February 15, 2017

5 steps to secure your multi-cloud environments

Simo Nurmi

Head of Enterprise Cloud Business Development, Tieto

Security management in multi-clouds might feel like an imposing prospect to many of us. Indeed, it is a complicated and intimidating concept, but it can be managed with the same kind of processes and practices that you probably have in place already with your hybrid cloud configuration or even with your data centres.

Analysts say that 70 per cent of chief information officers (CIOs) think that online security is a top three priority for them, yet only 40 per cent will actually invest in it during 2017.

Perhaps this gap between concern and willingness to act reveals that investments in data security are harder to appreciate as business benefits, or that improvements are seen as so expensive, and so hard to quantify and measure, that it is easier to spend the money in other areas.

Analysts add that by the end of 2017, 65 per cent of capacity will be off-site. Understanding may be hazy surrounding multi-clouds, but they are here, now, and already causing positive effects.

I have put together five steps that you can carry out to secure your multi-cloud environments. You can start somewhere, get more experience and improve. Some of the practices are not expensive to implement, but might need a change in your processes. It’s worth noting that they might also increase your efficiency.

1. Implement a security model

As with your own data centres, you should have a security framework to rely on in multi-cloud. In the ‘security onion’ model pictured above, the thinking is that the more levels an attacker has to penetrate to access a valuable resource, the better the chances are that the attack will not be successful.

Consequently, you should design your service to have numerous layers protecting any sensitive data. This way, you can ensure that if one security measure is breached, other obstacles will be in place to keep the attacker at bay.

2. Introduce a data classification process
Data classification is the process of organising data into categories for its most effective and efficient use. The benefit of this practice is that it identifies and highlights which data is most valuable to you and it can be a very efficient way of finding and retrieving your data. Of course, it also helps you with risk management and compliance.

Usually, organisations have three or four categories in their classification scheme, for example:

  • Highly sensitive data: this has a direct impact on your business and customers. Example: business transactions, credit card details, personal information.
  • Sensitive internal data within an organisation: this may impact operations. Example: contracts with suppliers or logistics partners, R&D plans, forecasts, market analysis.
  • Less sensitive internal data: information not intended to be seen by customers or third parties. Example: organisational chart, HR guidelines, hour reporting.
  • Public data. Example: content on your company’s web page

3. Centralise some operations
This step is not only linked to security enhancement, but can also bring efficiency to your operations - something that should always be kept in one's mind when planning investments.

It’s important in some cases to know who did what to your systems, as well as when and why. The systems that answer those questions can be centralised so that access control, auditing and log storage are shared.

Let’s take a closer look at access control and explore how it can be a secure solution that introduces new efficiencies to your operations.

By managing accesses to private and public clouds through integration with enterprise directories and role-based access rights, you can prevent unauthorised access to services and have control over user access.

Also, cloud services that have federated user management reduce the number of passwords you use, and therefore the risk of them being compromised.

But it’s not only about security: it also makes it possible to integrate your services with your identity management (IDM) system, meaning you never have the situation where a former employee still has access to your systems. It also means new employees can be handled automatically and more efficiently.

4. Authenticate your workloads
It has become widely accepted that using SSH keys is essential, especially to grant access to your public cloud workloads. In many cases, this is secure enough as long as you ensure that old keys don’t remain on servers. Here, we come back to automation and centralised operations. This is quite familiar to most of us but it’s also very important to ensure that hackers breaching your continuous deployment chain don’t also gain access to your production environments.
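One way to automate the check for old keys described above, as an added example that is not part of the original post: it parses an `authorized_keys` file, computes each key's SHA256 fingerprint and reports entries missing from a centrally maintained approved set. The key blobs, comments and the `APPROVED` inventory are constructed for illustration, and the function names are hypothetical.

```python
import base64
import hashlib
import re
import struct

# Key type and base64 blob; leading options such as from="..." are skipped.
KEY_RE = re.compile(r'(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+={0,2})')

def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_line(line):
    """Return (keytype, fingerprint, comment), or None if the line holds no valid key."""
    line = line.strip()
    m = None if line.startswith("#") else KEY_RE.search(line)
    if not m:
        return None
    keytype, b64 = m.groups()
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # The blob begins with a length-prefixed copy of the key type; reject mismatches.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != keytype.encode():
        return None
    return keytype, fingerprint(blob), line[m.end():].strip()

def stale_keys(authorized_keys, approved):
    """(line number, fingerprint, comment) for keys absent from the approved set."""
    parsed = ((n, parse_line(l)) for n, l in enumerate(authorized_keys.splitlines(), 1))
    return [(n, p[1], p[2]) for n, p in parsed if p and p[1] not in approved]

def constructed_blob(seed):  # constructed ed25519-shaped blob, not a real key
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32

def entry(seed, comment, options=""):
    b64 = base64.b64encode(constructed_blob(seed)).decode()
    return f"{options} ssh-ed25519 {b64} {comment}".strip()

SAMPLE = "\n".join([  # constructed authorized_keys content
    "# keys for the app user",
    entry(1, "alice@laptop"),
    entry(2, "deploy@ci", 'from="10.0.0.0/8",no-pty'),
    entry(3, "bob@old-laptop"),  # old key that was never removed
])
APPROVED = {fingerprint(constructed_blob(s)) for s in (1, 2)}  # assumed central inventory
if __name__ == "__main__":
    print(*stale_keys(SAMPLE, APPROVED), sep="\n")
```

Run against each server's real `authorized_keys` content from a scheduled job, any reported line is a key the central inventory no longer recognises.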

One way of tightening security in public cloud production environments is to dedicate some time to designing your service catalogue and consider accepting only certified access. This might sound like a big task, but many organisations are using this already in relation to mobile devices to allow access to emails and calendars, but notably, not production environments in public clouds. It really is worth thinking about where your most valuable data is stored.

5. Have consistent policies
Sometimes dealing with global public clouds is difficult, in terms of their flexibility. We all know that based on industry or country, there are some regulations that you have to follow. Of course, in multi-cloud environments, you can choose a local player when you need it.

In some cases, you need that flexible local partner to follow governmental regulations and set up a PCI-compliant environment: a partner who will continuously monitor and update the content of the services, based on the regulations of the environment you are doing business in, and who is aware of your multi-cloud strategy.

Download our whitepaper and get to know Tieto’s multi-cloud management solution, Tieto OneCloud, offering you a secure way to all the cloud benefits. 
