Strategies for surviving in a multi-cloud world
Jun 21, 2022
Today’s enterprises face the challenge of securing the expanded attack surface of their sprawling multi-cloud footprint. Legacy approaches like adding firewalls and VPNs to protect an expanding perimeter do not adapt well to cloud computing services, SaaS, PaaS, IaaS, and others. Tackling new technologies with old security paradigms leaves businesses exposed and their defenses stretched thin.
Recently, Bryan Green moderated a panel discussion on ways zero trust and secure service edge (SSE) mitigate security risk in a multi-cloud world. Joining him were John Graham, CISO for private airline provider NetJets, and Michael Strause, director of security architecture at International Flavors and Fragrances (IFF).
Strategies that don’t work for moving to the cloud
Graham mentioned that before joining NetJets, the team used a traditional lift-and-shift strategy to move applications to the cloud. They migrated without redesigning or considering operational workflow. This created problems because nothing was properly organized for the cloud.
He also found that developers were building infrastructure as though projects were “pets” – perpetually requiring a high level of personal investment and care – and this needed to change. He reminded attendees that 20 or 30 years ago, people would build servers and put them under their desks. As CISO, he aimed to shift people from this protective mentality to one viewing infrastructure more like “cattle,” subject to rigorous and standardized production processes. He knew he had to correct how his team built software in the cloud: they needed to follow guardrails. Current processes were too ad hoc and informal to be effective or efficient.
Strause was in a similar boat. At IFF, workloads and applications reside primarily in Amazon Web Services (AWS), with some in Microsoft Azure. Apart from internal developers, IFF also works with partners who build things in unsanctioned clouds and cloud applications that need to be secure – essentially in shadow IT mode. Partners would often come to him with code they had already developed and say, “Hey, this is secure, right?”
The answer is no. The correct approach is to collaborate from the first stages of development and build a secure code base from the ground up; in these cases, security was being treated as an afterthought. Strause also said the key to working with different groups at various stages is having multiple solutions in your arsenal. Likewise, it is critical to clearly explain the rules and criteria each step of the software development life cycle must meet in order to proceed.
Strategies that work for moving to the cloud
Graham shared the stages of maturity he’s been through with his team on the zero trust journey. He suggested that it’s best to work in stages linearly because teams can only consume so much at one time.
“The first part of the journey was to get Zscaler deployed everywhere – Zscaler Private Access, Zscaler Internet Access, and all of the solutions we acquired – which we’ve done. Next, we started working with developers on secure coding, something they’ve never done before. We introduced toolsets to help them and to educate them on that score,” he explained. “Then we added in a construct around digital certificate management and incorporated that into their pipeline. Now we’re moving to the next phase with Zscaler for workload management and protection.”
The next topic of discussion focused on gating and the approval process for checking in code. Graham said he is cautious about even using the term “gating” because he doesn’t want to imply that security is slowing things down. This can make it appear to be a bottleneck in the development cycle.
“It just creates too much consternation,” he said. Instead of “security gate,” he suggested using the term, “security approval” and framing it in terms of a quality assurance (QA) process: “You’ve got a process, you have a workflow, and you do your testing. Security should be a component of that.”
Strategies for securing critical data in the cloud
Graham's next goal is to segment who should be able to see customer information and who should not.
“The crown jewels are our customer’s information. We’ve got information on the top-tier people around the world – down to what kind of ice cube and what kind of bourbon do they want on our planes,” he said. Protecting this data is a major priority for Graham’s team.
Growing the multi-cloud footprint securely
Since both panelists primarily use AWS, Green asked them how they would approach expanding into other clouds.
“We would use common tool sets that work with other clouds,” answered Strause. One of the things his team does when containerizing things and delivering apps externally is to build them with a ‘headless’ architecture. This approach uses separate application programming interfaces (APIs) at the front end, decoupling it from the backend business and application logic.
“The application doesn’t have a place to phone home. API calls just go to an API front end, so the application is less vulnerable and therefore less prone to attack. That’s generally how I see things shifting, as we start to develop these apps, become more global, use the internet, and put computing closer to the edge,” said Strause.
“You have to have some kind of standard when it comes to security tools, and, right now, we don’t,” added Graham. With all of the different clouds out there, he continued, “it’s like the wild, wild west.” Nonetheless, he does require everyone on his team to attend AWS training – even the network staff – so they learn and understand the terminology associated with the cloud.
Strategies for securing traffic
Green asked both panelists about how they govern traffic that talks directly to the internet:
- Did their legacy security controls also get moved over in the lift-and-shift process?
- How do they mitigate threats to their workloads in the server infrastructure?
Graham said this wasn’t so much of an issue in his industry. The NetJets marketing team uses a mobile app and website, with identity on the owner’s side that is then pulled into Zscaler. They don’t have internet-facing workloads.
Strause uses Zscaler Internet Access as a catch-all at all of his organization’s data centers. Security is built into their pipeline for developers as well.
“It can’t move into production until they prove to us through automation that the application will be secure. And then there are other layers of defense in the mix. We rely on monitoring and have prevention policies in place,” he said. “Someone can’t just take a server, put a public IP address to it, and start allowing things to go outbound. We force everything through a tunnel from a workload perspective. If someone needs access to a resource, that access is automated. We make sure everything goes through the proper security controls before it goes out.”
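The admission rule Strause describes (no public IP on a workload, no direct outbound rules, everything forced through a tunnel, proven by automation before promotion) can be expressed as a pipeline check. The following is an added example, not code from IFF or Zscaler; the manifest schema, field names and tunnel address range are assumptions.

```python
"""Pre-production admission check: a workload is only admissible when
automation can show it has no public IP, no direct outbound rule, and
egresses solely through the forwarding tunnel. Hypothetical manifest schema."""
import ipaddress
from typing import Dict, List

# Assumed: the only address ranges a workload may reach directly are the
# tunnel's own range; everything else must traverse the tunnel.
TUNNEL_CIDRS = [ipaddress.ip_network("10.0.5.0/24")]
# Assumed: addresses outside these RFC 1918 ranges count as public.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample manifests as a pipeline step might receive them.
WORKLOADS = [
    {"name": "orders-api", "public_ip": None, "egress_via": "tunnel",
     "egress": [{"cidr": "10.0.5.10/32", "port": 443}]},
    {"name": "legacy-batch", "public_ip": "203.0.113.7", "egress_via": "direct",
     "egress": [{"cidr": "0.0.0.0/0", "port": 0}]},
]


def _is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_RANGES)


def _inside_tunnel(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(t) for t in TUNNEL_CIDRS)


def check_workload(w: dict) -> List[str]:
    """Return the policy violations for one workload; empty means admissible."""
    findings = []
    if w.get("public_ip") and _is_public(w["public_ip"]):
        findings.append("public IP attached")
    if w.get("egress_via") != "tunnel":
        findings.append("egress not forced through tunnel")
    for rule in w.get("egress", []):
        if not _inside_tunnel(rule["cidr"]):
            findings.append("direct outbound rule to " + rule["cidr"])
    return findings


def admit(workloads) -> Dict[str, List[str]]:
    """Map each workload name to its violations; only empty lists may ship."""
    return {w["name"]: check_workload(w) for w in workloads}
```

Run `admit(WORKLOADS)` in the pipeline and fail the promotion step for any workload whose list is non-empty.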
Zero trust security as a competitive advantage
Graham and Strause also described how they view their roles in security and whether they see zero trust or security service edge (SSE) as a competitive advantage.
Strause perceives the role of both IT and security as supporting the business. His organization is increasingly interested in leveraging the cloud, especially in the R&D area. Hence, for him, it’s about ensuring users are secure and then getting out of their way.
“Security is seamless behind the scenes. The tools are becoming more flexible, giving us the visibility we need so we can pivot a lot quicker,” said Strause.
Graham added: “The way we positioned the controls, and especially with Zscaler, is to ask: What’s the value add? Honestly, we don’t talk about all the things that we gain from a security team. We talk about how we get our users connected more easily. We tell the executive team, ‘Hey, you can actually pull up Tableau now on your iPhone because you already have the ZPA connecting back.’ And they just love it. We get emails all the time from people saying, ‘This is amazing.’ This is fantastic because, as a security professional, you’re usually whacking people and they get frustrated with you.”
After hearing this, I considered whether we should rename the security department “The Department of Improving Business Agility and Business Outcomes.” When done right, cloud security accomplishes so much more than simply preventing attacks.