The best security is by design. But that raises a problem when securing a multicloud.
Multiclouds rarely originate from a conscious design. More often than not, they are an attempt to bring architectural coherence to disparate systems, networks and applications that were deployed independently and interconnected haphazardly.
Securing a multicloud requires that information technology professionals focus on architectural elements that facilitate effective monitoring and control, in several respects:
- Security rides DevOps workflows: To be effective on the multicloud, security needs to be built right into the pipeline of application development, testing and release tasks that distributes fresh application code. In other words, it must be integral to the DevOps workflow. Once that is in place, developers would have no choice but to build containerized and serverless apps. “DevSecOps” refers to approaches for delivering “security as code” in the continuous integration/continuous deployment (CI/CD) workflow. To be effective, DevSecOps must be adopted in common across application development, IT operations and security teams in the various interconnected public and private clouds. In a DevSecOps workflow, developers must have tools that help them identify and prioritize vulnerabilities as they write code.
- Security orchestrates over Kubernetes: On the multicloud, security code must be orchestrated over containerized Kubernetes backbones at all layers, including applications, networks and systems. Software-defined wide-area networking on a Kubernetes backplane is a powerful way to integrate security into application-level routing. Infrastructure components must be able to introspect containerized application payloads and thereby perform intrusion detection and other content-aware security functions. This would ensure consistent processing of policy-driven routing decisions across hybrid private and public clouds. Kubernetes-based controllers will translate enterprise private-cloud network and security policies into equivalent instructions governing the behavior of network components — including virtual switches and firewalls — that run in target public clouds. Wikibon expects that AIOps tool vendors will rapidly adopt an emerging open-source DevOps project called Kubeflow. This will enable automated updating of security and other policies that were built in TensorFlow and other AI models to containerized network and policy management systems anywhere on the multicloud. As this trend intensifies, vendors will embed closed-loop, automated security into a growing range of edge gateways, on-premises computing/storage racks and device-level container runtimes on distributed Kubernetes backplanes.
- Security harnesses AI-powered adaptivity: Multiclouds must be secured through use of AI-enhanced software-defined networking infrastructure. Without AI-powered DevSecOps, it will become fearsomely difficult for cloud professionals to deploy and manage microservices, containers and serverless apps securely across the cloud. These data-driven algorithms are essential components for automating the prevention, detection and remediation of security issues throughout the application lifecycle. The AI-powered smarts enable dynamic security responses such as intent-based networking, application-aware firewalling, intrusion prevention, health monitoring, anti-malware, API-consumable security, 24×7 proactive security monitoring, continuous exploit testing, closed-loop network self-healing, shared threat intelligence and URL filtering. Automated tools must predict the likely behaviors of code in the target production environments, rather than simply scan builds for the signatures of known issues seen in the past. Tooling must identify and remediate potential vulnerabilities by embedding security rules into the normal CI/CD workflow. Blockchains will persist the immutable logs of network, system and application-level data that will be needed to train AI-driven multicloud security controllers dynamically.
- Security gains topological agility: Security must permeate the hub-and-spoke, mesh and edge-facing topologies that increasingly define enterprise multiclouds. As cloud providers ramp up their support for managed services that simplify interconnection of software-defined wide-area networks over complex multicloud architectures, security must be built into the routing, traffic management and policy tools that enable end-to-end management of these environments, in spite of their shifting perimeters. Adoption of cloud-native industry service-mesh initiatives — most notably, Istio — will enable enterprises to proactively monitor, control and optimize meshes through the proverbial single pane of glass. As the perimeter of meshes grows fuzzier toward the edges of the “internet of things,” end-to-end security must remain in force through such post-perimeter techniques as continuously adaptive risk and trust assessment. Essentially, this approach moves the software-defined security “perimeter” to wherever the requested content happens to live in the multicloud. Every node must always have access to the relevant identities, credentials, permissions, context variables, code-based policies and other security assets needed to strongly authenticate and authorize access to managed resources while also ensuring confidentiality, tamper-proofing, audit trails and other security controls.
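As an added illustration of the “security as code” and identity-at-every-node points above (example manifests written for this article, not Wikibon’s or the Istio project’s own), the following Istio policies put workload identity, not network location, at the center of authorization: mesh-wide mutual TLS is made mandatory, a namespace is closed by default, and a single caller is then allowed in by its service-account identity. The namespaces `checkout` and `payments`, the service account `checkout` and the path `/v1/charge` are constructed placeholders.

```yaml
# Constructed example: Istio security-as-code manifests (not from the original article).
# 1. Require mutual TLS for every workload in the mesh, so each request carries a
#    cryptographically verified service identity (SPIFFE-style principal).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # root namespace: applies mesh-wide unless overridden
spec:
  mtls:
    mode: STRICT            # plaintext traffic between sidecars is rejected
---
# 2. Close the namespace by default: an AuthorizationPolicy with an empty spec
#    matches all workloads in the namespace and allows nothing.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments       # constructed namespace name
spec: {}
---
# 3. Re-open exactly one path for exactly one verified caller. The principal is
#    derived from the caller's mTLS certificate, so a pod that spoofs labels or
#    an IP address still cannot match this rule.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-checkout-to-payments
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments         # constructed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/checkout/sa/checkout"   # constructed service-account identity
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/charge"]                       # constructed API path
```

Because the policies are plain manifests, they can be version-controlled and reviewed in the same CI/CD pipeline as the application code they protect, which is the DevSecOps model described above.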
Wikibon sees many signs that cloud providers understand the new shape of security in the multicloud. Consider these industry announcements within the past six months:
- Google LLC announced an update to Google Kubernetes Engine that brings integrated support for the open-source Istio service mesh, which integrates, secures and manages traffic routing among distributed cloud microservices, over orchestration services such as Kubernetes.
- Cisco Systems Inc. announced a solution that enables closed-loop automation of security, policy, segmentation, performance and network health monitoring on workloads and data running in any application domain anywhere in the multicloud. This new offering encompasses integrations between Cisco’s Application Centric Infrastructure, SD-Access, SD-WAN, AppDynamics, DNA Center and Identity Services Engine solutions.
- VMware Inc.’s new Service-Defined Firewall validates multicloud application behavior based on microservices variations over time. Eschewing the need for installed agents on monitored environments, it uses AI to build a map of how a distributed app should run. Leveraging the visibility that VMware’s NSX and AppDefense solutions have into multicloud infrastructures and applications, it automatically models application behavior and automates shrinkage of cloud applications’ attack surfaces in the event of an intrusion or other threat. VMware has announced plans to extend its firewall to hybrid clouds, including AWS Outposts, in the future.
- Lookout Inc.’s new Post-Perimeter Security Alliance is building a vendor-agnostic framework for seamlessly integrating security and identity across clouds, edge devices and other IT platforms and tools. Its aim is to help enterprises protect their data all the way to the edge without crimping user mobility and experience. In addition to Lookout, the group’s members include leaders in cloud computing, identity and access management, mobile device management and endpoint protection, such as Google Cloud and VMware.
- A10 Networks Inc. announced its multicloud secure service mesh solution for applications deployed in Kubernetes, incorporating integrated security, analytics, auto-scaling, policy management and elastic load balancing for traffic to and among microservices.
For an in-depth discussion of how best to address comprehensive multicloud security with automated tooling, check out my recent Wikibon article.