Multi-risks in the Multi-cloud: An Industry Perspective

istock 614342566

Not long ago, it was foolhardy to suggest that a bank, school, or healthcare provider might migrate some of its mission-critical or sensitive data and applications to a public cloud. Today, organizations in many industry sectors are welcoming the idea, subscribing not only to one, but to multiple clouds. In fact, one survey found that enterprises use an average of 1.8 infrastructure-as-a-service (IaaS) clouds; another discovered that companies averaged 16 cloud-based software-as-a-service (SaaS) applications.

Cloud diversification adds a measure of redundancy, which can help enterprises meet their business continuity commitments, while also helping to avoid cloud vendor lock in. Migrating to the cloud raises concerns, of course, and security ranks high on the list. And though most cloud providers have multiple security measures in place, they generally apply to the security of the clouds. Subscribers bear the responsibility for their activities in the cloud.

Isolated Clouds Are Less Secure

Even if the enterprise security team has a handle on its individual clouds, multiple secure clouds are not the same thing as a secure multi-cloud. This requires a single secure enterprise network that spans the data center (physical or software defined) and all the private and public clouds to which an organization subscribes.

That’s an important distinction, because increasingly, workloads are moving between clouds, or connecting from the data center to a public cloud. When clouds run in silos, CISOs are constantly on the defensive, and in many cases, running blind. Here are some of the obstacles they face:

  • Poor visibility. Cloud-specific portals let CISOs see into each cloud individually, but not into all clouds at once, with no comprehensive view across all north-south and east-west directions.
  • Lack of coordination. Siloed clouds preclude integration between security functions and centralized orchestration. Which means that when an attack occurs, CISOs cannot mount a coordinated response to mitigate the impact.
  • High TCO, reactive security. Spending hours matching and aggregating data from different cloud management portals or comparing signals from different clouds and then deciding on appropriate actions takes time and resources that CISOs often don’t have, especially with zero-day threats and shrinking intrusion-to-breach windows.

Let’s consider how these multi-cloud security challenges play out in three real world scenarios.

Financial Services: Digital Transformation in the Cloud

Online banking owes its popularity to much more than customer convenience. Banks can achieve savings of as much as 40% by moving their back-office applications to the cloud. Digitally transforming banks are adopting cloud-based SaaS solutions such as Fiserv and Salesforce, for example, to improve customer service, transactional processes, and decision-making efficiency. These SaaS applications, however, run in different cloud environments. Robust security provisions, such as Salesforce Trust and Fiserv’s Sentry, are meant to allay security concerns. But it’s up to the bank’s security team, however, to figure out whether the standards provided by these security provisions match those of their internal network, and whether they can ensure PCI compliance when personally identifiable data traverses multiple cloud boundaries.

Education: Resourced Constrained

The collaborative educational environment that has eluded education policymakers for generations, technology has managed to achieve in a few short years. Education is being transformed as faculty, staff, and students are embracing a slew of new digital methods and tools, from whiteboarding and creative apps such as Adobe Creative Cloud, to class management and analytics apps such as G Suite for Education and Microsoft Office 365 Teams. Schools are also a hotbed of bring-your-own-device (BYOD) usage, as teachers increasingly allow students to conduct research using their personal mobile devices connected to the campus Wi-Fi network. As a result, school districts find themselves with multi-IaaS, multi-SaaS, and emerging private cloud environments.

With all these clouds, apps, and endpoints in use, schools are prime targets for cyber attacks. According to one report, in early 2016 the U.S. education sector experienced more security incidents than both the retail and the healthcare sectors.

But K-12 schools are at a disadvantage in combatting attacks when compared to their private sector counterparts due to typically more limited IT resources. What’s needed is well-integrated threat prevention, and automated, orchestrated threat detection and response. In the absence of these, however, it’s not reasonable to expect that a district network administrator hopping from one cloud dashboard to another, and checking and hand-correlating event logs, to be able to pinpoint the source of a potential threat in the time that today’s threats require.

Healthcare: IoMT Threats

Like their multi-cloud peers in education, IT staff in hospitals and other healthcare facilities serve a variety of users, including clinical and administrative staff, patients, and third-party healthcare partners. Like school staff and students, many healthcare network users are highly mobile and wield a variety of devices, through which they reach both into the core of the provider’s data center as well as out into public clouds.

Although healthcare providers are generally better staffed for cybersecurity than educational institutions, they face a more pernicious attack vector: a whole host of distributed connected devices, such as blood pressure monitors, glucometers, CPAP breathing devices, wireless ultrasound monitors, dialysis pumps, and more, which constitute the Internet of Medical Things (IoMT). SaaS platforms such as Kaa and Harman then collect the clinical data generated by IoMT devices and make it available to medical staff and other healthcare providers, as well as to the patients themselves.

Often lacking in up-to-date security provisions, while also operating around the clock, IoMT endpoints present easy targets for hackers who use them to gain access to the IoMT cloud platform. Through that platform malicious code can then infect the healthcare provider’s network, as well as other clouds that access repositories of clinical data. Without an end-to-end view of the entire multi-cloud environment—and the tools necessary to coordinate a network-wide response—healthcare security staff are ill-equipped to protect their patients’ data, comply with regulations, or even guarantee the availability of networked applications and data in the event of a large-scale DDoS or ransomware attack. And such events are highly likely: According to one report, 88% of ransomware attacks are directed at the healthcare sector.

A Fabric Ties Up the Loose Ends of Multi-Cloud Security

In education, financial services, healthcare, and other industries, meeting the challenges of a multi-cloud environment requires a more holistic approach—an adaptive, integrated, and automated system that makes it practical for security teams, large or small, to achieve a competent security posture. That’s the idea behind the Fortinet Security Fabric. To learn more about the Fabric and how it supports multi-cloud enterprises, click here to download the new paper “What Is Multi-Cloud? Its Opportunities and New Security Challenges.”