2021-11-16 15:31:12

3 Strategies for Securing Multicloud Networks

The migration to multicloud environments forces security and risk management leaders to rethink their network security architecture. They must understand what mix of cloud-native controls, virtual network firewalls and physical firewalls at colocation hubs is optimal to secure this new architecture.


Overview

Key Findings

- While network security principles remain largely the same, the underlying architecture and operations of hybrid environments are often vastly different (for example, the concept of Layer 2 switching does not apply to public cloud networking). Security teams sometimes struggle to apply those principles uniformly across the many options available in their multicloud computing environments.

- Organizations adopting a public cloud expect to benefit from increased agility, platform modernization and greater operational efficiency, but securing a public cloud with a poorly designed security architecture negates these benefits. Adding third-party controls can introduce operational friction and negate some of the benefits inherent to public cloud adoption.

- Cloud-native security controls are increasing their efficacy over time, but they have not yet reached parity with traditional appliance-based security controls.

- In a multicloud scenario, organizations often choose third-party security controls to unify security policy and management across on-premises and cloud instances. This unified approach decreases management complexity at the cost of increased operational complexity.


Introduction

Most organizations have already embraced public cloud computing. Others are in the process of migrating to public cloud services. Infrastructure as a service (IaaS) is currently a $79 billion market and is estimated to be the fastest-growing public cloud market, with a forecast compound annual growth rate of 29% for the period 2020 through 2025.

Many organizations initially try to “forklift” their on-premises controls to the cloud, without much success. Conversely, cloud operations teams often enable cloud-native security controls without the oversight of the security team, which leads to poor orchestration and inconsistent security. Further complicating these problems is the fact that many organizations repeat their mistakes with multiple cloud providers, due to the trend for multicloud adoption. Gartner’s 2020 Cloud End-User Buying Behavior Survey found that adoption of multicloud infrastructure is prevalent among 76% of respondents. As a result, security and risk management leaders need to establish or reset their network security strategy. This research highlights three design models for network security for the growing multicloud world.

Security and risk management leaders must adapt to how fast their organizations choose to embrace cloud computing. They may be forced to compromise with development teams to ensure operational efficiency. Most organizations start with cloud-native security controls as development teams and line-of-business IT organizations typically adopt cloud computing with minimal involvement of the security team. But as organizations mature their public cloud use, they realize that cloud-native security may not meet all the requirements of a security architecture. This leads many security teams to look at third-party security controls or, in some cases, deploy physical security controls at a colocation hub for the most direct control over the network security stack. Security and risk management leaders need to integrate standardized security architectures into the software development life cycle, so that security controls can be deployed at the scale and speed required by development teams. They also need to ensure that operational friction is minimized, so that security compliance is not viewed as an impediment to development progress.

The three multicloud security designs that Gartner recommends choosing from are (see also Figure 1):

1. Cloud-native controls with no third-party security solution: Cloud-native controls with a common automation plane for CI/CD pipelines. Cloud-native controls are used to secure both east/west and north/south traffic. This architecture is the most “cloud-native” as it uses native security controls with a common automation tool like Terraform or Jenkins.

2. Third-party virtual appliance: A virtual appliance is used to secure north/south traffic flows, while cloud-native controls secure east/west traffic. This architecture integrates a third-party perimeter gateway at the edge (firewall, web application firewall [WAF] or VPN) of each public cloud. It provides a common management framework for cloud edge security and greater security efficacy and granularity over cloud-native controls. For increased security, an identity-based microsegmentation platform can be deployed for east/west traffic (typically, an agent-based approach that performs segmentation based on server tags is used for public cloud IaaS deployments).

3. Physical security stack at a colocation hub: A physical security stack at a cloud-adjacent colocation hub is used to secure north/south traffic, while cloud-native controls secure east/west traffic. This architecture serves as a bridge between legacy deployments and newer cloud-centric deployments. Teams from more traditional industries may prefer the idea of having a physical appliance stack or a network function virtualization (NFV) stack to act as a “digital edge” for public cloud access. This physical security appliance can support a multicloud deployment as most colocation hubs are geographically adjacent to the three main public cloud service providers.
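The first key finding and design 1 both turn on applying one security principle uniformly across providers whose native controls have different shapes. As an added illustration (not part of the research note), the Python below normalizes constructed AWS security-group and Azure NSG ingress rules into one provider-neutral model and checks them against an assumed minimum policy: internet-facing ingress only on port 443, and east/west sources no wider than a /24.

```python
import ipaddress
from collections import namedtuple
# Constructed sample inputs (no real tenant), trimmed to the fields used here but in the
# shapes the two providers' APIs return. Both lists express the same three intents.
AWS_INGRESS = [  # AWS security-group IpPermissions (ingress)
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
]
AZURE_NSG = [  # Azure NSG securityRules
    {"name": "allow-https", "properties": {"direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}},
    {"name": "allow-rdp", "properties": {"direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
    {"name": "allow-db", "properties": {"direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "10.30.0.0/16", "destinationPortRange": "1433-1434"}},
]
ANY = ipaddress.ip_network("0.0.0.0/0")
Rule = namedtuple("Rule", "provider name source ports")  # source None = provider service tag (scoped, not public)

def from_aws(perms):
    """Normalize AWS ingress permissions; IpProtocol -1 means every port, one Rule per CIDR."""
    out = []
    for p in perms:
        lo, hi = (0, 65535) if p["IpProtocol"] == "-1" else (p["FromPort"], p["ToPort"])
        for r in p.get("IpRanges", []):
            out.append(Rule("aws", f"{p['IpProtocol']}/{lo}-{hi}", ipaddress.ip_network(r["CidrIp"]), range(lo, hi + 1)))
    return out
def from_azure(rules):
    """Normalize inbound Allow NSG rules; '*' and 'Internet' are public, other service tags stay scoped."""
    out = []
    for r in rules:
        p = r["properties"]
        if p["direction"] == "Inbound" and p["access"] == "Allow":
            src = p["sourceAddressPrefix"]
            try:
                net = ANY if src in ("*", "Internet") else ipaddress.ip_network(src)
            except ValueError:
                net = None  # service tag such as VirtualNetwork
            pr = p["destinationPortRange"]
            lo, hi = (0, 65535) if pr == "*" else map(int, pr.split("-")) if "-" in pr else (int(pr), int(pr))
            out.append(Rule("azure", r["name"], net, range(lo, hi + 1)))
    return out
def evaluate(rules, public_ports=(443,), max_private_prefix=24):
    """Assumed minimum policy: internet ingress only on public_ports; east/west sources no wider than /max_private_prefix."""
    findings = []
    for r in rules:
        if r.source == ANY:
            if any(port not in public_ports for port in r.ports):
                findings.append((r.provider, r.name, "internet ingress outside allowed ports"))
        elif r.source is not None and r.source.prefixlen < max_private_prefix:
            findings.append((r.provider, r.name, f"east/west source wider than /{max_private_prefix}"))
    return findings
```

Running `evaluate(from_aws(AWS_INGRESS) + from_azure(AZURE_NSG))` flags the SSH and RDP rules as internet ingress outside the allowed ports and both database rules for their /16 sources, while the two HTTPS rules pass; the same policy function is applied regardless of provider.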


Recommendations

Security and risk management leaders responsible for infrastructure security should choose from the following three network security architecture approaches to public cloud design:

- Adopt the cloud-native security control design as your starting point when cloud-native security controls satisfy your organization’s minimum security policy and the increased granularity offered by third-party virtual appliances is not required. Also adopt this design if minimizing operational friction for continuous integration/continuous deployment (CI/CD) pipelines is a major requirement.

- Adopt the third-party virtual appliance design if your organization’s minimum security policy for north/south traffic cannot be met with cloud-native controls and your organization is geographically dispersed with moderate bandwidth and high-availability requirements.

- Adopt the colocation hub design if your organization’s minimum security policy for north/south traffic cannot be met with cloud-native controls and you require very high bandwidth and subsecond high availability. We recommend adopting this design selectively for regions where your user density is very high.
