS security solution.
Stage 3 – Multi-Region, Multi-Cloud Deployments
Stage three features companies that are fully immersed in the cloud. These organizations often deploy in multiple data centers (a.k.a. regions), sometimes on multiple clouds, or they may have adopted a hybrid scenario to maximize the cloud’s potential. While capitalizing on the benefits of the cloud, securing multi-location environments presents a new layer of complexity.
For starters, how can a company securely connect all cloud (compute) resources across multiple data centers? Resources not only need to be accessed; data often needs to travel through multiple data centers for effective deployments. Adding to the complexity is the likelihood that a certain level of redundancy has been established to abide by best practices (i.e. data is duplicated in multiple data centers in case of an outage). In short, data is flying around, all over the place, and it’s up to the company to ensure its path is secure. While automation is likely in place, the risk of error in such complex environments is rather high.
So with data flying left, right, and center, different infrastructures requiring different security configurations, and multiple locations to be considered – it’s imperative to implement a security layer that can define and enforce network-wide policies over different infrastructures (including firewall, access control, and encryption). This enables the company or organization to configure security policies network wide – across data centers and deployments – regardless of the number of data centers or physical locations.
Stage 4 – Compliance with Security Regulations (e.g., PCI, HIPAA)
The first 3 stages could potentially be different stages of the same company’s development. Stage 4, however, refers to companies that need to comply with external security regulations – for example, PCI compliance for businesses handling credit card information or HIPAA for organizations dealing with sensitive personal health records and information. Ensuring compliance with these regulations is a given, as failure to do so will trigger various civil penalties, including exorbitant fines and the possibility of imprisonment.
It is important to know that no public cloud vendor offers fully compliant infrastructure services. Thus, companies in Stage 4 must implement additional security tools to guarantee their business meets the government-mandated compliance. These include:
- Encryption of data-in-motion
- Complete access logs for servers holding sensitive data
- Identity-based access management and control
- File and configuration integrity checks
Yet this is only a partial sample of the laundry list that needs to be addressed for full PCI or HIPAA compliance.
Addressing the Security Challenges Head On
From the most basic cloud infrastructure users – companies looking for best practice security – to the most complex ones – multi-cloud or compliance-driven – the cloud presents security challenges that were not prevalent, or at least were easier to address, when everyone was investing in an in-house data center.
To guarantee a secure IaaS environment, however, companies in any of the four stages may need to add a security layer on top of the basic infrastructure offering, to bridge the gap between their network security needs and their in-house capabilities. What is the right cloud security solution for your organization?
A crucial facet of any security infrastructure is the ability to scale and keep pace as your business scales. The first 3 stages outlined in this post are not static roles to define an organization but rather can be looked at as a natural progression of growth and development. The right security solution needs to be able to take your organization through these 3 stages incrementally and without disruption.
The right IaaS security solution should allow for the following:
- Network-wide, policy-based configuration, as well as automated application of the configured security to the cloud infrastructure.
- Strong integration of identity-based management, which ensures stronger security as well as unified behavior across the organization’s on-premise and cloud deployments.
- Flexible and secure ways to connect to the cloud – for individual employees, for remote offices, and for private or enterprise clouds (such as a hybrid scenario).
Further, it’s important that the security solution enable the organization to extend beyond the boundaries of a single data center, allowing deployment across multiple clouds, multiple data centers, and multiple types of infrastructure.
Last but not least, the solution needs to have the right checklist of security features to match the organization’s level of data sensitivity or regulation.
While it is clear that the business market is on a steady path to cloud adoption, it’s also unmistakable that the road there will not be a smooth one. There have been far too many security breaches and DoS attacks, and these incidents are likely to continue. The good news is that there is a new wave of security vendors, such as 40Cloud, surfacing to introduce a pioneering approach that blends software-defined networking (SDN) and software-defined security (SDS) technologies. This new approach arms even non-security experts so they can easily configure granular security policies across an entire global network deployment. It’s a jungle out there, but this jungle can indeed be tamed.
* A light version of this blog post was initially posted on SC Magazine