Locking It Down: Securing Multicloud IT Across Industries
Organizations engaged in digital transformation efforts are discovering the advantages of a multicloud strategy to meet new requirements for speed, agility and scalability. More than 80% of organizations have adopted a hybrid multicloud environment. However, security challenges abound, and compounding these challenges are the requirements and regulations imposed by market segment.
It is not unusual for a healthcare network to include the local hospital environment, the offices and clinics of doctors and other healthcare practitioners, and the personal devices of healthcare providers. Also, patients increasingly want to be able to access their data from a variety of locations and devices.
Cloud computing, especially multicloud networks, makes sharing data and connecting with patients more effective. However, a multicloud strategy can add complexity by expanding the network footprint while restricting visibility and control.
Because cloud networks often function as separate domains, they can impact an institution's ability to comply with HIPAA definitions of confidentiality, integrity and availability. A multicloud architecture makes it more challenging to have single line-of-sight visibility and control.
IT teams need to consider integrated security strategies that protect patient information regardless of where it is located, enable doctors to freely and securely access that information, and at the same time unify and centralize threat intelligence.
Connected medical devices, or IoMT, especially those connected to the cloud, compound this challenge. While the use of new connected devices has positively impacted patient care, many of these devices lack up-to-date security provisions.
Financial services are under pressure to compete for and retain customers. Tech-savvy consumers want cloud-based apps and services to do their banking any time, anywhere. For many financial institutions, multicloud strategies provide the flexibility needed to deliver a wide range of internal and external services.
Simultaneously, the financial services sector is among the most heavily regulated verticals. Recent SEC regulations, for example, require that companies "adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure." NYSDFS cybersecurity requirements, which went into effect last year, go even further.
Creating a unified and consistent security strategy that can span local networks, mobile workers and consumers, and different cloud providers is a challenge that financial services organizations will need to address.
The cloud is transforming education, from K–12 to universities, as faculty, staff, and students embrace new digital tools and methodologies.
Schools have embraced bring-your-own-device (BYOD) strategies and peer-to-peer (P2P) networking to allow students to more effectively conduct research or collaborate using their personal mobile devices connected to the campus WiFi network. Cloud-based networks allow schools to create flexible and elastic on-demand environments that enable collaborative learning and, as a result, many school districts now find themselves with multi-IaaS and multi-SaaS services running across both public and private cloud environments.
According to one report, the US education sector experienced more security incidents in 2016 than both the retail and the healthcare sectors. But schools, and K–12 institutions in particular, typically have fewer IT resources and have a harder time combating attacks, which means they have to be smarter and faster to stay ahead of today's threats.
Developing a multicloud security strategy
The opportunities provided by a cloud, and especially a multicloud, strategy far outweigh the risks. Fortunately, many of the challenges can be solved with the right security plan.
Good cyber hygiene: Network hygiene and device hygiene are perhaps the most neglected elements of security today, but they are critically important, particularly when networks and devices are connected to the cloud.
- Establish a routine for checking for updates and applying patches when they become available. Automate this process as much as possible.
- Replace vulnerable devices when new versions with better security become available.
- Establish IoT security protocols, such as making sure your AV and IPS solutions include IoT signatures.
- Implement sandboxing to discover unknown malware and compromised devices coming from your cloud connections.
Limit device access: Impose strict controls on which devices can access your network. Remember that wireless access only applies to some IoT devices. You will need to also have protocols in place for Bluetooth connections, radio frequency-based devices spanning nearly a dozen different protocols, and smart devices hardwired into your network. Many of these devices access the network behind the firewall.
Limit user access: Not everyone needs administrator privileges.
Limit applications in your environment: Use only those with a business need, and keep those applications and systems up to date and fully patched. Using unnecessary applications expands the attack surface and increases the complexity of protecting the environment.
Inventory authorized/unauthorized devices: This should include the cataloging of authorized and unauthorized connected devices within your environment, including consumer devices like cellphones and laptops. You have to know what you're protecting.
— Matt Pley, Vice President for Cloud, GSI, Carrier, Service Providers and Strategic Accounts for Fortinet.