By By Alain Sanchez, Joe Robertson, and Troy Ament
CISO on CISO Perspectives
In the last year, organizations have come to rely more on hybrid and multi-cloud environments to help support their evolving digital transformation requirements. According to a recent report from Fortinet, 76% of organizations surveyed reported using at least two cloud providers. The result is that applications can reside anywhere – from on-campus to branch to data center to cloud. And now that the era of work from anywhere is upon us, organizations have had to rethink how they secure network edges both on-premises and in the cloud.
What does this mean for cybersecurity and the future of work? Fortinet’s Alain Sanchez, Joe Robertson and Troy Ament join us to explore the impact of hybrid and multi-cloud on organizations and discuss the need for adaptive cloud security solutions to enable a holistic platform approach to cybersecurity.
What are some of the key learnings CISOs have had in the last year when it comes to building an effective multi-cloud security strategy?
Joe – One of the key factors CISOs are taking into account is the difference between each of the cloud platforms. If we focus on the security aspect, each of them has different built-in security tools and functions with different command structures, different capabilities, different syntax and logic. The data center, too, is yet another environment. Beyond that, organizations may be migrating into and out of clouds. Each cloud offers unique advantages, and it’s critical that the organization is capable of leveraging whichever ones support their business needs. Cybersecurity mustn’t hinder that. However, with each cloud provider offering different security services using different tooling and approaches, each of your clouds becomes an independent silo in a fragmented network security infrastructure – not an ideal prospect.
By having a common security overlay across all of these clouds, you provide an abstraction layer above the individual tools that gives you visibility across the clouds, control of them, and the ability to put in place a common security posture regardless of where an application may be, or where it may move to. Fortinet’s virtual security acts as that overlay. It can be a “United Nations” for cloud security, bridging the diversity, joining up the silos, and enabling these discrete entities to come together.
Alain – Last year operated as a catalyst of many pending decisions. Multi-cloud migrations are amongst these. The numbers speak for themselves; the global cloud computing market grew 17.5% in 2020 and is expected to reach $436B by the end of 2021 (Source: Research and Markets, Aug 2020). However, I still sense this fear from my CISO colleagues to be stuck into a vendor roadmap as you embark your company on a cloud journey. What if the data explosion of all these OT devices translates into huge cloud storage costs? What if the compliance context evolves and I find myself in a situation where I need to repatriate significant amounts of data to avoid crossing the legal line?
As these pros and cons were weighed—and more rapidly than usual during the months of the pandemic—CISOs realized how important it was to adopt a security posture that transcends the individual cloud offerings and protects their cloud strategy as a whole. When your policy sits on top of the multi-cloud diversity, you can avoid putting all your eggs in the same basket, knowing you will not have to manually reconfigure, redeploy, and retest your policy every time you take advantage of a new cloud provider offer.
Troy – Healthcare security and technology executives are leveraging multi and hybrid cloud computing to position their organizations to be more agile and resilient while at the same time increasing security posture. The reality for industries like healthcare is that the complex computing environments require alignment with hybrid cloud computing and multiple-cloud partners. Virtual Visit, Electronic Medical Record, ERP, and ancillary clinical systems are the primary systems that healthcare systems are prioritizing for cloud adoption.
How has today’s work from anywhere reality impacted multi- and hybrid cloud security?
Alain – More than ever, the massive home working wave operated as a wake-up call that one single policy had to be delivered everywhere. Regardless of the location, the device, and the network, users need to be granted access to their application environment. This access though, needs to be granted smartly, through a context-sensitive mechanism and this applies particularly to distributed architectures such as hybrid and multi-cloud. Simply put, do not design your multi-cloud architecture and your Zero-Trust Access strategy separately.
Joe – Where today’s users are and where the applications reside are actually two sides of the same coin. Because in both cases the item we’re dealing with – whether a user or an application – could be anywhere. So we have to change our old networking paradigm to a new one. The old paradigm focused on where things were. Where is the user connecting from? Where is the application sitting? In what server, in which data center? The problem is that by focusing on where we weren’t focusing on what was most important: the actual users and applications. Those are what we really care about. So user identification, authentication, authorization, and access permissions have become critical. This is what Zero Trust Access is all about: never assume anything can be trusted simply because it is “inside the perimeter.”
What are the key technologies CISOs should look to invest in to protect work from anywhere?
Alain – Multi-cloud deployment is an opportunity to take a step back, move away from the point solution approach and design your cybersecurity in a holistic manner. Otherwise, you may end up adding to the typical chaos, too many products, too many management platforms, too many vendors. In fact, regardless to the private/public/SaaS balance that they adopt, CISOs need to embrace the three critical layers of security: network, platform and application. Application is the era of email security, sandboxing, and web traffic controller. At the platform level you need Control Access Service Broker (CASB), and Cloud Workload Protection (CWP). And finally, the network level requires Secure SD-WAN, microsegmentation, and virtual machine security.
Joe – Work from anywhere requires connectivity plus security. That is already complicated for CISOs. You have to add in the fact that working from anywhere is about people. People who are not security experts, and who generally are not very patient with whatever hinders them from doing what they need to do. So security teams need to weigh convenience against utility. A good place to start is with multi-factor authentication, such as with FortiAuthenticator and FortiToken, because people have gotten pretty used to needing to authenticate for other applications, and these tools are very easy to use. You also need to focus on protecting the endpoints. Anti-virus is necessary, but it is not sufficient. You need to be looking at an Endpoint Detection and Response tool, like FortiEDR, that can run in the background and look at unusual activity that can signal an attack or ransomware. The end user doesn’t have to do anything, but the device and the network are protected.
Troy – It is critical for CISOs to ensure that workforce mobilization technologies are scalable and eliminate security blind spots to enable greater protections for the remote workforce as bad actors pivot to take advantage of an increased threat landscape.
