Cloud

It can be frustrating when you ask if an IT system is safe, and your expert resource responds, “It depends,” followed by a quip that the only secure system is one that’s powered off. Not so helpful.

Most IT teams are proficient in working with one cloud service provider (CSP) or on one facet of cloud computing, but increasingly, they are being asked to manage multiple cloud environments. The shift is substantial, especially because when it comes to security, the devil is in the details.

We know that risks are involved with multicloud Infrastructure as a Service implementations. It’s critical to know what they are and how to manage them. Let’s start by examining how we got here, and why there’s no turning back now.

As many organizations shift elements of their IT infrastructures to the public cloud, they must be aware of the new risks this move carries. Often, organizations make the false assumption that, in outsourcing the ownership of hardware and data center operations, they have also outsourced security to the cloud service provider.

While this is partially true because the organization is no longer required to deal with physical and infrastructure security, stakeholders are still responsible for compliance, data security, application security and possibly platform security if they are managing their own virtual machines or containers. A CSP’s documentation of the shared responsibility model will explain in more detail where it delineates responsibility.

Change is the only constant in life, even when it happens at a slow pace. And the same is true for Microsoft. With two decades of customers purchasing perpetual licenses through the same portal, this licensing program was due for a change.

Earlier this year, Microsoft announced it will sunset its Open Licensing program. This is a big change for a lot of our customers, but it will make things much easier for them by streamlining the available licensing programs from CDW and Microsoft.

Before your organization gets too far into a multicloud environment — using some combination of hyperscale providers such as Microsoft Azure, Amazon Web Services and Google Cloud Platform, along with private clouds — it’s wise to develop a management strategy. Proper multicloud management supports long-term optimization and amplifies a DevOps culture, which is complementary to this strategy. As we discuss on the CDW podcast Simplifying DevOps, when multicloud and DevOps are deployed together, the whole is greater than the sum of its parts.

In general, organizations should take existing IT best practices and extend them to cloud platforms, adapting as necessary. The same security and resiliency objectives that apply elsewhere also hold true for the cloud, particularly given the shared responsibility model that governs public cloud arrangements. Beyond that, organizations should focus on four key areas.

As organizations build multicloud environments, it’s important that they think strategically about guiding principles and capabilities. Multicloud may involve any combination of the major hyperscale public cloud platforms — Microsoft Azure, Amazon Web Services and Google Cloud Platform — or a hybrid that also includes private clouds.

For many organizations, multicloud works because it lets them use the provider that offers the best features, security, resilience or cost-effectiveness for a specific workload, without limiting them to a single option. Multicloud also facilitates the DevOps objective of providing rapid time to value for features or products. The ability to accelerate the frequency and quality of releases is a paramount goal of DevOps, and a well-maintained multicloud solution can help organizations achieve that objective.

Both multicloud and DevOps thrive on rapid-response flexibility, and that makes it essential to have a strategy that can guide important decisions.

When organizations first deploy a cloud security posture management tool, it’s often the first time IT staff members are seeing their cloud environment from a security perspective. When they learn that a certain port was unintentionally open, or that a misconfiguration has left data unprotected, one of the most common reactions I hear is, “I didn’t know that!”

That’s not a position anyone wants to be in with their cloud environments. Yet it happens frequently, especially as more organizations engage multiple cloud service providers. Luckily, CSPM tools provide the centralized visibility that IT staffers need to keep cloud environments secure. They can run automated audits to check configurations against security and compliance rule sets, identify critical vulnerabilities and even fix them, as directed, via auto-remediation.

The cloud is both powerful and potentially complex, so it’s difficult to perform a comprehensive, continuous check on a cloud environment manually. That’s where CSPM tools come in.