Difference between revisions of "User:Shawndouglas/sandbox/sublevel45"

From LIMSWiki
Jump to navigationJump to search
Line 1: Line 1:
"The public cloud services market has more than doubled since 2016," found International Data Corporation (IDC) in 2020, noting that "the worldwide public cloud services market, including [[infrastructure as a service]] (IaaS), [[platform as a service]] (PaaS), and software as a service (SaaS), grew 26.0% year over year in 2019, with revenues totaling $233.4 billion."<ref name="IDCWorldwide20">{{cite web |url=https://www.idc.com/getdoc.jsp?containerId=prUS46780320 |title=Worldwide Public Cloud Services Market Totaled $233.4 Billion in 2019 with the Top 5 Providers Capturing More Than One Third of the Total, According to IDC |author=International Data Corporation |publisher=International Data Corporation |date=18 August 2020 |accessdate=21 August 2021}}</ref> In November 2020, Gartner predicted global public cloud computing spend would increase more than 18 percent in 2021, with PaaS growth leading the way due to remote workers needing more powerful, scalable infrastructure to complete their work.<ref name="GartnerForecast20">{{cite web |url=https://www.gartner.com/en/newsroom/press-releases/2020-11-17-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-18-percent-in-2021 |title=Gartner Forecasts Worldwide Public Cloud End-User Spending to Grow 18% in 2021 |publisher=Gartner, Inc |date=17 November 2020 |accessdate=21 August 2021}}</ref> Gartner added that "survey data indicates that almost 70% of organizations using cloud services today plan to increase their cloud spending in the wake of the disruption caused by [[COVID-19]]."<ref name="GartnerForecast20" />
The ''Flexera 2020 State of the Cloud Report'' and its associated survey found that 87 percent of respondents had already taken a hybrid cloud stance for their organization and 93 percent of respondents had already implemented a multicloud strategy within their organization.<ref name=WeinsCloud20">{{cite web |url=https://www.flexera.com/blog/industry-trends/trend-of-cloud-computing-2020/ |title=Cloud Computing Trends: 2020 State of the Cloud Report |author=Weins, K. |work=Flexera Blog |date=21 May 2020 |accessdate=21 August 2021}}</ref> A 2020 report by IDC predicted 90 percent of enterprises around the world will be relying on some combination of hybrid or multicloud with existing legacy platforms by 2022, though they may not necessarily have a sufficient investment in in-house skills to navigate the complexities of rolling out those strategies.<ref name="IDCExpects2021_20">{{cite web |url=https://www.idc.com/getdoc.jsp?containerId=prMETA46165020 |title=IDC Expects 2021 to Be the Year of Multi-Cloud as Global COVID-19 Pandemic Reaffirms Critical Need for Business Agility |author=International Data Corporation |publisher=International Data Corporation |date=31 March 2020 |accessdate=21 August 2021}}</ref> These complexities were discussed in Chapter 1; hybrid cloud reveals a greater attack surface, complicates security protocols, and raises integration costs,<ref name="CFWhatIsHybrid">{{cite web |url=https://www.cloudflare.com/learning/cloud/what-is-hybrid-cloud/ |title=What Is Hybrid Cloud? Hybrid Cloud Definition |publisher=Cloudflare, Inc |accessdate=04 March 2021}}</ref><ref name="HurwitzWhat21">{{cite web |url=https://www.dummies.com/programming/cloud-computing/hybrid-cloud/what-is-hybrid-cloud-computing/ |title=What is Hybrid Cloud Computing? |work=Dummies.com |author=Hurwitz, J.S.; Kaufman, M.; Halper, F. et al. |publisher=John Wiley & Sons, Inc |date=2021 |accessdate=21 August 2021}}</ref> while multicloud brings with it differences in technologies between vendors, latency complexities between the services, increased points of attack with more integrations, and load balancing issues between the services.<ref name="CFWhatIsMulti">{{cite web |url=https://www.cloudflare.com/learning/cloud/what-is-multicloud/ |title=What Is Multicloud? Multicloud Definition |publisher=Cloudflare, Inc |accessdate=21 August 2021}}</ref> Broadly speaking, these complexities and security challenges arise out of the fact more systems must be integrated.


These statistics highlight the continued transition and investment into the public cloud for organizations, and recent surveys of IT professionals appear to find a matching level of increased confidence in the public cloud.<ref name="PRNNewRes21">{{cite web |url=https://www.prnewswire.com/news-releases/new-research-reveals-it-professionals-growing-confidence-in-public-cloud-despite-security-concerns-301208046.html |title=New research reveals IT professionals' growing confidence in public cloud despite security concerns |author=Barracuda Networks, Inc |work=PR Newswire |publisher=Cision |date=14 January 2021 |accessdate=21 August 2021}}</ref> But as reliance on the public cloud continues to grow, organizations inevitably discover new security and networking challenges, including difficulties keeping services seamlessly available and scalable, and network costs more affordable while limiting complexity upticks<ref name="PRNNewRes21" />, which makes security more difficult.<ref name="BocettaProblem19">{{cite web |url=https://www.networkcomputing.com/network-security/problem-complex-networks-getting-harder-secure |title=Problem: Complex Networks Getting Harder to Secure |author=Bocetta, S. |work=Network Computing |date=09 July 2019 |accessdate=21 August 2021}}</ref>
As of April 2021, four providers of hybrid and multicloud technology and services stand out: Cisco, Dell, HPE, and VMware. These providers don't provide public cloud services but rather take a service-based approach to supplying hardware, software, and managed services to assist customers adopt a hybrid or multicloud approach for their business. From a security perspective, we have to ask at a minimum three questions about these companies:


As of April 2021, the bulk of public cloud market share is represented by 10 companies: Alibaba, Amazon, DigitalOcean, Google, IBM, Linode, Microsoft, Oracle, OVH, and Tencent. From a security perspective, we have to ask at a minimum four questions about these companies:
* How do they manage your data and security in a trustworthy way?
* How are cloud technologies and services developed and audited for security?
* What public CSPs do they publicly state their technologies and services support or integrate with?


* What are their compliance offerings?
In this context of trust, these companies should have a "trust center" that helps consumers and enterprises find answers to security questions about their cloud technologies and services. A trust center was found for three of the four CSPs; HPE's trust center could not be located. Whether through internal secure development processes or external auditing practices, the security of the technology and services offered by these providers remains vital, and they should be able to demonstrate by explaining their development and auditing processes. Additionally, hybrid and multicloud providers should make clear which public CSPs are supported for or integrated ideally with the provider's hybrid and multicloud services. Not all public clouds are fully supported by these providers. See Table 6 for links to these three security and interoperability aspects for each hybrid/multicloud CSP.  
* Where is their SOC 2 audit report?
* What is their shared responsibility model?
* What is their architecture framework based upon?
 
In this context, compliance offerings are the documented compliance certifications, attestations, alignments, and frameworks a public CSP boasts as part of an effort maintain security and compliance for their cloud services. Each of the seven public CSPs has a landing page introducing customers to those compliance offerings (Table 5), though some vendors' pages are more clearly organized than others. Each offering then links off to another page, document, or related certificate explaining compliance. In particular, the SOC 2 audit report should be viewed, though most providers require you to be a customer or inquire with their sales department to obtain it. The SOC 2 audit results outline nearly 200 aspects of a CSP's security, as audited by an independent third party, providing the closest look one can get to a CSP's ability to assist with regulatory compliance (more on this in Chapter 4).<ref name="HemmerTrust19">{{cite web |url=https://linfordco.com/blog/trust-services-critieria-principles-soc-2/ |title=Trust Services Criteria (formerly Principles) for SOC 2 in 2019 |author=Hemer, N. |work=Linford & Company IT Audit & Compliance Blog |publisher=Linford and Co. LLP |date=18 December 2019 |accessdate=21 August 2021}}</ref><ref name="TillerIsThe19">{{cite web |url=https://storage.pardot.com/468401/1614781936jHqdU6H6/Whitepaper_Is_the_cloud_a_safe_place_for_your_data.pdf |format=PDF |title=Is the Cloud a Safe Place for Your Data?: How Life Science Organizations Can Ensure Integrity and Security in a SaaS Environment |author=Tiller, D. |publisher=IDBS |date=2019 |accessdate=21 August 2021}}</ref> As previously discussed, a shared responsibility (or shared security) model is the common approach to clarifying who's responsible for what portions of security, and each CSP has indicated somewhere what that model is. (In the case of Tencent, it's unfortunately buried in a 2019 white paper.) Public CSPs also provide some sort of "architecture framework," though this varies from provider to provider. For example, AWS and Google Cloud provide a framework that allows customers to stably and efficiently deploy in the cloud based on both best practices and the organization's unique requirements. Linode, Oracle, and Tencent don't seem to offer this type of framework for customers but still discuss their overall cloud architecture in a broad manner. See Table 5 for links to these four security research aspects for each public CSP.


{|  
{|  
Line 16: Line 13:
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="60%"
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="60%"
  |-
  |-
   | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="5"|'''Table 5.''' Public cloud providers and their compliance offerings, SOC 2 report, shared responsibility model, and architecture framework
   | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="4"|'''Table 6.''' Providers of hybrid and multicloud technology and services, their trust center, their development and auditing practices, and supported public clouds
  |-  
  |-  
   ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Company and offering
   ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Company and offering
   ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Compliance offerings
   ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Trust center
   ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|SOC 2 report
   ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Development and auditing practices
   ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Shared responsibility model
   ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Public clouds supported (U.S.)
   ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Architecture framework
|- 
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisco.com/c/en/us/products/servers-unified-computing/ucs-director/index.html Cisco CloudCenter and UCS Director]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisco.com/c/en/us/about/trust-center.html Link]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|According to a [https://www.cisco.com/c/dam/en/us/products/collateral/cloud-systems-management/cloudcenter-suite/cc-suite-saas-trust-center.pdf 2019 document], Cisco is "evaluating SOC 2 as a potential roadmap item" for CloudCenter.
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisco.com/c/dam/en/us/products/collateral/cloud-systems-management/cloudcenter-suite/at-a-glance-c45-741883.pdf Alibaba, Amazon, Google, IBM, Microsoft]
  |-
  |-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Alibaba Cloud
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.delltechnologies.com/en-us/cloud/dell-technologies-cloud.htm Dell Technologies Cloud]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.alibabacloud.com/trust-center/resources Link]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://corporate.delltechnologies.com/en-us/about-us/security-and-trust-center/index.htm#tab0=1 Link]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.alibabacloud.com/trust-center/compliance-repository Link] (Must be customer/contact sales to access)
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.dell.com/en-us/shop/secure-development/cp/secure-development Link]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.alibabacloud.com/solutions/security Link]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.delltechnologies.com/en-us/data-protection/powerprotect-dd-series/cloud-tier.htm Alibaba, Amazon, Google, IBM, Microsoft]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.alibabacloud.com/architecture/index Link]
  |-
  |-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Amazon Web Services
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.hpe.com/us/en/greenlake.html HPE GreenLake]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://aws.amazon.com/compliance/programs/ Link]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://aws.amazon.com/compliance/soc-faqs/ Link] (Must be customer/contact sales to access)
   | style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://aws.amazon.com/compliance/shared-responsibility-model/ Link]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.hpe.com/us/en/solutions/cloud.html Amazon, Google, Microsoft]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://aws.amazon.com/blogs/apn/the-5-pillars-of-the-aws-well-architected-framework/ Link]
  |-
  |-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|DigitalOcean
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.vmware.com/ VMware Cloud]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.digitalocean.com/trust/ Link]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.vmware.com/trust-center Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.digitalocean.com/trust/certification-reports/ Link] (Must email company to access)
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.vmware.com/trust-center/compliance/soc Link] (Must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.digitalocean.com/trust/faq/ Link]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.vmware.com/cloud-solutions/hybrid-cloud.html Amazon, Google, IBM, Microsoft, Oracle]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.digitalocean.com/products/platform/availability-matrix/ Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Google Cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.google.com/security/compliance/offerings Link]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.google.com/security/compliance/compliance-reports-manager Link]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.google.com/anthos/docs/concepts/gke-shared-responsibility Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.google.com/architecture/framework Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|IBM Cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.ibm.com/cloud/compliance Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.ibm.com/cloud/compliance/global Link] (Must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.ibm.com/docs/overview?topic=overview-shared-responsibilities Link]
   | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.ibm.com/cloud/architecture/architectures/ Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Linode
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.linode.com/legal-security/ Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown (Presumably must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.linode.com/legal-security/ Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.linode.com/global-infrastructure/ Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Microsoft Azure
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.microsoft.com/en-us/compliance/regulatory/offering-home Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?docTab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb_SOC_/_SSAE_16_Reports Link] (Must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.microsoft.com/en-us/azure/architecture/framework/ Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Oracle Cloud Infrastructure
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.oracle.com/cloud/cloud-infrastructure-compliance/ Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown (Presumably must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/security_overview.htm#Shared_Security_Model Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.oracle.com/cloud/architecture-and-regions/ Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|OVHcloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://us.ovhcloud.com/overview/certification Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://us.ovhcloud.com/overview/certification/soc Link] (Must be customer/contact sales or legal to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://us.ovhcloud.com/legal/service-specific-terms Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://us.ovhcloud.com/about/company/data-centers Link]
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Tencent Cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://intl.cloud.tencent.com/services/compliance Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown (Presumably must be customer/contact sales to access)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://main.qcloudimg.com/raw/ea77661307adc3825990e159d851d406.pdf Link]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://intl.cloud.tencent.com/global-infrastructure Link]
  |-
  |-
|}
|}
|}
|}


Chapter 1 noted that for public cloud services, organizations tied to strong regulatory or security standards ... must thoroughly vet the cloud vendor and its approach to security and compliance, as the provider may not be able to meet regulatory needs. For example, public CSP will allow you to enter into a HIPAA-compliant business associate agreement (BAA) with them, as required by the U.S. Department of Health & Human Services<ref name="HHSGuidance20">{{cite web |url=https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html |title=Guidance on HIPAA & Cloud Computing |author=Office for Civil Rights |work=Health Information Privacy |publisher=U.S. Department of Health & Human Services |date=24 November 2020 |accessdate=21 August 2021}}</ref>, but that does not mean you'd be running in a HIPAA-compliant fashion. If your organization is handling PHI protected by HIPAA, that organization is still responsible for having internal compliance programs and documented processes that support HIPAA, while also using the CSP's services in ways that align with HIPAA.<ref name="MSHealthHIPAA21">{{cite web |url=https://docs.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech |title=Health Insurance Portability and Accountability (HIPAA) & HITECH Acts |work=Microsoft Documentation |publisher=Microsoft |date=17 February 2021 |accessdate=21 August 2021}}</ref><ref name="DashNav20">{{cite web |url=https://www.dashsdk.com/hipaa-compliant-cloud/ |title=Navigating HIPAA Compliant Cloud Solutions |publisher=Dash |date=2020 |accessdate=21 August 2021}}</ref> That includes ensuring that the services your organization will utilize are indeed in-scope with HIPAA and other such regulations; not all services offered by a CSP are in-scope to a specific regulation. The BAA should make clear which services are covered for handling PHI and other sensitive or critical information. Additionally, your organization will still need to ensure the correct technical security controls are implemented to ensure compliance.<ref name="DashNav20" /> Remember, you're working under the shared responsibility model.
Managing your share of security in the hybrid cloud has several challenges. Most of those challenges involve attempting to manage and control multiple distributed systems. Giving administrators the ability to see into this complex network of components, at all levels, is critical. This is typically accomplished with a centralized management tool or platform based on open standards, providing automated management and control features that limit human error. Automation is also useful when scanning for and remediating problems detected with security controls, which in turn allows for documented changes and more reproducible processes. Disk encryption and network encryption tools may also need to be more robustly employed to protect data at rest and data in motion between private and public clouds. And of course, segmentation of services based on data sensitivity may be necessary.<ref name="KasperskyWhatIs">{{cite web |url=https://usa.kaspersky.com/resource-center/definitions/what-is-cloud-security |title=What is Cloud Security? |work=Resource Center |publisher=AO Kaspersky Lab |date=2021 |accessdate=21 August 2021}}</ref><ref name="KernerFour18">{{cite web |url=https://techbeacon.com/security/4-hybrid-cloud-security-challenges-how-overcome-them |title=4 hybrid-cloud security challenges and how to overcome them |author=Kerner, L. |work=TechNeacon |date=2018 |accessdate=21 August 2021}}</ref>
 
Multicloud has its issues as well. "The challenge that multicloud presents to security teams continues to grow," said Protiviti cloud consultant Rand Armknecht in December 2020. "The number of services that are being released, the new ways of interacting, the interconnecting of services and systems, all of that continues to advance and all of these add new complexities into the enterprise security model."<ref name="PrattBuilding20">{{cite web |url=https://www.csoonline.com/article/3584735/building-stronger-multicloud-security-3-key-elements.html |title=Building stronger multicloud security: 3 key elements |author=Pratt, M.K. |work=CSO |date=14 December 2020 |accessdate=21 August 2021}}</ref> Given the differences in tools and security approaches between cloud providers, stitching together services cohesively requires strong skills, knowledge, and attentiveness. It also requires a security strategy that is well-defined and unified in its approach to data management, minimization, anonymization, and encryption when considering multiple CSPs. Middleware placed between the enterprise and the CSP—in some cases referred to as a cloud access security broker (CASB)—that can "consolidate and enforce security measures such as authentication, credential mapping, device profiling, encryption and malware detection" adds an additional layer of semi-automated security for multicloud.<ref name="PrattBuilding20" />


==References==
==References==
{{Reflist|colwidth=30em}}
{{Reflist|colwidth=30em}}

Revision as of 19:05, 21 August 2021

The Flexera 2020 State of the Cloud Report and its associated survey found that 87 percent of respondents had already taken a hybrid cloud stance for their organization and 93 percent of respondents had already implemented a multicloud strategy within their organization.[1] A 2020 report by IDC predicted 90 percent of enterprises around the world will be relying on some combination of hybrid or multicloud with existing legacy platforms by 2022, though they may not necessarily have a sufficient investment in in-house skills to navigate the complexities of rolling out those strategies.[2] These complexities were discussed in Chapter 1; hybrid cloud reveals a greater attack surface, complicates security protocols, and raises integration costs,[3][4] while multicloud brings with it differences in technologies between vendors, latency complexities between the services, increased points of attack with more integrations, and load balancing issues between the services.[5] Broadly speaking, these complexities and security challenges arise out of the fact more systems must be integrated.

As of April 2021, four providers of hybrid and multicloud technology and services stand out: Cisco, Dell, HPE, and VMware. These providers don't provide public cloud services but rather take a service-based approach to supplying hardware, software, and managed services to assist customers adopt a hybrid or multicloud approach for their business. From a security perspective, we have to ask at a minimum three questions about these companies:

  • How do they manage your data and security in a trustworthy way?
  • How are cloud technologies and services developed and audited for security?
  • What public CSPs do they publicly state their technologies and services support or integrate with?

In this context of trust, these companies should have a "trust center" that helps consumers and enterprises find answers to security questions about their cloud technologies and services. A trust center was found for three of the four CSPs; HPE's trust center could not be located. Whether through internal secure development processes or external auditing practices, the security of the technology and services offered by these providers remains vital, and they should be able to demonstrate by explaining their development and auditing processes. Additionally, hybrid and multicloud providers should make clear which public CSPs are supported for or integrated ideally with the provider's hybrid and multicloud services. Not all public clouds are fully supported by these providers. See Table 6 for links to these three security and interoperability aspects for each hybrid/multicloud CSP.

Table 6. Providers of hybrid and multicloud technology and services, their trust center, their development and auditing practices, and supported public clouds
Company and offering Trust center Development and auditing practices Public clouds supported (U.S.)
Cisco CloudCenter and UCS Director Link According to a 2019 document, Cisco is "evaluating SOC 2 as a potential roadmap item" for CloudCenter. Alibaba, Amazon, Google, IBM, Microsoft
Dell Technologies Cloud Link Link Alibaba, Amazon, Google, IBM, Microsoft
HPE GreenLake Unknown Unknown Amazon, Google, Microsoft
VMware Cloud Link Link (Must be customer/contact sales to access) Amazon, Google, IBM, Microsoft, Oracle

Managing your share of security in the hybrid cloud has several challenges. Most of those challenges involve attempting to manage and control multiple distributed systems. Giving administrators the ability to see into this complex network of components, at all levels, is critical. This is typically accomplished with a centralized management tool or platform based on open standards, providing automated management and control features that limit human error. Automation is also useful when scanning for and remediating problems detected with security controls, which in turn allows for documented changes and more reproducible processes. Disk encryption and network encryption tools may also need to be more robustly employed to protect data at rest and data in motion between private and public clouds. And of course, segmentation of services based on data sensitivity may be necessary.[6][7]

Multicloud has its issues as well. "The challenge that multicloud presents to security teams continues to grow," said Protiviti cloud consultant Rand Armknecht in December 2020. "The number of services that are being released, the new ways of interacting, the interconnecting of services and systems, all of that continues to advance and all of these add new complexities into the enterprise security model."[8] Given the differences in tools and security approaches between cloud providers, stitching together services cohesively requires strong skills, knowledge, and attentiveness. It also requires a security strategy that is well-defined and unified in its approach to data management, minimization, anonymization, and encryption when considering multiple CSPs. Middleware placed between the enterprise and the CSP—in some cases referred to as a cloud access security broker (CASB)—that can "consolidate and enforce security measures such as authentication, credential mapping, device profiling, encryption and malware detection" adds an additional layer of semi-automated security for multicloud.[8]

References

  1. Weins, K. (21 May 2020). "Cloud Computing Trends: 2020 State of the Cloud Report". Flexera Blog. https://www.flexera.com/blog/industry-trends/trend-of-cloud-computing-2020/. Retrieved 21 August 2021. 
  2. International Data Corporation (31 March 2020). "IDC Expects 2021 to Be the Year of Multi-Cloud as Global COVID-19 Pandemic Reaffirms Critical Need for Business Agility". International Data Corporation. https://www.idc.com/getdoc.jsp?containerId=prMETA46165020. Retrieved 21 August 2021. 
  3. "What Is Hybrid Cloud? Hybrid Cloud Definition". Cloudflare, Inc. https://www.cloudflare.com/learning/cloud/what-is-hybrid-cloud/. Retrieved 04 March 2021. 
  4. Hurwitz, J.S.; Kaufman, M.; Halper, F. et al. (2021). "What is Hybrid Cloud Computing?". Dummies.com. John Wiley & Sons, Inc. https://www.dummies.com/programming/cloud-computing/hybrid-cloud/what-is-hybrid-cloud-computing/. Retrieved 21 August 2021. 
  5. "What Is Multicloud? Multicloud Definition". Cloudflare, Inc. https://www.cloudflare.com/learning/cloud/what-is-multicloud/. Retrieved 21 August 2021. 
  6. "What is Cloud Security?". Resource Center. AO Kaspersky Lab. 2021. https://usa.kaspersky.com/resource-center/definitions/what-is-cloud-security. Retrieved 21 August 2021. 
  7. Kerner, L. (2018). "4 hybrid-cloud security challenges and how to overcome them". TechNeacon. https://techbeacon.com/security/4-hybrid-cloud-security-challenges-how-overcome-them. Retrieved 21 August 2021. 
  8. 8.0 8.1 Pratt, M.K. (14 December 2020). "Building stronger multicloud security: 3 key elements". CSO. https://www.csoonline.com/article/3584735/building-stronger-multicloud-security-3-key-elements.html. Retrieved 21 August 2021.