Ask the Expert – Multi-Cloud: Keep Security Front and Center
What we’re seeing in the industry today is that most of our customers aren’t adopting a single platform for all of their workloads. Depending on a plethora of factors (RTO/RPO, application requirements, latency requirements, etc.), it truly is becoming a multi-cloud world.
But with lots of options comes complexity.
In this blog series, we attempt to tackle some of the key considerations when making workload placement decisions. This month, we’re talking with Derek DeHaan about multi-cloud security considerations when deciding the best execution venue for your workloads.
You spend a lot of time with OneNeck’s customers, helping them understand their options for their workloads, as well as the potential risks and rewards. Based on your unique perspective, what do you see as the most important consideration when looking at security’s impact on a workload platform choice?
The most important consideration we’re seeing with our customers today is understanding what security framework you need to comply with. And what I mean by that is, for instance, the NIST framework has a definition of cloud computing and how cloud security should be applied in cloud-like workloads. If that’s what you’re going to conform to, we can absolutely help you with that. Azure and AWS both conform to that, and we at OneNeck are going down that same path. The big key here is that you need to understand first what you are trying to achieve, and then identify what platforms will help you achieve that security framework.
What about regulatory compliance?
If you have PCI, or HIPAA or SOC compliance mandates, it’s important to understand those workloads that are subject to those compliance needs. If those workloads are subject to say SOC 2 or PCI level 1, some of the platforms may not be a good fit for those workloads. It will help you determine which workloads can reside where and help you set up the appropriate connectivity between platforms to ensure a successful multi-cloud strategy.
We hear a lot these days about endpoint protection. Why is it such a critical part of an organization’s multi-cloud security strategy?
Endpoint protection can really be divided into two areas: servers and end-user devices. End-user devices are a little bit different, but always need to be a consideration. The servers, however, are extremely important. Some of the private cloud managed service providers will provide antivirus and some of those endpoint server protections as part of their managed services offering. It’s key to understand if that’s a necessity for your company, and who will be providing the necessary licensing – the MSP or your organization. But this needs to be part of the upfront conversation with any service provider you’re considering partnering with to ensure you have it covered when you go to implement your chosen solution.
With today’s threat landscape continually becoming more sophisticated, we all know a layered approach of defense is critical, so that if an attacker is able to bypass one layer, another layer stands in the way to protect the organization. Two of the more common tools used to secure networks are firewalls and intrusion prevention systems. What should be considered here?
With all the security threats out there today, this is becoming much more of a hard-and-fast requirement for many of our customers. Some companies already have this implemented in their own hosted data center or hosted virtualized infrastructure, but service providers are moving towards making this a requirement.
You can sign up for this on the hyperscale, public cloud provider side as a virtual machine or appliance that runs in your environment. At OneNeck, we go ahead and provide that as dedicated firewalls to ensure that you’re getting those services. So, it comes back to understanding those workloads, and do we need to have intrusion prevention? What type of firewall services are going to be important? Do we want packet inspection or layer 4-7 detailed packet analysis to understand what our internal employees or customers are doing with transmitted data? All important questions to ask.
Does segmentation of the business applications impact platform choice?
This takes us back to the security frameworks and regulatory compliance discussion. First off, it’s important to understand your application dependencies, and then how you can segment out chunks of the business.
Maybe a simple example is your web servers. There may be a web server connected to a database server, and those two don’t connect to anything else in the business – they serve up your web page and can be a standalone group of servers. That would then be considered a segment that would be an ideal candidate for a hyperscale public cloud, because it can easily and automatically scale for seasonality, and it doesn’t need to be connected to any of the other infrastructure. This can be very cost effective, and you can go ahead and let it do its thing in the public cloud.
As any provider like OneNeck sees on a regular basis, one of the biggest multi-cloud security challenges is around management. What would you recommend as a solution to an IT team looking at centralizing their security management?
When you start looking at all of the different platforms that you can put your workloads on, centralized security management becomes key. You have to understand how you’re going to bring back security data that’s going to be overarching on your public cloud, your hosted private cloud and your on-premise workloads – all of them might have different security software that is analyzing and watching for intrusion and things like that. So, you need to know what’s going to sit at the top and give you that single pane of glass that allows you to look at or tap into all areas and provide appropriate correlation of the events to ensure best response possible should a breach occur.
What’s an example of a common solution you’re seeing our customers use today?
OpenDNS is one that many of our customers are adopting. It allows them to go out and basically make their domain name available in multiple places for redundancy reasons, as opposed to going to a single DNS registrar. So, as you look at security for DDoS attacks and other things that are happening to websites and customers’ environments, OpenDNS is one of those solutions that’s a consideration to prevent that from causing your organization an unwanted outage/downtime.
Any final thoughts for our readers?
Remember this is just one small area that needs to be considered in the overall picture, but when you break it down like this, it makes it much easier to tackle. It is always important to do the best you can to define your requirements up front to ensure you get the correct solution and platform for your workloads. Be sure to also vet out the providers and platforms you choose ahead of the final move, as you want to do the best you can to reduce any unwanted surprises around capabilities after a decision has been made. This due diligence will help guide you to the most appropriate solution and will help your organization succeed when it comes to your overall cloud strategy.