Does cloud complexity make us unsecure?
Deloitte on Cloud Blog
April 3, 2018
A blog post by David Linthicum, managing director, chief cloud strategy officer, Deloitte Consulting LLP.
Multiclouds are all the rage these days. They provide the ultimate in enterprise flexibility by allowing you to mix and match cloud services to meet the exact needs of the business. Thus cloud use supports business agility and operational cost efficiency. But are there any downsides?
Of course, there is a tradeoff. The use of multicloud means more complexity by the simple fact that there are more cloud services that you leverage. Moreover, you mix the cloud services with existing legacy systems that still reside on premises, not to mention other systems outside of the enterprise such as exchanges.
The biggest issue with complexity is that, in many instances, it makes security a challenge. If security is a challenge, that may make your cloud-based systems and data less secure. Thus, we can state that the more complexity that’s present in our cloud solution, the less secure it’s likely to be. That is, if we don’t take steps to employ the right resources and tools to deal with the complexity.
The issue is that traditional public IaaS cloud computing security was handled using native security tools and services. That means you have to deal with native security services such as encryption, identity and access management (IAM), key management, etc. If you leverage more than one public IaaS cloud, you multiply the number of security tools and services you must deal with. This is on top of compliance and governance tools and processes, as well as monitoring and management activities.
So, how do we solve this complexity problem? It’s a matter of thinking about security in terms of abstraction. In other words, plan to leverage security services that operate above the multicloud public services you manage, as well as your traditional systems.
This means having common directory services to support an identity and access management (IAM) system that can span all systems, cloud and not, as well as common key management and common encryption management. In addition, good data integration must occur between all clouds and traditional systems, as well as the means to encrypt the data in flight as well as at rest.
If this sounds like we want to solve the problem of complexity with more complexity, that’s really not the case. The overarching security systems replace most of the native ones, and we don’t manage security using a single pane of glass.
This should be more effective since we can better secure all systems using more proactive monitoring and responses. Moreover, since we’re dealing with many systems that use the same policy sets, it’s more likely that we’ll keep the threat management database up-to-date.
The good news here is that we have the capabilities to manage the security of many clouds, as well as traditional systems, using a single abstraction layer, meaning a single set of tools and services. The bad news is it’s unlikely we truly understand what those tools are, as well as how they are implemented.
My advice is to get smart now because complexity will just be a part of the end-state IT solutions.