Multicloud services have become the norm rather than the exception as organizations shift to accommodate increasingly dynamic workloads. IDC has predicted that by the end of 2022, more than 90% of enterprises worldwide will rely on a mix of on-premises, dedicated private clouds, multiple public clouds, and legacy platforms to meet their infrastructure needs. As these changes continue to take root, the threat landscape has increased, and security approaches developed for the public cloud also need to evolve.
This is particularly true for government agencies. Cloud infrastructure delivers benefits including agility, mobility, cost control, and performance, but government agencies manage significant volumes of sensitive information. The stakes are higher when they move to the cloud and network traffic patterns change. As the Internet now serves as the network, firewalls, virtual private networks (VPNs), and the concept of perimeter security is obsolete. This dynamic requires a new security model, one that leverages the power and scale of the cloud.
Multicloud models enable new services for citizens and improve efficiency across the federal government; however, they also introduce new security challenges, including:
- Understanding and prioritizing cloud risk: Gartner predicts that by 2025, 99% of cloud security incidents will be an enterprise’s own fault, as cloud processes are managed by well-intentioned employees with little knowledge of secure cloud configuration or understanding of highly dynamic cloud environments.
- Applying security policies across multicloud environments: Agencies must ensure security across infrastructure, applications, and data in multiple clouds. But managing a multicloud architecture is extremely complex, as cloud providers can be very different in terms of access and resource management.
- Gaining workload visibility and understanding risk exposure: The whirlwind pace of cloud adoption creates new opportunities for threats as the attack surface expands. Security teams may find it difficult to keep pace with agile development methodologies and, in the process, lose visibility into infrastructure and risk.
- Ensuring misconfiguration does not expose private services or data: Continuous development, testing, and deployment improves efficiency, but can also allow misconfigurations to slip through the cracks and introduce security vulnerabilities.
- Achieving workload segmentation: IP-based network segments are typically configured to be open whether they need to be or not, which increases the attack surface. Workload segmentation, on the other hand, uses machine learning and cryptographic identity to segment application workloads and automatically update security policies.
- Routing traffic among multicloud environments: Multiple environments can mean fragmented security solutions across the various cloud and data center environments. Fragmented security creates points of weakness that can make agencies vulnerable to attack.
The federal community is working to improve multicloud security. The National Institute of Standards and Technology’s (NIST) Multi-Cloud Security Public Working Group explores best practices for securing complex cloud solutions involving multiple service providers and clouds. NIST has recreated a resource hub that includes free assessment tools (many developed by industry partners) to help agencies understand their cyber-risks. And, the General Service Administration Data Center and Cloud Optimization Initiative’s Program Management Office has released a Multi-Cloud and Hybrid Cloud Guide for agencies migrating and deploying various cloud services.
Multicloud Best Practices
You can reduce multicloud security risks with best practices including:
- Implement zero trust: Protecting government data in a cloud-based, mobile-enabled world demands a “trust nothing, inspect everything” approach as mandated by the May 2021 cybersecurity executive order. A recent survey of federal cybersecurity decision-makers found that 82% agree allocating staff and budget to zero trust is vital to national security.
- Securely connect users, devices, and workloads using business policies over any network: A cloud-delivered approach to providing fast, seamless, and policy-based access to external and internal applications can ensure employees work securely and productively from anywhere.
- Reduce risk of lateral threat movement: Identity-based workload protection prevents lateral movement of malware and ransomware across servers, cloud workloads, and desktops.
- Simplify cloud communications: Once lateral threat movement has been reduced, the next step is to secure workload communications to the Internet, other clouds, and data centers. Agencies need zero-trust connectivity across multicloud and hybrid cloud infrastructure, securing workload-to-Internet, workload-to-workload, and workload-to-data-center communications without the need for hubs, virtual firewalls, VPNs, or network-based policies.
Although implementing multicloud security can be a heavy lift for the government, agencies are making progress. The Technology Modernization Fund has invested in a total of 29 projects to secure and modernize IT across 17 federal agencies. And 91% of federal cybersecurity decision-makers believe the 2021 cybersecurity executive order has made US data and critical infrastructure safer.
To keep on this trajectory, government agencies need to apply lessons learned from each other, while also utilizing the expertise industry can offer.