Drive increased innovation and agility with any cloud.
Cloud-based IT adaptation is accelerating as IaaS, PaaS and SaaS solutions mature and companies seek to make their IT infrastructure more agile and cost effective. Currently the biggest factors limiting cloud adaptation are security and compliancy. Recent studies have shown that 90% of organisations that are moving to the cloud, or are considering a move, are either concerned or very concerned about security. Specific concerns are about general security, data loss and leakage and loss of control. Regulations such as GDPR place constraints on where data and applications can be placed and what level of protection is required.
Traditional security architectures are based on a separation between public and private networks where one or a limited number of connection points exist. These connection points are secured with perimeter defense solutions, and internal data and applications are not accessible from the outside, except through an extension of that perimeter such as a VPN connection to a secured host or location.
Cloud solutions only provide physical security and security features aimed at system availability such as DDoS protection. System, data and application security is the responsibility of the user of the cloud solution. While security tools are provided, they need to be configured and only provide basic levels of (network) security.
A new approach to security.
“A chain is only as strong as its weakest link” is a popular saying and very relevant when it comes to security. Most cloud deployments (71%) are hybrid, which means that data and applications can be inside or outside of your corporate perimeter at any time. Regardless of where they are, security must be at the same robust level. Different security concerns require different approaches to implementing security. It also creates new challenges in terms of visibility, management and reporting.
While it is possible to make the cloud a virtual part of your inside perimeter as shown in the above diagram, it would only be applicable for IaaS cloud solutions and counteracts most of the benefits of cloud-based solutions. Implementing this type of security is relatively easy and can be done with standard functionality offered by most cloud providers.
A more scalable approach is to create direct access points to the Cloud. This offloads access to your data centre and is more resilient, but creates additional entry points that need securing. Creating a protection layer between the two silos is also recommended.
The type and extent of security measures required depends on what needs to be secured. Applications and data are accessed from outside the perimeter with devices that are not always under your control, which means that security decisions are no longer about who has access to what, but also with what, from where and what they can do with that data.
Various solutions for securing multi-cloud architectures are available today, ranging from simple network security to full content and context aware security. Each come with a price tag in terms of acquisition, but more importantly in terms of (operational) complexity. Some of the most common security solutions in use today are:
- Stateful firewalls provide basic network security allowing connections to form between endpoints using sanctioned protocols
- NextGen firewalls take network security a step further. In addition to allowing sanctioned protocols, they can inspect the actual application being used and the type of data being transferred. NextGen firewalls also make it easier to map users to endpoints, making it easier to control who has access to what and how.
- Data Loss Prevention (DLP) increases the security level provided by a NextGen firewall in that it not only allows or blocks an application. It actively inspects the data being transferred and can flag data that is prohibited. It also can provide visibility into what data is located where, allowing security measures to be aligned accordingly.
- Content Access Security Brokers (CASB), in addition to getting grips with what data enters and leaves your organization CASBs also can control where it is sent to and in what format. Can it be stored on Box.com without being encrypted and shared with all users that have a corporate Box account or only with specific groups?
- End-point security. Traditionally end-point security solutions were limited to ensuring that malicious content is blocked on the end-device. The current generation also controls what data is stored on the endpoint and what can be done with it. In case of an issue with the device (stolen or otherwise compromised) the data can be made inaccessible thus limiting the impact of such an event.
Each of these solutions offer different security levels at the possible expense of performance and application usability, and they all have different levels of CAPex and OPex for your organisation. Each need to be placed in strategic locations within your IT infrastructure to maximise efficiency. Multiple solutions in multiple locations throughout the infrastructure also requires a management solution that ensures security consistency, visibility into possible weak spots and the immediate reporting of anomalies. Additionally, the security management platform can be the point where compliancy audits are automated.
How can Infradata help?
Infradata has 13 years of experience in security solutions. We can help you to assess the challenges that arise when expanding your IT into the cloud. We have the know-how to design a multi-cloud security solution that is effective, addresses all risks and can easily be implemented, managed and expanded. This can be a solution that you build yourself, a managed solution or a hybrid of the two.
Talk with an Expert
Speak with a solutions expert or architect. Give us a call or leave a message. Our team is ready for your business.