How to Best Protect Multi-cloud and Hybrid Environments

Take security into your own hands to protect applications, workloads and data across complex IT environments.


After a recent prolonged AWS outage (which was followed by “aftershocks” on subsequent days), a CNBC story encapsulated one of the significant conversations stirred by the event: Can big businesses rely on a single vendor, or do they need to spread their workloads in case something like this happens again?

Our answer is that organizations are already spreading their workloads across multiple environments. The more pressing question is: How can enterprises best protect those multi-cloud and hybrid environments as they evolve and change?

Every multi-cloud environment is unique and complex

A rapidly growing number of organizations worldwide are decommissioning their traditional data centers and moving applications to multiple cloud-hosted environments. This makes each organization’s security architecture uniquely complex, because what’s needed to secure one cloud will differ from the requirements of another. At the same time, threat actors — well aware of these rapid migrations to colocation facilities and the public cloud — have no shortage of attack techniques and tools (think booters, DDoS for hire) to target vulnerabilities introduced by inconsistent security policies and requirements.

This inconsistency is impossible to avoid. Security controls (WAF, DDoS, bot management, API protection, etc.) are unique to each environment. So as customers attempt to reduce risk, improve performance, or gain specific features by spreading their workloads across multiple clouds, they’ll inevitably end up with multiple security solutions, increasing the likelihood of misconfiguration and mismanagement — a leading cause of compromised data. Another layer of difficulty (both frustrating and costly) arises when enterprise IT starts troubleshooting across a disparate and fragmented cloud-hosted infrastructure. 

(If you’re thinking you’ll avoid this complexity by sticking with one solution, in our view this makes the least sense; it’s wastefully expensive and introduces unnecessary performance issues and points of failure.)

More significantly, troubleshooting across a multi-cloud environment is sometimes impossible. Many cloud-hosted IPs fall outside of an enterprise’s direct control, leaving it vulnerable — as we clearly saw on December 7 — to a successful DDoS attack. (Read more in our ebook DDoS Defense in a Hybrid Cloud World.)

Considering the increasing intensity and variety of cyberattacks, and the inevitability of further migrations to multi-cloud and hybrid environments, enterprises are best protected by taking cloud security into their own hands.

Cobbling together CSP solutions is less secure and more expensive

If your organization uses multiple public cloud providers, in addition to hosting on-premises workloads, you need flexible DDoS attack protection across hybrid architectures — especially since responsibility for security within public cloud environments can be inconsistent from provider to provider. Making a false assumption about who’s responsible can leave you exposed to huge risk.

In general, the customer is ultimately responsible for application security in the public cloud, as you can see in this shared responsibility model from AWS, which is similar to that of other public cloud providers. That responsibility includes DDoS protection, but also extends to higher-level security controls like protecting against data exfiltration, hacking, and bots.

Hyperscale cloud providers offer some of the required security controls, but not all. Web application firewalls, security lists, API protection, IP reputation, and bot management solutions are available to varying extents, but they are additional purchases that generally operate independent of one another. Relying on this “click-to-add” architecture instead of a single, purpose-built security platform does three problematic things: It adds another layer of complexity, increases cloud costs, and reduces the overall security of the application. In addition, this scenario forces IT staff to dedicate time to managing security, which also adds to the overall cost.

For enterprises to integrate, deploy, and manage DDoS defenses within each cloud service provider’s (CSP) unique environment — and with many internet-facing assets located across multiple clouds — operational complexity quickly compounds. Adding to the pressure, many CSP in-house DDoS mitigation solutions fall short in providing what enterprises most need to protect themselves: 

  • Reporting and visibility into events before and after they happen, including post-attack analysis
  • A time-to-mitigate service level agreement (most only offer service credits to the affected organization after a breach or outage)
  • On-demand access to SOC support from a 24/7 global security operations center

The last point, proper support, is critical to maintain business continuity and mitigate impact. Because staffing of security positions is increasingly difficult (and this is true across global regions), many enterprises have no in-house experts to turn to, and most CSP security solutions don’t have a security services support option.

How to best protect your multi-cloud and hybrid environments? At the edge.

Your mitigation strategy should empower your cloud strategy, not be at the mercy of it. Akamai’s purpose-built security solution protects applications and stops malicious bots and account fraud at the edge instantly, before they reach applications, data centers, and infrastructure. It offers four layers of defense in a single platform, fine-tuned to the specific requirements of your web applications or internet-based services.

Edge defense: The Akamai edge CDN delivers and accelerates web traffic using the HTTP and HTTPS protocols. Every Akamai edge server operates as a reverse proxy, forwarding legitimate HTTP/S traffic on ports 80 and 443 and dropping all other traffic at the network edge. This means that every Akamai customer inherently gets instant mitigation of all network-layer DDoS attacks — built into their web delivery. This brings up the other advantage of edge-security solutions: you won’t need to maintain a separate CDN, and you also get out-of-the-box egress savings via caching.

DNS defense: The same technology applies to Akamai’s authoritative DNS service, Edge DNS, which instantly drops all traffic not on port 53. Unlike other DNS solutions, Akamai specifically architected Edge DNS for availability and resiliency against DDoS attacks (in addition to improved performance) with architectural redundancies at multiple levels, including name servers, points of presence, networks, and even segmented IP anycast clouds.

Cloud scrubbing defense: Our Prolexic solution protects entire data centers and internet-facing infrastructure from DDoS attacks — across all ports and protocols. By routing both legitimate and malicious traffic through Prolexic, we are able to build both positive and negative security models that proactively and instantly mitigate DDoS attacks with high accuracy.
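To make the edge, DNS and scrubbing layers concrete, here is an added illustration (not Akamai code) of the two policy types the text describes: a positive model that forwards only the ports an edge role serves (80/443 for the web edge, 53 for DNS) and a negative model that drops a source exceeding a packet-rate threshold, with a per-vector byte report of the kind the visibility bullet above asks for. Role names, the threshold and the flow records are constructed assumptions.

```python
from collections import Counter, defaultdict

# Positive model: per edge role, the only (protocol, port) pairs that are
# forwarded to origin; everything else is dropped at the edge.
ALLOW = {
    "web": {("tcp", 80), ("tcp", 443)},   # reverse-proxy edge: HTTP/S only
    "dns": {("udp", 53), ("tcp", 53)},    # authoritative DNS edge: port 53 only
}
# Negative model (assumed threshold): a source sending more packets than
# this within the observation window is dropped even on an allowed port.
PPS_THRESHOLD = 1000


def filter_flows(role, flows):
    """Apply both models for one edge role.

    Each flow is a dict with src, proto, dport, packets, bytes.
    Returns (forwarded_flows, report) where report maps a reason
    ("forwarded", "dropped:<proto>/<port>", "dropped:rate:<src>") to bytes.
    """
    allow = ALLOW[role]
    per_src = defaultdict(int)               # packets per source in the window
    for f in flows:
        per_src[f["src"]] += f["packets"]

    forwarded, report = [], Counter()
    for f in flows:
        if (f["proto"], f["dport"]) not in allow:
            report[f"dropped:{f['proto']}/{f['dport']}"] += f["bytes"]
        elif per_src[f["src"]] > PPS_THRESHOLD:
            report[f"dropped:rate:{f['src']}"] += f["bytes"]
        else:
            forwarded.append(f)
            report["forwarded"] += f["bytes"]
    return forwarded, dict(report)


# Constructed sample window: one normal client, a UDP flood on an unserved
# port, a TCP probe of port 22, and a high-rate source on an allowed port.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "proto": "tcp", "dport": 443, "packets": 40, "bytes": 60000},
    {"src": "203.0.113.9", "proto": "udp", "dport": 1234, "packets": 50000, "bytes": 64000000},
    {"src": "203.0.113.9", "proto": "tcp", "dport": 22, "packets": 300, "bytes": 18000},
    {"src": "203.0.113.42", "proto": "tcp", "dport": 443, "packets": 5000, "bytes": 300000},
]

if __name__ == "__main__":
    kept, summary = filter_flows("web", SAMPLE_FLOWS)
    print(len(kept), "flow(s) reached origin;", summary)
```

Running the same window through the "dns" role shows the DNS edge forwarding nothing from this sample, since none of the flows target port 53.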

Human defense: Akamai Security Operations Command Center (SOCC) experts act as an extension of an enterprise’s incident response team to balance automated detection and response with human engagement. This layer of defense adds huge benefits to business, including:

  • Proactive monitoring of behavioral anomalies for early threat detection
  • Expert-crafted defense with scalable protection
  • Visibility into existing and emerging threats, so you can mitigate them faster
  • Enhanced security intelligence to address the growing attack surface

Finally, responding at the edge also reduces the actual cost of fighting the DDoS attack because scaling up is not necessary. Roll-your-own solutions (like a WAF AMI from AWS or a ModSecurity-based solution) run on compute nodes, which means the bigger the attack, the more they have to scale up to fight that attack. And the more they scale up, the higher the costs.

Think you’re a low-risk target? No such thing in multi-cloud environments.

According to IDC, DDoS attacks are expected to grow at an 18% CAGR through 2023 — a clear indicator that it’s time to increase investment in robust mitigation controls. And while some organizations may believe they’re low-risk targets for a DDoS attack, the AWS outage makes one thing clear: Our growing reliance on internet connectivity to power business-critical services and applications leaves everyone exposed to downtime and diminished performance — if their environments are too complex to manage, protect, and troubleshoot. Learn more about security at the edge.

About the author

Pavel Despot, Senior Product Marketer for the cloud in Akamai’s Edge Technologies Group, has more than 20 years of experience designing and deploying large-scale cloud solutions for global carriers, financial institutions, and other enterprises. Previously, as Principal Solutions Engineer at Akamai, he designed secure and fault-tolerant cloud solutions. He holds two patents in mobile network design and has held various leadership roles on the CTIA Wireless Internet Caucus, the CDMA Developers Group, and the Interactive Advertising Bureau. Pavel lives in Boston.

Copyright © 2022 IDG Communications, Inc.