The promise of multi-cloud is a pool of resources and connections to seamlessly manage workloads anywhere. This is a stark contrast to current enterprise architectures, which are typically comprised of infrastructure islands that are architected, deployed, and managed independently. Given this, the transition to multi-cloud will certainly stretch operational practices in new and interesting ways, particularly as multi-cloud and DevOps-style automation intersect.
But how will security be handled in a multi-cloud world? As architects grapple with the question, it will be important to collaborate with operations teams to determine not just the devices but also the operational practices required to guarantee the secure operation of an expansive infrastructure.
Perimeter Versus Pervasive
The security world generally defines a well-built security infrastructure as strong perimeter security paired with capabilities that protect within the boundaries. In a networking context, this is why microsegmentation as a means of protecting east-west traffic is important. Within multi-cloud, though, the notion of east-west extends a bit further.
Where microsegmentation has been a data center use case, in a multi-cloud world, these distributed firewalls have to account for workloads that might exist in multiple locations — from public or private clouds out to customer premises. As technologies like multi-access edge computing (MEC) take deeper root, the cloud will be more than a centralized pool of resources. And that has very real implications on security strategies.
Even though they’re not yet in the multi-cloud, enterprises must begin making their security decisions with it in mind. If they don’t, they risk some of their decisions quickly becoming obsolete. And the most expensive path to multi-cloud will be one that repeatedly requires a rip-and-replace approach to key layers within the architecture.
Everything is a Source of Information
While the industry often talks about security as a single thing, it’s really a collection of activities coming together to make infrastructure more secure. For example, to identify threats in networking, engineers must be able to correlate information across a distributed set of (likely) heterogeneous devices.
Not every device is a security device, but every device can be a part of a secure posture. If every device is a source of information, this means security architects need to consider things like streaming telemetry as a top-tier architectural requirement.
Of course, if information is being streamed, collection mechanisms to process all of this data into unique and actionable insights need to be in place. Therefore, architects should consider monitoring as an integral part of any security strategy. If this is to extend to multi-cloud, then monitoring, streaming telemetry, and collection need to be designed explicitly for cross-domain use, so that the security umbrella extends from the public and private data centers to the cloud on-ramps in both the campus and branch.
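The cross-domain correlation described above, as an added illustration that is not code from the article: three islands (data center, cloud, branch) each report telemetry in their own format, a collection layer normalizes the records onto one schema, and a single rule then spots a source that every island blocked independently. The record formats, addresses and domain names are constructed for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry from three islands (sample data, not from the article): a data-center
# firewall syslog line, a cloud VPC flow record (JSON) and a branch cloud on-ramp record (key=value).
SAMPLES = [
    ("datacenter", "2024-05-01T10:00:01Z deny src=10.1.4.7 dst=10.9.0.12 dport=445 proto=tcp"),
    ("cloud", '{"ts":"2024-05-01T10:00:03Z","action":"REJECT","srcaddr":"10.1.4.7",'
              '"dstaddr":"172.16.8.3","dstport":445,"protocol":6}'),
    ("branch", "time=2024-05-01T10:00:05Z verdict=drop saddr=10.1.4.7 daddr=192.168.50.9 dport=445"),
    ("cloud", '{"ts":"2024-05-01T10:00:06Z","action":"ACCEPT","srcaddr":"10.1.4.8",'
              '"dstaddr":"172.16.8.3","dstport":443,"protocol":6}'),
]
def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))
def parse_datacenter(line):
    ts, verdict, src, dst, dport = re.match(r"(\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)", line).groups()
    return {"ts": _ts(ts), "src": src, "dst": dst, "dport": int(dport), "blocked": verdict == "deny"}
def parse_cloud(line):
    r = json.loads(line)
    return {"ts": _ts(r["ts"]), "src": r["srcaddr"], "dst": r["dstaddr"],
            "dport": int(r["dstport"]), "blocked": r["action"] == "REJECT"}
def parse_branch(line):
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {"ts": _ts(kv["time"]), "src": kv["saddr"], "dst": kv["daddr"],
            "dport": int(kv["dport"]), "blocked": kv["verdict"] == "drop"}

PARSERS = {"datacenter": parse_datacenter, "cloud": parse_cloud, "branch": parse_branch}

def normalize(samples):
    """Map every raw record onto one common schema, tagged with the domain it came from."""
    return [{**PARSERS[domain](raw), "domain": domain} for domain, raw in samples]

def correlate(events, window=timedelta(seconds=60), min_domains=2):
    """Flag a source blocked in several domains inside one window; no single island sees this."""
    by_src = defaultdict(list)
    for e in events:
        if e["blocked"]:
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        domains = sorted({e["domain"] for e in evs})
        if len(domains) >= min_domains and evs[-1]["ts"] - evs[0]["ts"] <= window:
            findings.append({"src": src, "domains": domains, "dports": sorted({e["dport"] for e in evs})})
    return findings
```

Each island's own device only sees one deny; only the normalized, cross-domain view produces the finding.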
While most security talk is about new capabilities being driven by new companies with new approaches, the biggest changes in security need to be based on some age-old pain points.
Most enterprises deploy literally dozens of security products today, each with its own set of experts managing varying solutions. However, this can create an unsustainable operational load for teams — adding on doesn’t always add up when it comes to IT. There will be a day of operational reckoning for enterprises that have allowed their operations practices to grow wild and free.
This especially rings true in a multi-cloud world. Consistent policy and control from end-to-end is a hallmark of strong security. In an infrastructure island, end-to-end might stop at the boundaries of the campus or the WAN or the data center. But in a multi-cloud world, those boundaries extend much further. This means policy and control must be consistently applied across the entire infrastructure, which naturally consists of different devices deployed in different roles across the whole of the enterprise.
Therefore, a common orchestration layer that sits atop the enterprise as a whole will play an increasing role in security, meaning areas that have been typically part of the operations team will have a part in securing the enterprise. Architects responsible for overall security should begin developing the architectural relationships with their operations colleagues to prepare for how these two worlds will come together — both technically and culturally.
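One way an orchestration layer can check that a single policy intent is actually in force on every island, as an added example that is not code from the article: the intent is written once, each island reports its live rules in its own format, and an audit reports where the intent is missing or contradicted. The rule formats, tags and island names are constructed; the cloud format is modelled as allow-only (security-group style), so a deny there is enforced by the absence of an allow rather than by an explicit rule.

```python
# Constructed single source of truth for two microsegmentation rules (hypothetical schema).
INTENT = [
    {"src": "web", "dst": "db", "port": 5432, "action": "allow"},
    {"src": "any", "dst": "db", "port": 445, "action": "deny"},
]

# Constructed state each island reports back through the orchestration layer. The cloud
# format is allow-only (security-group style); the other two carry an explicit verdict.
ISLANDS = {
    "datacenter": [{"src_tag": "web", "dst_tag": "db", "dport": 5432, "verdict": "permit"},
                   {"src_tag": "any", "dst_tag": "db", "dport": 445, "verdict": "deny"}],
    "cloud": [{"from_tag": "web", "to_tag": "db", "port": 5432}],
    "branch": [{"src_tag": "web", "dst_tag": "db", "dport": 5432, "verdict": "permit"},
               {"src_tag": "app", "dst_tag": "db", "dport": 445, "verdict": "permit"}],
}

def effective_rules(domain, deployed):
    """Normalise one island's rule set into (src, dst, port, action) tuples."""
    if domain == "cloud":
        return {(r["from_tag"], r["to_tag"], r["port"], "allow") for r in deployed}
    verdict = {"permit": "allow", "deny": "deny"}
    return {(r["src_tag"], r["dst_tag"], r["dport"], verdict[r["verdict"]]) for r in deployed}

def audit(intent, islands):
    """Return (domain, rule, problem) for every place the intent is not in force."""
    findings = []
    for domain, deployed in islands.items():
        have = effective_rules(domain, deployed)
        for rule in intent:
            label = f'{rule["src"]}->{rule["dst"]}:{rule["port"]}'
            key = (rule["src"], rule["dst"], rule["port"], rule["action"])
            if rule["action"] == "allow":
                if key not in have:
                    findings.append((domain, label, "allow missing"))
                continue
            # Deny intents need an explicit deny except on allow-only platforms, and any live
            # allow on the same dst/port from a matching source contradicts them either way.
            if domain != "cloud" and key not in have:
                findings.append((domain, label, "deny missing"))
            for src, dst, port, action in sorted(have):
                if action == "allow" and dst == rule["dst"] and port == rule["port"] \
                        and rule["src"] in ("any", src):
                    findings.append((domain, label, f"conflicting allow from {src}"))
    return findings
```

Here the data center and cloud match the intent while the branch island has both dropped the deny and added a contradicting allow, which is exactly the kind of drift that independent, island-by-island management leaves invisible.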
Bringing it All Together
The very nature of multi-cloud means some of the complex coping mechanisms that have allowed enterprises to scale will have to come down. For an end-to-end experience, infrastructure cannot exist in pockets. And this has very real implications on how to handle security, especially since security tends to map to the underlying architectural components.
Not everyone will be building explicitly for multi-cloud, but everyone ought to consider it as they evolve their IT practices. Failing to do so could create future roadblocks that make modernizing the infrastructure cost prohibitive. And no one wins when evolution stalls.