E-Handbook: How to secure a multi-cloud architecture Article 2 of 2

This article is part of our Essential Guide: An IT pro's survival guide for multi-cloud computing

With more providers, security issues in cloud computing rise

We hear a lot about the pros and cons of a multi-cloud strategy, but a surprising number of organizations don't think they need to worry about it. They do.

The security issues in cloud computing are abundant, and they become more so when you engage with more than one provider. Multi-cloud usage is almost a certainty for most organizations, because one cloud provider will offer specific features and pricing that another won't.

A multi-cloud strategy is challenging because of the specific problems of securing it. With the wrong approach to security, things only get worse over time: application commitments to the cloud grow, and so does the number of public cloud providers in use.

There is one best approach to application deployment and security: make all hosting resources look and behave the same. Any variation in how you operationalize the deployment and maintenance of applications complicates the security procedures you adopt, because the implementation -- and even the capabilities -- will differ across your hosting options. That's true for the hybrid cloud, and it's especially true of a multi-cloud environment. Each cloud provider, and your own data center, has an independent hosting framework that you'll need to secure. Plus, the workflows that pass among the providers and into your virtual private network (VPN) are part of that security challenge.

Facing the security issues in cloud computing

Multi-cloud security technologies must address four kinds of security.

First, they have to provide access security for the applications and components hosted in any public cloud, no matter which cloud is used and no matter how many applications are moved or spread among public cloud providers.

Second, security tools need to provide information security for company data hosted in or connected with each multi-cloud provider.

Third, they must maintain both types of security during redeployment of components when a failure occurs or when components are scaling under load.

And finally, security technologies need to accommodate new service providers or features as they are added.

The tool classes

A multi-cloud user has three classes of tools available to address security issues in cloud computing:

  • public cloud security services and features, which vary by provider;
  • network security and access and forwarding control features; and
  • application security tools built into, or added onto, the applications themselves.

Expect to use all of these in a multi-cloud security plan.

Application security tools are nice for multi-cloud users because they move with the applications. They go to as many different public cloud providers as you use. These tools, however, are often designed to protect only the points where users access the applications. They do not safeguard the places where application components connect with each other. Check your application specifications to see whether there are component-protection features. If not, it’s possible to use an API broker to secure those component interfaces.

Next, to overcome the security issues in cloud computing, look at tools from the service providers. The major public cloud providers offer entire sets of web services designed for security and access control, including identity management and security auditing. These tools work best when the public cloud is used as a front end to traditional applications, in conjunction with each cloud provider's features for remote and mobile workers.

If your multi-cloud has only a single front-end application provider, or if your front-end providers are grouped by the geographic area they serve, these technologies can be your first line of defense for user-access security.

Cloud-provider tools are great for user-access control. To secure applications, though, particularly microservices that scale across cloud provider boundaries or are used by multiple applications, you may need to look at API security tools. Microservices typically employ API brokers to control access; these also offer load balancing. Be aware that such tools add overhead to workflows among components. This can be a major issue where there are many application components or microservices, and thus many APIs.

Securing the components

Component security is a good place to explore the available network-security and access-control features.

Application scaling and failover across multi-cloud boundaries is a major security headache. Each time you move or add something, you have to remember to connect it in a secure way.

A corporate network is a fabric that connects users with applications and supports application and component interconnection across all the hosting options and cloud providers used. Your own fabric is constructed with a VPN, and each of the multi-cloud providers will have its own private address space for the applications you host there. The onramps or external APIs for these applications are translated -- network address translation, Amazon's Elastic IP addresses and so on -- to an address on your VPN.

Every application has two sets of workflows: the work within the application boundaries and the work that connects outside. The latter are the onramps that you'll see on your VPN, and these should be collected into a series of application subnetworks with blocks of IP addresses. That makes it easier for you to establish forwarding rules or firewall rules to restrict traffic by IP address; one entry will suffice for a whole block of applications.
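The following is an added example, not code from the original article, showing the subnetwork idea in practice: each application's onramps are allocated from one block on the VPN, the firewall needs one allow entry per block instead of one per host, and a check flags any onramp that was redeployed outside its block and is therefore not covered by the rule. All addresses and the application names are constructed sample values; the trusted source range is a hypothetical corporate VPN.

```python
import ipaddress

# Constructed sample allocation: each application's onramps (the addresses its
# external APIs receive on the VPN after NAT or elastic-IP translation) are
# assigned from one block per application. Sample values, not a real network.
APP_BLOCKS = {
    "billing": "10.20.1.0/28",
    "orders": "10.20.2.0/28",
    "reports": "10.20.3.0/28",
}

# Onramp addresses actually observed on the VPN. 10.20.3.200 is a constructed
# stray: a reports component redeployed and given an address outside its block.
OBSERVED_ONRAMPS = {
    "billing": ["10.20.1.4", "10.20.1.5", "10.20.1.9"],
    "orders": ["10.20.2.10", "10.20.2.11"],
    "reports": ["10.20.3.7", "10.20.3.200"],
}

# Hypothetical trusted source range for the corporate VPN.
TRUSTED_SRC = "10.0.0.0/8"


def build_rules(app_blocks, trusted_src=TRUSTED_SRC):
    """One allow rule per application block rather than one per host.
    Each rule is (app, source network, destination block)."""
    src = ipaddress.ip_network(trusted_src)
    return [(app, src, ipaddress.ip_network(block)) for app, block in app_blocks.items()]


def is_allowed(rules, src_ip, dst_ip):
    """Default-deny check: a flow passes only if some rule covers both ends."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for _, src, dst in rules)


def find_strays(app_blocks, observed):
    """Onramps that sit outside their application's block. The block rule
    does not cover them, so they are either unreachable or reachable only
    through some broader rule that nobody wrote for them."""
    strays = []
    for app, addrs in observed.items():
        block = ipaddress.ip_network(app_blocks[app])
        strays.extend((app, a) for a in addrs if ipaddress.ip_address(a) not in block)
    return strays


def per_host_rule_count(observed):
    """How many rules the same policy would need without blocks."""
    return sum(len(addrs) for addrs in observed.values())


if __name__ == "__main__":
    rules = build_rules(APP_BLOCKS)
    print(f"{len(rules)} block rules replace {per_host_rule_count(OBSERVED_ONRAMPS)} host rules")
    for app, src, dst in rules:
        print(f"allow {src} -> {dst}  # {app}")
    for app, addr in find_strays(APP_BLOCKS, OBSERVED_ONRAMPS):
        print(f"WARNING: {app} onramp {addr} is outside its block")
```

Run the stray check whenever a component is redeployed or scaled: an onramp outside its block is exactly the case where a move was made without the secure connection being re-established.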

One general solution to both moving and scaling is a load balancer. It advertises a single address onto your company VPN but can be connected to any number of instances of an application or component, and if you move a component, the load balancer's address doesn't change. Tools like this are available for private cloud, Docker and other application deployment frameworks. Even if you don't scale applications under load, they help when you move components in a multi-cloud scenario.
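As an added example (not code from the article or from any real load balancer), the model below shows why the load balancer keeps the VPN-facing side stable: the advertised address never changes while instances are added, fail, or are moved to another provider, and only instances inside an approved address block can be registered, so a component re-created in the wrong network cannot be wired in by mistake. The class name, method names and all addresses are hypothetical.

```python
import ipaddress


class VpnLoadBalancer:
    """A stable address advertised on the VPN in front of a changing set of
    component instances. Illustrative model only; names are hypothetical."""

    def __init__(self, vip, approved_backend_block):
        self.vip = ipaddress.ip_address(vip)
        # Only instances inside the approved block may be registered.
        self.approved = ipaddress.ip_network(approved_backend_block)
        self._backends = {}   # address -> healthy?
        self._order = []      # registration order, used for round robin
        self._next = 0

    def register(self, addr):
        ip = ipaddress.ip_address(addr)
        if ip not in self.approved:
            raise ValueError(f"{ip} is outside approved block {self.approved}")
        key = str(ip)
        if key not in self._backends:
            self._order.append(key)
        self._backends[key] = True
        return key

    def deregister(self, addr):
        key = str(ipaddress.ip_address(addr))
        self._backends.pop(key, None)
        self._order = [b for b in self._order if b != key]

    def set_health(self, addr, healthy):
        self._backends[str(ipaddress.ip_address(addr))] = healthy

    def healthy_backends(self):
        return [b for b in self._order if self._backends[b]]

    def pick(self):
        """Round-robin over healthy instances; failed ones are skipped."""
        healthy = self.healthy_backends()
        if not healthy:
            raise RuntimeError(f"no healthy backend behind {self.vip}")
        choice = healthy[self._next % len(healthy)]
        self._next += 1
        return choice


def scale_and_move_scenario():
    """Constructed walkthrough: scale out, lose an instance, move a component
    to a different provider. Clients keep using the same VIP throughout."""
    lb = VpnLoadBalancer("10.30.0.10", "10.30.0.0/16")  # hypothetical addresses
    lb.register("10.30.1.5")                             # instance at provider A
    before = str(lb.vip)
    lb.register("10.30.1.6")                             # scale out at provider A
    lb.set_health("10.30.1.5", False)                    # that instance failed
    lb.register("10.30.2.5")                             # component moved to provider B
    lb.deregister("10.30.1.5")
    after = str(lb.vip)
    return before, after, lb.healthy_backends()


if __name__ == "__main__":
    print(scale_and_move_scenario())
```

The firewall and forwarding rules on the VPN reference only the VIP, so the security configuration written once for the address survives every redeployment; the approved block check is the point at which a misplaced instance is caught.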

Application security principles are the same, no matter where you host the application. Public cloud computing and multi-cloud use add some dimensions to application security, and those can interfere with traditional techniques for handling security issues in cloud computing, including securing both information and access. The steps you need to take in order to make multi-cloud security work are as well-known as the problems, but the need to apply them and the means of application continue to change as the number of providers expands. The good news is that we know what to do in multi-cloud security. The bad news is that we need to do more of it, and we need to do it better.
