A CISO GUIDE TO MULTI-CLOUD SECURITY Achieving Transparent Visibility and Control and Enhanced Risk Management

Post on 22-May-2020


CONTENTS

INTRODUCTION
SECTION 1: MULTI-CLOUD COVERAGE
SECTION 2: MULTI-CLOUD VISIBILITY
SECTION 3: MULTI-CLOUD CONTROL
SECTION 4: MULTI-CLOUD COST OF OWNERSHIP
CONCLUSION

INTRODUCTION

If your organization is one of the 95% of enterprises that operate in the cloud, you are already grappling with cloud security. And if your organization is one of the 85% of companies that use multiple Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) clouds, you have additional issues to consider.

Compared to the days when organizations managed everything on-premises or only had a handful of cloud deployments, this new multi-cloud world exacerbates the expansion of the attack surface and makes threat containment and accountability more difficult. Further, pressure on security teams to protect everything in the multi-cloud environment is leading to reactive and expensive threat management.

If you are a security leader tasked with meeting the challenges of a multi-cloud environment, eventually you’ll find that siloed cloud security strategies fall short of the mark. But don’t wait. Now is the time to consider a holistic security approach that reclaims control from disparate cloud security functions, and gives you the means to see your entire corporate security posture clearly so you can manage it more competently. You can achieve this through a security fabric approach, using a comprehensive suite of threat prevention, detection, and mitigation tools that integrate with all the major cloud services and can be managed within the enterprise from a single pane of glass.

SECTION 1: MULTI-CLOUD COVERAGE

The public cloud market is dominated by five Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) providers. Amazon Web Services (AWS), Google, and Microsoft Azure are the three hyperscale vendors in the market, followed by Oracle and IBM, which are also major players.

Most companies are running applications in more than one of these vendors’ clouds, believing that their corporate infrastructure is stronger if they choose the right cloud for the right application. The same argument applies to security: You need the right security capabilities for each cloud.

For IaaS/PaaS. Public cloud providers typically employ a shared responsibility model, where the provider secures the service (infrastructure or platform) but the customer is responsible for what runs on top. To deploy security for applications you run in the public cloud, you need to be able to interface with the specific architecture of each cloud. Because developing these interfaces can be time-consuming and expensive, it makes sense to look for security vendors that have already made that investment and offer cloud-specific versions of these key tools:

• Next-generation firewalls

• Secure web gateways

• Sandboxing technology

• Security management tools

Of course, all these cloud-specific functions must be able to communicate with one another and be managed from a single pane of glass. (More on this in the next section.)

For SaaS. The situation may seem simpler here, since each SaaS provider takes responsibility for the security of its cloud-based applications. Unfortunately, enterprises run, on average, 13 different SaaS applications.[1] If a cyber threat affects one application in one cloud, it can potentially affect your entire organization. Business continuity and compliance are in jeopardy if you don’t have security for all your information assets under your direct control.

Like IaaS and PaaS providers, SaaS providers vary in their technology implementations. For example, the most popular SaaS applications, Microsoft Office 365 and Google G Suite, are similar in function, but their security frameworks are very different.[2]

Complicating matters further, some SaaS applications, such as Salesforce, run in public clouds (AWS in this case), while others run in private data centers. Microsoft, for example, historically ran Office 365 from private data centers, but it is working to move that SaaS app to its Azure cloud.[3]

[1] Chris Burt, “Slack May Be Sexier, but Office 365 Most Used Cloud-Based Business App,” The WHIR, March 29, 2016.

[2] Steve Riley, “Office 365 and Google Apps for Work: Security Comparison,” Gartner, accessed December 14, 2017.

[3] Mary Jo Foley, “Microsoft is on a quest to move more of its cloud services to Azure,” ZDNet, April 21, 2016.

The solution here is to apply an overlay of security at the connection points to your SaaS applications, or, for even better performance, from within the cloud service itself. In the case of Office 365, an email gateway that you control from the Azure cloud provides antispam and antiphishing, identity-based encryption, and more on top of the Office 365 security provisions.

You can apply cloud-based security to other SaaS apps as well if your cloud provider offers cloud access security broker (CASB) subscription services for your security vendors’ products. These services typically provide visibility, compliance, data security, and threat protection for any CASB-compliant SaaS application you use. The question now becomes, Can you find such tools for every cloud and SaaS application? More important, can they all work together?

SECTION 2: MULTI-CLOUD VISIBILITY

Visibility is a major point of distinction between single- and multi-cloud security. It is challenging enough to coordinate threat management between the corporate network and a single private or public cloud. With applications running in, and accessed through, multiple clouds, the challenges multiply, so coordination and consistency become paramount to achieving a defensible security posture.

Consistency and coordination start with a centralized view. You undoubtedly already use one or more security device management consoles. To avoid asking security staffers to learn yet another management tool, an easy first option is to check whether your current next-generation firewall (NGFW) management tool enables staff to view and control other network devices, including those of other vendors. Some security vendors have several network operations center (NOC) or security operations center (SOC) management tools that can provide single-pane-of-glass management for multi-cloud environments. The key is to make sure that the management tool you select does not limit your view of the multi-cloud network or your ability to deploy security policies, perform content security updates and firmware revisions, and configure individual devices.

SECTION 3: MULTI-CLOUD CONTROL

Centralized management affords visibility, but on its own it doesn’t enable coordinated threat management. The security functions you manage—cloud-specific firewalls, web access firewalls, email gateways, sandboxes, and security information and event management (SIEM) tools—all need to be able to communicate with one another to accelerate threat detection and response. Security platforms play a coordinating role, but they work in a hub-and-spoke fashion, first collecting information from connected devices and then processing it, which takes time. With today’s rapidly disseminating threats, those precious minutes, and even seconds, can make all the difference in detecting an active threat. You can achieve that only if every device communicates with every other device in real time.

One way to minimize latency in threat detection and response coordination is to use virtual security tools that have been approved by your cloud provider and are made available in the cloud environment. For example, a cloud-integrated sandboxing tool that is a component of your security fabric can receive incident objects directly from your email gateways or web access firewalls, execute any suspicious code, and rapidly disseminate the results to your management console and to SIEM tools throughout the multi-cloud fabric.

The same coordination considerations apply to threat intelligence. To gain the upper hand on zero-day threats in an era of shrinking intrusion-to-breach windows, you must ensure that all your security tools draw on the same threat intelligence and can share information about threats that they detect. Furthermore, they should provide consistency in policy enforcement, and in their approaches to impact mitigation in the case of successful exploits.

SECTION 4: MULTI-CLOUD COST OF OWNERSHIP

According to RightScale, optimizing cloud costs is a primary concern for most cloud users.[4] As you adopt multiple clouds, a security fabric can help you minimize the security aspect of your cloud spend through more efficient administration and automation of threat detection and response.

When it comes to administration, the centralized management component of the security fabric helps security staff attend to multiple clouds more efficiently, which may allow you to delay hiring additional staff or outsourcing security services. Automation, however, probably deserves a greater portion of your attention, not only because AI-assisted tools are maturing but also because your human staff can’t hope to keep pace with AI-assisted cyber crime.

Automation covers a wide swath of capabilities, ranging from scaling capacity up or down on demand, to automating failover, to automatically classifying and segmenting workloads. Virtualized versions of enterprise and web application firewalls can be automated easily with Fabric-Ready tools, as well as unified threat management functions for smaller organizations.

For private clouds, opt for tools that offer integration and orchestration with SDN controllers, such as Cisco ACI and VMware NSX, while in public clouds, look for security solutions that use native orchestration and scripting—for example, AWS CloudFormation scripts.

For threat detection and response, look for sandboxes that automatically share real-time updates to disrupt threats at the origin, subsequently immunizing the entire organization and the global community. These and other tools are linked through the fabric to threat intelligence services.

[4] Kim Weins, “Cloud Computing Trends: 2017 State of the Cloud Survey,” RightScale, February 15, 2017.

CONCLUSION

Whether you’re already operating in multiple clouds or just considering doing so, now is the time to plan for broad, integrated, and automated multi-cloud threat protection. A security fabric can provide the basis for such protection, enabling you to move beyond prevention to more realistic detection and response strategies.

As you assess various multi-cloud security options, keep in mind that a continuous, concerted effort—involving you, your security technology vendors, and your cloud providers—is the best defense against unpredictably evolving cyber threats.

Copyright © 2018 Fortinet, Inc. All rights reserved. 01.26.18 www.fortinet.com 167340-0-A-EN