GCP – Cloud CISO Perspectives: It’s a multicloud jungle out there. Here’s how your security can survive — and thrive
Welcome to the second Cloud CISO Perspectives for October 2023. This month, David Stone and Anton Chuvakin, colleagues from our Office of the CISO, are talking about what security and business leaders need to know about securing our multicloud present and future.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
It’s a multicloud jungle out there. Here’s how your security can survive — and thrive
By David Stone, solutions consultant, and Anton Chuvakin, security advisor, Office of the CISO
One of the inevitabilities of the modern cloud ecosystem is that multicloud — when you use services from more than one public cloud provider — is happening across your infrastructure.
David Stone, solutions consultant, Office of the CISO
Organizations should have an executable strategy in place to better manage the security risks associated with multicloud systems based on this foundation: Securing multicloud doesn’t mean you need to multiply the number of engineers you have, their skills, or even the size of your security team by the number of clouds you have. Instead, it’s about securing the clouds you use and the connections between them.
Anton Chuvakin, security advisor, Office of the CISO
An overwhelming majority of organizations are using or plan to use at least two cloud infrastructure providers, and nearly one-third are using four or more, according to an Oracle and 451 Research report published earlier this year. Yet securing clouds is not a one-size-fits-all proposition, especially in highly-regulated environments such as those that financial services organizations operate in.
A multicloud environment allows your cloud environments to be private, public, or a combination of both. The primary goal of a multicloud strategy is to give you flexibility to operate with the best computing environment for each workload.
We believe that it’s best to approach securing multiple clouds with a beginner’s mindset, by relearning cloud capabilities and security control mechanisms. An effective approach to securing those workloads is to run multiple cloud services as a unified multicloud infrastructure-as-a-service. Based on our conversations with financial services organizations, here are five steps and three bonus tips on how to better secure multicloud from an organizational and operational perspective.
1) How to make the most of multicloud
Cloud service providers including Google talk a lot about and implement security by default — but there is no “multicloud secure by default.” Each cloud has their own set of defaults and guiding principles that may not be harmonized internally or with each other, so you need to baseline each, see where the gaps are to your ideal, and augment each cloud’s defaults as needed.
One way to improve secure-by-default outcomes in multicloud environments is to develop inside the cloud so you lay a more secure foundation. Building individual cloud tools from the ground up that are secure by default and secure by design leads to less add-on work after the fact.
When it comes to integration, most cloud providers have APIs and all the other things you need to “glue it all together” from a security perspective.
Be aware of complexities that can evolve around identity and access management, and data governance. Maintaining data governance and secure access across multiple cloud environments can be challenging and play out in different ways. For instance, some organizations rely on their on-premise Active Directory for all their identity management, including that in all their clouds. That makes their modern cloud environments critically reliant on a 1990s piece of technology.
Secure each cloud using the best available tools and approaches, and prepare to build additional safeguards to reduce the risks your multicloud system might face.
2) Integrate CI/CD pipelines with common security controls
Security as code for multicloud can create one pipeline that integrates common security checks. This is applicable even when you have adopted an agnostic configuration language or technology, such as open policy agent (OPA). The agnostic control statements need to be mapped to your particular cloud realities.
Google launched a risk and compliance as code (RCaC) solution to allow organizations to enable security and continuous compliance through code. The key building blocks of the solution are tools and best practices that allow you to strengthen your capabilities for preventative controls, detections, and drift remediation.
3) Leverage cloud-born tools
Adopting an Information Security Management System for multicloud (or any cloud) infrastructure is a must for maintaining and operating a secure environment. For example, a bank operating in a traditional legacy environment that is moving now to the cloud might conclude that there’s no need to take a new approach to their security information and event management (SIEM). But the truth is, you really do need a cloud-born SIEM. Otherwise, your teams often will keep using existing on-premises tools, which creates problems and ultimately increases your technology debt.
While it’s true that on-premise tools are usually cloud-agnostic, and so can be used with any cloud, they often lack any awareness of modern cloud technologies and practices and therefore are rarely the best option for cloud security.
This all-encompassing cloud security thinking applies to every tool within your multicloud environment, even your browser choice. Google Chrome Enterprise is a prime example of a cloud-born tool that combines the business capabilities of a modern web browser (such as Chrome) and secure OS (like ChromeOS) to power your cloud workforce and enable them to work safely and securely in any and all cloud environments.
4) Choosing the right security tools and technology
When it comes to the tools and technology for monitoring cloud security, you need to choose multicloud solutions designed to monitor multiple environments. It’s ideal to align with the common frameworks from NIST and the Cloud Security Alliance (CSA) to provide a gauge for different standards. Start with your cloud service provider’s tools, and then use third-party cross-cloud tools only if you need them.
Many cloud service management tools used by cloud service providers focus on keeping an eye on the production environment. But more tools are starting to focus on how those workloads get deployed to production based on the pipelines — and the protections that are needed there. Essentially, a shift left for these controls. This means that tools are increasingly also being aimed at the preventive side of controls, rather than just the detective side, to help pinpoint when something that went into production isn’t right.
5) Finding and training the right multicloud team
It’s no surprise that the search for talent with the right cloud skill sets can be frustrating. What you’re really dealing with is a division of teams and talent — with a need for, say, Google Cloud experts, AWS experts, and Microsoft Azure experts. It’s equally vital for your management team to have the right skills to assess the operational model and make corrections where necessary. Finding leaders and experts who understand multiple cloud platforms is a daunting task.
Of course, training is an important piece of this. But questions arise: What’s the optimum strategy? Do you get your current staff trained in the new technology? Do you bring in experts to jump-start that process? Do you rely on vendors? All are valid strategies for upgrading cloud security tools and technology training.
As your need to support multicloud infrastructure-as-a-service increases, you need to think through how to train individuals on multiple clouds. Training experts in all cloud services is, perhaps, unrealistic. Few organizations can afford security experts who also know more than one cloud really well.
A more realistic approach is to train teams on relevant operational components, and then rely on those experts for key functions. For example, to detect threats across Google and another cloud, you need to hire detection experts who can then consult with cloud-specific experts for support. Within your own organization, offering specialized training and certifications is a good incentive.
Three multicloud bonus tips
Be prepared: Plan for how your security team can start on Day 1 with a multicloud strategy.Be deliberate: Set a clear strategy around when to use which cloud providers for the best capabilities and the best business outcomes.Be ready for change: Expect changes to cloud platform security (and best practices) for each cloud, and prepare to adapt rapidly to cover emerging threats.
Next steps
Your multicloud path may differ from your competitors or your partners. Some start off as multicloud enterprises. Others come to it from mergers and acquisitions, distributed decision making, or even independent (and possibly uncoordinated) internal purchasing.
Now is the right time to consider the operational processes, technology tools, and people that best meet the multicloud security needs of your infrastructure. We’re here to offer you our insights and recommendations to help you address your multicloud security requirements – and ways to maximize security across your multicloud environment.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
Google Cloud and E-ISAC team up to advance security in the electricity industry: Google Cloud partners with E-ISAC as the first major cloud provider in the Vendor Affiliate Program. Read more.Cloud and consequences: Internet censorship data enters the transformation age: Censored Planet Observatory is transforming the way we analyze censorship data to be more informative. Here’s why. Read more.Shining a light in the dark: Measuring global internet shutdowns: Data ingestion from multiple sources helps the researchers see where governments are blocking access to websites. Read more.From turnkey to custom: Tailor your AI risk governance to help build confidence: Business and security leaders have questions about how generative AI models affect their risk-management strategies. Here’s a primer. Read more.Empowering all to be safer with AI: As part of Cybersecurity Awareness Month, we’re sharing more on how AI has the potential to vastly improve how we identify, address, and reduce cybersecurity risks. Read more.Building core strength: New technical papers on infrastructure security: Based on principles laid out in Building Secure and Reliable Systems, we are excited to announce a new series of technical whitepapers on infrastructure security. Read more.New learning lab can help address security talent gap: To help address the chronic shortage of security talent, Google Cloud has introduced a new virtual, lab-based training for Security Command Center, that can be completed in just six hours. Read more.What’s new with Cloud Firewall Standard: We are excited to announce the general availability of the fully qualified domain name (FQDN) feature for Cloud Firewall. Read more.Introducing Actions and Alerts in Advanced API Security: Shift your security approach to proactively identify and act on security threats with security actions and alerts. Read more.How we’ll build sustainable, scalable, secure infrastructure for an AI-driven future: Google products have always had a strong AI component, and we’ve spent the past year supercharging our core products with the power of generative AI — including security. Read more.Improve Kubernetes cost and reliability with the new Policy Controller policy bundle: Our new GKE Policy Controller Cost and Reliability policy bundle automatically identifies potential workload improvements so you can achieve greater reliability and cost efficiency. Read more.
News from Mandiant
Remediation for Citrix NetScaler ADC and Gateway vulnerability: Mandiant is providing additional steps for remediating and reducing risk related to a Citrix NetScaler ADC and Gateway vulnerability, which we have observed being exploited at professional services, technology, and government organizations. Read more.Mandiant Threat Intelligence product updates for October 2023: Mandiant Threat Intelligence has added a number of new and updated features and capabilities that can help you save time and gain more insight into the threats targeting you. Read more.
Now hear this: Google Cloud Security and Mandiant podcasts
Weighing the benefits and risks of LLM for security: Securing foundation models is a complex process that requires more holistic thinking. Hosts Anton Chuvakin and Tim Peacock talk about the challenges and nuances of foundation model security with Kathryn Shih, group product manager and LLM lead, Google Cloud Security. Listen here.How to cure one of cloud security’s biggest headaches: Why is cloud security remediation such a headache for so many organizations? Whether the remediation problem stems from process failures, internal team friction, or technology snafus, Anton and Tim talk with Tomer Schwartz, CTO, Dazz, about how security pros can evaluate solutions for prioritizing, triaging, and fixing issues. Listen here.Threat Trends: DHS Secretary Alejandro Mayorkas in conversation with Kevin Mandia: DHS Secretary Alejandro Mayorkas and Mandiant CEO Kevin Mandia discuss collaboration between the private sector and government, improving the talent gap in cyber, and ongoing DHS initiatives to foster greater cybersecurity. Listen here.Threat Trends: Addressing risk in the cloud with Wiz: Host Luke McNamara is joined by Amitai Cohen, Wiz’s attack vector intel lead, to discuss trends in cloud security, managing risk, and more. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.
Read More for the details.