Best-Practice Action Items for Multicloud Security
Multicloud security is a paramount enterprise concern these days as cybersecurity attacks such as ransomware continue to rise.
With cybersecurity affecting everyone, a multicloud environment might be of special concern because of all the moving parts, the associated systems and their connections, which can introduce new attack vectors or specialized attack strategies.
With all that in mind, Virtualization & Cloud Review has been sponsoring online summits with multiple presentations from cybersecurity experts to educate IT pros.
One such expert is Chris Spinks, Head of Operations for CTI company Cyjax. He also is CEO of his own cybersecurity consultancy, Cyber Force Services.
His latest presentation was a deep dive into multicloud security best practices, aptly titled "Multicloud Security Deep Dive: The Best Practices You Need To Implement Today," an event attended by hundreds of IT pros that is available for on-demand replay.
He set the stage in today's (Feb. 28) live event with an explanation of exactly what multicloud is.
Multicloud (source: Chris Spinks).
Before launching into his best practices, he stressed the importance of diversity and inclusion, though in a different context from the one in the news today: the area of neurodiverse skills.
He revealed more in a slide noting that he is an advocate of diversity and inclusion because cyber defenders must understand the attacker's mindset better. "Now, the reason that's important is because I do believe that the cyber defenders need to understand the mindset of the attacker, those that are really going after us. These are the people that well, we need to be good at security to mitigate them. And that is bringing in diversion and diversity into a workplace. And I'm not talking about a color thing, I'm not talking about a race thing. I'm talking about everything, and I'm specifically, in my mind as I am neurodivergent, talking about bringing in people with neurodiverse skills. Often those are the people that can see holes, can see things, can think naturally in ways that a number of others can't."
Moving on, he ranged over a wide spectrum of concerns and best practices, which we boiled down into a set of action items for multicloud security.
Implement a Unified Identity and Access Management Solution Across Cloud Providers
"Implementation of a unified identity and access management solution across all the cloud providers is really going to help centralizing authentication. If it has to be a strong password, then it's going to be password, but really driving towards SSO is going to be key."
In cybersecurity, SSO stands for Single Sign-On, an authentication process that allows users to access multiple applications or services with just one set of login credentials (username and password).
"And of course, all clouds should be integrated with an IDP identity provider," Spinks said. "If we're on Microsoft Entra, yeah, it's great, it works. SSO comes through it really nicely. It even works alongside OIDC. It's fantastic to use these SSO approaches."
Establish a Cloud Security Posture Management Program to Continuously Monitor and Assess Security Risks
"Cloud security posture management: absolutely vital. We really need to know what our security posture is in our environment, and that includes having a look at what our exposure looks like, because there could well be many high severity misconfigurations. You will have some level of misconfiguration. This is inevitable."
"The first thing to run right now is a software which can identify any misconfigs involved across your estate. It will give you an immediate idea of the volume of risk associated with each platform. What you do not know will hurt you. What you do know might hurt you. What you mitigate might not hurt you. I think that's a really important piece to come to, because we don't want to get hurt. Because hurt is money. Hurt is fines. Hurt is business going down. Hurt is losing our jobs. So prioritize across those vulnerabilities and misconfigurations. Really identify what work needs to be done, how quickly, and then use the cloud you're in and the support within that to put it right."
Later in his summarization, Spinks said his recommendations include, "Looking to establish that cloud security posture management program that continually monitors and assesses security risks across all the environment, and it can be automated. Security assessments that are automated are going to be reliable with compliance monitoring and real time alerting for security violations."
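As an added illustration of the automated assessment described above (not code from the presentation or from any CSPM product), the following sketch runs a few posture rules over a normalized multicloud inventory, counts findings per platform and orders them for triage. The inventory records, rule set, rotation threshold and evaluation date are all constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed inventory: one normalized record per resource, as a collector
# might emit after reading configuration from each provider.
INVENTORY = [
    {"cloud": "aws", "id": "bucket-logs", "type": "storage", "public": True, "encrypted": True},
    {"cloud": "aws", "id": "sg-admin", "type": "firewall", "ingress": [("0.0.0.0/0", 22)]},
    {"cloud": "azure", "id": "blob-hr", "type": "storage", "public": False, "encrypted": False},
    {"cloud": "azure", "id": "kv-key-1", "type": "key", "last_rotated": date(2023, 1, 10)},
    {"cloud": "gcp", "id": "fw-web", "type": "firewall", "ingress": [("0.0.0.0/0", 443)]},
    {"cloud": "gcp", "id": "kms-key-a", "type": "key", "last_rotated": date(2025, 1, 5)},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
ADMIN_PORTS = {22, 3389}
MAX_KEY_AGE_DAYS = 365  # assumed rotation policy, not a figure from the talk

def check(resource, today):
    """Yield (severity, message) for each rule the resource violates."""
    kind = resource["type"]
    if kind == "storage":
        if resource["public"]:
            yield "high", "storage is publicly readable"
        if not resource["encrypted"]:
            yield "high", "storage is not encrypted at rest"
    elif kind == "firewall":
        for cidr, port in resource["ingress"]:
            if cidr == "0.0.0.0/0" and port in ADMIN_PORTS:
                yield "high", f"admin port {port} open to the internet"
    elif kind == "key":
        age = (today - resource["last_rotated"]).days
        if age > MAX_KEY_AGE_DAYS:
            yield "medium", f"key not rotated for {age} days"

def assess(inventory, today):
    """Return (findings ordered for triage, count per (cloud, severity))."""
    findings = [
        {"cloud": r["cloud"], "id": r["id"], "severity": sev, "issue": msg}
        for r in inventory for sev, msg in check(r, today)
    ]
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["cloud"], f["id"]))
    per_cloud = Counter((f["cloud"], f["severity"]) for f in findings)
    return findings, per_cloud

if __name__ == "__main__":
    findings, per_cloud = assess(INVENTORY, date(2025, 2, 28))  # constructed date
    print(dict(per_cloud))
    for f in findings:
        print(f"[{f['severity']}] {f['cloud']}:{f['id']} - {f['issue']}")
```

Running the same rules on a schedule and alerting on new entries in `findings` gives the continuous view; the per-platform counter is the "volume of risk" figure for each cloud.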
Deploy Centralized Key Management Systems to Handle Encryption of Data at Rest and in Transit
"And I'm going to say this, although surely by now it shouldn't need to be said: encrypting sensitive data at rest and in transit is vital."
He explained more: "Encryption strategies need to be there, and key management across all cloud providers, it's always going to be there. We need to deploy centralized key management systems to handle encryption across all the cloud providers, and that ensures all data is encrypted, both at rest and in transit, and uses industry standard encryption protocols, which really are going to give us strict control over their maintenance and vitally, over the key access and rotation. This is the only way that you're ever going to meet compliance with the requirements under GDPR or HIPAA in a multicloud environment."
He touched on key management further in his summary: "We're going to deploy centralized key management systems to handle all the encryption. Really, this is going to ensure that the encryption at rest and in transit is an industry standard and that protocols and strict key controls on rotation are maintained."
Maintain Comprehensive Network Security Controls Including Cloud-Native Firewalls and Network Segmentation
"Maintaining comprehensive network security controls, including cloud native firewalls, absolutely vital. Network segmentation and micro segmentation, if we like to go there, is going to allow us to have those ACLs across the cloud environment and control traffic flow, and we need a regular test and development process to look at incident response plans and how the company will respond to those incidents when they come up."
Establish a Secure CICD Pipeline with Integrated Security Testing and a Standardized Configuration Management Process Using Infrastructure-As-Code
"And if one deploys infrastructure, it shouldn't change in each deployment or be affected unless there's a change in the IAC code itself, which you should really be picking up, and this would be achieved by the use of stack tracking mechanisms."
Again he provided more in his summary: "We're going to be looking at creating that standardized configuration management process across all cloud providers using IAC and maintain comprehensive backups, no matter where they are, looking at a disaster recovery."
"And a final couple of points really are to establish that secure CICD pipeline with integrated security testing, remembering to shift left and validating across all the cloud deployments," he added.
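The point that deployed infrastructure should only change when the IaC code changes can be checked mechanically. This added sketch (not from the presentation; resource names and attributes are hypothetical, constructed samples) compares the state declared in code with the state read back from the providers and classifies each resource as in sync, drifted, missing or unmanaged.

```python
import hashlib
import json

def fingerprint(attrs):
    """Stable hash of a resource's attributes (key order does not matter)."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def detect_drift(declared, deployed):
    """Compare IaC-declared resources with what is actually deployed.

    Returns {resource_id: (status, changed)}; for 'drifted', changed maps
    each differing attribute to (declared_value, live_value).
    """
    report = {}
    for rid in sorted(declared.keys() | deployed.keys()):
        want, have = declared.get(rid), deployed.get(rid)
        if want is None:
            report[rid] = ("unmanaged", {})   # exists in the cloud, not in code
        elif have is None:
            report[rid] = ("missing", {})     # in code, but not found deployed
        elif fingerprint(want) == fingerprint(have):
            report[rid] = ("in_sync", {})
        else:
            changed = {k: (want.get(k), have.get(k))
                       for k in sorted(want.keys() | have.keys())
                       if want.get(k) != have.get(k)}
            report[rid] = ("drifted", changed)
    return report

# Constructed sample: declared state as rendered from IaC, deployed state as
# read back from each provider.
DECLARED = {
    "aws:sg-web": {"ingress": ["10.0.0.0/8:443"], "egress": ["0.0.0.0/0:443"]},
    "azure:storage-data": {"encrypted": True, "public_access": False},
    "gcp:kms-key-a": {"rotation_days": 90},
}
DEPLOYED = {
    "aws:sg-web": {"egress": ["0.0.0.0/0:443"], "ingress": ["10.0.0.0/8:443"]},
    "azure:storage-data": {"encrypted": True, "public_access": True},
    "gcp:vm-test": {"machine_type": "e2-small"},
}

if __name__ == "__main__":
    for rid, (status, changed) in detect_drift(DECLARED, DEPLOYED).items():
        print(rid, status, changed)
```

Any status other than `in_sync` on a run where the IaC repository has no new commits indicates an out-of-band change worth investigating.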
Again, Spinks' presentation kicked off an event titled "Multicloud Data Protection Essentials Summit," now available for replay thanks to Rubrik, a leading data security specialist that has been quite active in letting us provide these events.
Of course, one of the benefits of attending such presentations live (in addition to $5 Starbucks gift cards, for today's example!) is the ability to ask questions of the presenter and actually get some one-on-one advice from a subject matter expert.
About the Author
David Ramel is an editor and writer at Converge 360.