Operationalizing Security Policy To Automate Multi-Cloud Network Security
By Steven Yurkunas, Tufin
Multi-cloud enterprise infrastructures are becoming more common for two simple reasons: organizations want to utilize the cloud solution that’s optimal for a wide variety of business processes, and each cloud vendor and service has its own specific set of strengths and weaknesses.
Innovative companies are selecting, a la carte, the optimal mix of private cloud technologies and public cloud services for their business. This approach leverages each cloud provider’s platform for what it does best, which helps companies optimize performance and better manage their expenses. Taking a multi-cloud portability approach to assets and tasks helps avoid vendor lock-in while supporting the needs of the business, which is a key benefit of a multi-cloud approach.
When it comes to managing security (as a service or directly as the customer), ensuring compliance, and mitigating risk, however, multi-cloud enterprise networks introduce new challenges. Every new cloud environment and service adds security controls, management consoles, and potential threat vectors. Because there is no longer a perimeter, the network becomes very difficult to protect. As a result, maintaining a consistent security posture across on-premises and multi-cloud environments proves challenging for many organizations, as does meeting audit requirements and regulatory reporting obligations.
Security needs to be the compass on your organization’s cloud journey. Without a policy-based, automated approach to network security management, organizations running multi-cloud and hybrid enterprise networks expose themselves to increased risk, and — due to cumbersome manual processes — can’t take full advantage of the speed and agility the cloud makes possible.
The Importance Of Policy-Based Network Security
In the modern enterprise, new cloud assets and services can be provisioned by an increasingly broad variety of people, from developers and engineers to marketing staff and finance teams. New cloud infrastructure can be provisioned with a few lines of code via CI/CD automation and may only exist for mere milliseconds. As a result, cloud assets and services are often “spun up” without appropriate network security controls, leaving the organization at risk of breach or outage.
In other instances, there are legacy technologies that may be wedded to on-premises tools, or even locked into a specific type of cloud. Even if the rest of the company moves to newer technology and updated platforms, there are always older processes that remain because they’re too valuable or too difficult to replace. Long live the mainframe! Mergers and acquisitions are another way for multiple different clouds to be inherited.
In all of these examples, each type of cloud added to the mix creates (or expands) a multi-cloud environment, but also exponentially expands the security, configuration, and compliance issues that have to be understood and solved. In a multi-cloud environment, you have to be able to see, understand and manage a large volume of changes at the same time — and that ability has to remain constant, no matter how many changes there are. The blind spots that are potentially created and hidden as a result of cloud expansions can come back to haunt an organization, carrying with them dire consequences.
This is why the establishment of a unified, consistent security policy is so important. But just establishing one isn’t enough — planning for the ongoing management and updating of the policy across the enterprise is a critical element of effectively applying security in a scalable way.
A Single Platform Approach
Organizations need a single toolset that can manage security policy across the organization. IT and security teams might be able to keep up with the settings and updates needed to keep one or two different cloud platforms secure and configured correctly, but even then, as usage increases, there are simply too many things to keep track of, and too many possibilities for something to go wrong. With the never-ending expansion of today’s enterprise environments — and fewer staff members to secure them — there is a need for a single unified approach to the security policy. Teams need a centralized view of their network landscape, one that gives insight into the real-time status of their cloud implementations. This insight accelerates the time it takes to discover problems and repair issues.
By adopting a single unifying platform that can maintain a security posture across diverse clouds and operations, your team can empower employees to take advantage of the speed and agility of the cloud, without exposing the organization to potentially dangerous and costly risks.
There are a few key features and capabilities that are necessary to ensure success with a security platform:
- Visibility: Having a single dashboard view of your entire hybrid network landscape is critical. You need real-time awareness and insight into what is happening at any time. Otherwise, it is nearly impossible to stay ahead of risks and make effective and informed decisions.
- Cost: Several aspects can drive up the cost of a platform beyond the sticker price. How much manpower does the solution require? Will you need to retrain your workforce, or add people to it to manage policy across your environment?
- Ease-of-Use: Closely tied to cost is the solution’s ease of use. Do your employees need to be highly trained? Is it easy to set up, manage, and add additional cloud instances as the company expands? Can it cover both legacy and new technologies? Does it enable you to automate policy design?
- Support: Does the platform come prepared to support every public cloud, asset, and service? Support for AWS, Azure, and Google Cloud Platform, among others, is necessary from an ease-of-use and visibility standpoint. You also need to make sure that choosing a platform doesn’t end up tasking your team with additional work to get it to operate as planned. Can this same platform support your legacy network in addition to the cloud?
- Compliance: Mandating compliance, enforcing it, and then proving it can be a headache of its own, especially in highly regulated industries such as healthcare and finance. Does your solution make it easy to track and enforce compliance? Does it have pre-built functionality for key industry regulations? Is it easy to update when changes are made to regulations? Does it have an easy reporting function to show regulators and your bosses just how compliant you are? If you’re not thinking about your overall footprint, then you’re not mapping compliance properly. As they say, ignorance of a problem is not a proper defense.
- Security: As a part of the platform’s visibility, does it enable automated real-time notifications? These are critical for helping IT and security teams identify and remediate any high-risk access and connectivity configurations before they become a problem. Does the platform support segmentation or a zero-trust approach? Your platform must enable new cloud instances to be added quickly – and securely. Time to protect is critical.
- Automation & Orchestration: Does the solution embrace automation and orchestrate the latest technologies found in the environment? By incorporating automation, the onboarding and offboarding of technologies and devices can be easier. The same can be said for cloud access, reviewing alerts, or the onboarding of new cloud environments. Automation can understand and set configurations, create security policies, or apply security policy changes across the enterprise, eliminating human error. Future automation solutions can even advise technicians on designing policies and specific adjustments that should be made.
Understanding Risk And Providing Opportunities
The visibility that a unified security policy platform delivers to MSSPs and customers alike enables teams to better understand and manage any risks to the organization quickly and easily. Automating the management of security policy across all aspects of your environment ensures that there are no misconfigurations or unsecured elements that can expose your company. Security policy management from a single platform empowers developers and business users to concentrate on the business goals, not the security, and still work the way they wish.
While it’s true that the attack surface is widened every time the organization expands with new equipment and new cloud instances, if you have visibility into how attackers could reach data, i.e., what segments of the network they’re coming from, then a true zero trust security posture can be realized.
One last advantage is that by making the security policy administration and compliance process easier to replicate and repeat, you allow your security team to act as true security professionals, spending time on more valuable actions, instead of wasting time and effort on mundane, repetitive administration tasks.
About the Author
Steven Yurkunas, Vice President, Business Development, Tufin, has been a cyber security thought leader and practitioner for over 20 years, progressing from programmer, network manager, and solution architect to VP of Sales/Channels. He now heads Business Development at Tufin, where he is responsible for GSIs, Tech Partner Alliance, and MSSPs. He has been on the steering committee for the U.S. Secret Service Mountain West Cyber Fraud Task Force (MWCFTF) for 8 years.