In an increasingly multicloud world, enterprises are faced with the critical challenge of managing data security across different cloud environments.
Most organizations are no longer betting on one public cloud or one private cloud, but see deployment needs for multiple destinations given the increasingly diverse needs of their application portfolios. A recent study by IDC found that as of 2016, "68% of organizations have adopted cloud for enterprise apps," a 61% increase from 2015.
The differences between the clouds, their respective hosting needs and differences in applications still need to be managed in the aggregate. Increasingly that means enlisting the help of a cloud management platform (CMP), and Gartner provides market guides to help navigate that growing market of software that enables a central governing body to coordinate deployment and usage activities across different clouds from a single pane of glass.
Managing the multicloud environment also means addressing security challenges such as protecting access, ensuring data encryption and achieving consistency with data security across diverse cloud platforms.
Protecting data starts with defending access to the virtual machines on which the data resides. At the network level that means port-level security: the machine in question accepts traffic only on the ports its application needs, and only from approved sources. Application components use well-known ports, such as 80 and 443 for web servers, but cloud providers expose very different ways of restricting them.
Some provide a "security group" mechanism in which a set of open ports and valid sources is defined once and then reused for many different machines. Other clouds leave it to iptables (or the equivalent host firewall) inside each individual virtual machine. Because CMPs typically look at the world from an application perspective, it is much easier for them to keep track of which cloud supports which method of setting port-level access, and then render the same policy for the specific virtual machine IP addresses involved in the application deployment. Not only does this save time, it ensures consistency in port-level access regardless of the cloud involved, because the policy lives in one place rather than being retyped on each machine.
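The following is an added example, not code from the article or from any CMP product, of the abstraction just described: one application-level port policy rendered both as a reusable provider-style security group and as a per-VM iptables-restore ruleset for a cloud that has no security-group mechanism. The policy format, the function names and the sample two-tier deployment are all constructed for this illustration; the only thing taken from a real tool is the iptables-restore syntax.

```python
"""Added example, not code from the article or from any CMP product.

One application-level port policy is rendered two ways: as a reusable
provider-style security group and as a per-VM iptables-restore ruleset for
a cloud that has no such mechanism. The policy format, function names and
the sample deployment are constructed for this illustration.
"""
import ipaddress

# Constructed policy for a two-tier application. Each rule is
# (protocol, port, source), where source is either a CIDR or the name of
# another role, resolved to that role's VM addresses at deployment time.
APP_POLICY = {
    "web": [("tcp", 80, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0"),
            ("tcp", 22, "10.0.0.0/8")],
    "db":  [("tcp", 5432, "web"), ("tcp", 22, "10.0.0.0/8")],
}


def resolve_sources(src, deployment):
    """Turn a rule source into CIDR strings; a malformed CIDR fails closed."""
    if src in deployment:                       # another role: one /32 per VM
        return [f"{ip}/32" for ip in deployment[src]]
    return [str(ipaddress.ip_network(src))]     # ValueError on e.g. 10.0.0.1/8


def render_security_group(role, deployment, policy=APP_POLICY):
    """Ingress permissions for a cloud with reusable security groups."""
    return [
        {"protocol": proto, "port": port, "cidr": cidr}
        for proto, port, src in policy[role]
        for cidr in resolve_sources(src, deployment)
    ]


def render_iptables(role, deployment, policy=APP_POLICY):
    """iptables-restore input for a VM on a cloud without security groups.

    INPUT defaults to DROP; only loopback, established flows and the
    policy's ports from its listed sources are accepted.
    """
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port, src in policy[role]:
        for cidr in resolve_sources(src, deployment):
            rules.append(f"-A INPUT -p {proto} -s {cidr} --dport {port} -j ACCEPT")
    rules.append("COMMIT")
    return rules


if __name__ == "__main__":
    # Constructed deployment: the addresses a CMP would know after placing VMs.
    deployment = {"web": ["10.0.1.10", "10.0.1.11"], "db": ["10.0.2.20"]}
    for role in APP_POLICY:
        print(f"# {role}: security group")
        for perm in render_security_group(role, deployment):
            print("  ", perm)
        print(f"# {role}: iptables")
        print("\n".join(render_iptables(role, deployment)))
```

Two design points matter here. The database tier's source is the name of another role, not an address, so the same policy stays valid when the web tier is scaled or redeployed with new IPs. And `ipaddress.ip_network` is strict by default, so a mistyped source such as `10.0.0.1/8` raises instead of silently becoming a rule wider than intended.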
With network traffic secured, what about logging into a particular virtual machine? That is typically handled with SSH key pairs, so that an encrypted terminal session on port 22 is authenticated by a key rather than a password. But much like configuring port-level access, different clouds handle key setup differently. Some generate a key pair for you, while others let you upload your own public key and reuse it across multiple VMs. And, not surprisingly, no cloud provider will help you coordinate the same set of keys on a cloud other than its own.
Again, this is where CMPs can help, since they coordinate deployment activities and enforce policies across multiple clouds. By storing the public keys in the CMP (the private halves stay with the operators who hold them), the same keys can be installed on VMs in different clouds, and the detailed nuances of each provider's key handling are no longer the end user's concern.
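As an added example, not code from the article or from any CMP product, the block below shows the two things a CMP has to do with a stored public key before it can be reused on any cloud: validate that the key line is well formed (correct type, base64 blob whose embedded type matches the declared one, and the same SHA256 fingerprint `ssh-keygen -lf` would print), and render it into provider-neutral cloud-init user-data. It assumes the target images run cloud-init, which every major provider passes user-data to; the sample ed25519 key is constructed from a fixed byte pattern and is not a real key.

```python
"""Added example, not code from the article or from any CMP product.

Validates an OpenSSH public key line and renders cloud-init user-data that
installs it identically on any provider whose images run cloud-init.
The sample key is constructed and must never be used for real access.
"""
import base64
import hashlib
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def parse_public_key(line):
    """Return (type, SHA256 fingerprint, comment) or raise ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if ktype not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    blob = base64.b64decode(b64, validate=True)
    # The wire blob begins with a length-prefixed copy of the key type;
    # a mismatch means the line was edited or spliced together.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != ktype:
        raise ValueError("key type in blob does not match declared type")
    # Same fingerprint format as `ssh-keygen -lf`: SHA256 of the blob,
    # base64 without padding.
    fp = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return ktype, f"SHA256:{fp}", comment


def render_cloud_config(login, keys):
    """cloud-init user-data: key-only login for one account, no root, no passwords."""
    lines = [
        "#cloud-config",
        "ssh_pwauth: false",
        "disable_root: true",
        "users:",
        f"  - name: {login}",
        "    ssh_authorized_keys:",
    ]
    for key in keys:
        parse_public_key(key)           # refuse to ship a malformed key
        lines.append(f"      - {key.strip()}")
    return "\n".join(lines) + "\n"


def _constructed_ed25519_key():
    """Build a syntactically valid ssh-ed25519 line from a fixed byte pattern."""
    body = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(body).decode() + " ops@cmp"


SAMPLE_KEY = _constructed_ed25519_key()   # constructed, not a real key

if __name__ == "__main__":
    print(parse_public_key(SAMPLE_KEY))
    print(render_cloud_config("deploy", [SAMPLE_KEY]), end="")
```

The fingerprint is what an operator compares against the CMP's record before trusting a VM, and `ssh_pwauth: false` plus `disable_root: true` make the key the only way in, which is the point of going to the trouble of managing keys centrally.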
Now not only is the network secured, but command-line access to the machine housing the data is as well. What's left is to encrypt the data itself, so that if the first two lines of defense fail, an intruder still cannot read it. This is typically where CMPs stop offering formal support for differences between clouds, as they do for port-level or login access, because at this point the user is operating at a Linux or Windows shell. CMPs do, however, typically provide scripting hooks, so that shell scripts run at deployment time can talk to a hardware security module (HSM) vendor's system, which holds the keys used to encrypt local data rather than leaving them on the same disk as the data.
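The following is an added example of such a deployment-time hook, not code from the article or from any CMP or HSM vendor. The HSM client call is a hypothetical stub (`fetch_data_key`) that returns a fixed, constructed key; a real hook would replace that one function with the vendor's PKCS#11, KMIP or REST client. Everything else uses only the `openssl` command line and POSIX shell.

```sh
#!/bin/sh
# Added example: a CMP deployment-time hook that encrypts a local data file
# with a data key released by an HSM. Not the article's or any vendor's code.
set -eu

# HYPOTHETICAL stand-in for the HSM vendor's client. A real hook would call
# the vendor's PKCS#11/KMIP/REST wrapper here. Returns a 256-bit AES key as
# 64 hex characters; the value below is a constructed placeholder, not a key
# to reuse. The key only ever lives in this shell's memory, never in a file.
fetch_data_key() {
    echo "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
}

# encrypt_file SRC DST: DST = "<iv hex>\n" followed by AES-256-CBC(SRC).
encrypt_file() {
    src="$1"; dst="$2"
    iv=$(openssl rand -hex 16)              # fresh random IV per file
    {
        echo "$iv"
        openssl enc -aes-256-cbc -K "$(fetch_data_key)" -iv "$iv" -in "$src"
    } > "$dst"
}

# decrypt_file SRC DST: the reverse of encrypt_file.
decrypt_file() {
    src="$1"; dst="$2"
    iv=$(head -n 1 "$src")
    tail -n +2 "$src" | openssl enc -d -aes-256-cbc -K "$(fetch_data_key)" \
        -iv "$iv" -out "$dst"
}

# roundtrip_ok: self-check a hook can run after deployment. Prints "ok" and
# returns 0 when a constructed sample survives encrypt+decrypt and the
# ciphertext no longer contains the plaintext.
roundtrip_ok() {
    tmp=$(mktemp -d)
    printf 'customer=acme\ncardholder=constructed-sample\n' > "$tmp/data.txt"
    encrypt_file "$tmp/data.txt" "$tmp/data.enc"
    decrypt_file "$tmp/data.enc" "$tmp/data.dec"
    if ! cmp -s "$tmp/data.txt" "$tmp/data.dec"; then rm -rf "$tmp"; return 1; fi
    if grep -q 'cardholder' "$tmp/data.enc"; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    echo ok
}
```

Two caveats a practitioner would raise before shipping a hook like this. Passing the key with `-K` puts it on the `openssl` command line, where any local user can read it from the process list for the duration of the call; a production hook should hand the key over through the vendor's library or a file descriptor instead. And AES-CBC gives confidentiality only, so an attacker who can write to the encrypted file can still flip bits undetected; add an HMAC over the ciphertext, or use an AEAD mode through a library, before relying on this for integrity as well.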
CMPs can help manage several aspects of a strategy for protecting your data in a multicloud world. They abstract cloud differences to deliver consistent port-level security and login access, and the scripting hooks they typically provide at deployment time can drive a wide variety of data encryption techniques. Combined, these methods give a team a consistent toolkit for building one security strategy across multiple clouds.
— Pete Johnson is Technical Solutions Architect for Cloud in the Global Partner Organization at Cisco.