In our last post on cloud security, we discussed some of the challenges of distributing security to the edge and how to impose cloud security controls. Over the last year, pressure mounted on companies to manage data more effectively and securely to comply with evolving privacy regulations, such as GDPR and CCPA. Then came the COVID-19 pandemic, forcing more than 16 million U.S. knowledge workers to suddenly start working from home[i], which has increased the risk to data.
The good news is that our ability to improve data management and security in hybrid multicloud environments is also improving. The latest foundational strategies for building out security in these environments include:
- Cloud agnosticism – Ensures security solutions will work in any private or public cloud environment.
- Application and technology neutrality – Allows security solutions to work across multiple vendor technologies, as well as an array of edge network functions virtualization (NFV) security services.
- Secure Access Service Edge (SASE) – Converges networking and security services into a single cloud delivered platform. It identifies users and devices and enables secure access to the appropriate applications. Combined with SD-WAN, this provides network security from the cloud to protect users, applications and data regardless of location.
With these foundations for hybrid multicloud security in mind, you can implement the following recommendations to eliminate three critical threats to your data.
1. Avoid the public internet by creating direct, private connections to cloud services
As data moves between on-premises systems and the cloud, you can’t rely on the public internet for security or performance. The data is more vulnerable to hacking, and you have little control over bandwidth. By leveraging interconnected colocation data centers with dense partner ecosystems, you can build exchange points in proximity to clouds, customers, employees and partners. You can then move data where it needs to be to optimize performance without it ever crossing the public internet. You can also deploy and connect security controls at the edge to provide security where it is needed while easily scaling these controls to meet evolving bandwidth demands.
Equinix International Business Exchange™ (IBX®) data centers are vendor-neutral facilities that help you safeguard mission-critical data. These data centers offer the highest levels of physical security (five layers, including biometrics and 24-hour surveillance) and operational reliability, with an industry-leading uptime track record of greater than 99.9999%.
With Platform Equinix®, the world’s largest global platform of interconnected data centers and business ecosystems, you can take advantage of Equinix Cloud Exchange Fabric® (ECX Fabric®) to create direct and secure, private software-defined interconnection between your enterprise’s distributed infrastructure and a comprehensive digital ecosystem of business partners and service providers, including more than 1,800 networks and 2,900+ cloud and IT service providers.
2. Encrypt all traffic
SASE makes it easy to push security services to the edge, and with the increasing dependence on at-home and remote workers, you need to secure the traffic that flows between them and the cloud services they access. Corporate VPN solutions were never architected to support the amount of traffic generated today, so you need a new VPN solution that is flexible and rapidly scalable. NFV services enable you to deploy, scale and centrally manage VPN and firewall connectivity – on-demand – close to dense user populations to ensure performance.
For example, with Network Edge services from Equinix, you can take advantage of virtual network services on Platform Equinix from multiple industry-leading vendors without the time or cost of adding space, power or hardware. Creating an SD-WAN Edge SASE-enabled device can be accomplished within minutes.
Many companies use Network Edge to take advantage of IPsec tunneling for cloud-to-cloud routing, securing traffic between clouds while maintaining high performance through direct interconnection.
You can also use Network Edge to set up a firewall in front of a cloud and create an IPsec tunnel through that firewall to ensure that if a cloud environment is ever compromised, the data in your data center is still protected.
3. Secure your encryption keys
While encrypting data in the cloud is essential, it isn’t enough. You also need to ensure the encryption keys are safe and secure by keeping them separate from the data in a cloud service. In a multicloud environment, keeping encryption keys separate prevents a compromise of one cloud from spreading to the other clouds. Each cloud service provider (CSP) has a way for you to bring your own key (BYOK) and decouple key management from data encryption, but managing keys across multiple CSPs can be tough. In addition to a centralized way to manage multiple keys, you want to be sure the key itself is encrypted when it is sent to a particular cloud service.
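The key-separation idea above, as an added illustration that is not Equinix code and not how SmartKey or any CSP's BYOK service is implemented: each object is encrypted under its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that a separate key service holds per cloud, and the cloud stores only the ciphertext plus the wrapped DEK, so a KEK from another cloud cannot unwrap it. Go standard library only; the type and function names and any sample records are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Key is an AES-256 key; with this fixed size neither AES-GCM constructor below can fail.
type Key [32]byte

// seal encrypts pt under key, prepending a fresh random nonce (crypto/rand cannot fail in Go 1.24+).
func seal(key *Key, pt []byte) []byte {
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; a wrong key or a tampered ciphertext yields an error, never plaintext.
func open(key *Key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Object is all a cloud ever stores: ciphertext plus the DEK wrapped under that cloud's KEK.
type Object struct{ Ciphertext, WrappedDEK []byte }

// Store mints a per-object DEK, encrypts pt with it, and wraps the DEK under kek, the KEK a
// separate key service holds for this cloud; the plaintext DEK is never sent to the cloud.
func Store(kek *Key, pt []byte) Object {
	dek := new(Key)
	rand.Read(dek[:])
	return Object{Ciphertext: seal(dek, pt), WrappedDEK: seal(kek, dek[:])}
}

// Retrieve unwraps the DEK with kek, then decrypts; another cloud's KEK fails at the unwrap step.
func Retrieve(kek *Key, o Object) ([]byte, error) {
	dek, err := open(kek, o.WrappedDEK) // authenticated under kek, so exactly 32 bytes on success
	if err != nil {
		return nil, err
	}
	return open((*Key)(dek), o.Ciphertext)
}
```

In practice the KEK never leaves the key service and the wrap/unwrap calls are remote, which is what keeps a compromise of one cloud from exposing data held in another.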
Equinix SmartKey®, a SaaS-based key management service (KMS), offers a workflow that makes it easy to manage multiple keys and keep them secure. Offered on Platform Equinix, SmartKey ensures you keep complete control over your keys. Not even service providers or governments have access to them. Even if your organization must provide data to a third party – in response to a subpoena, for example – the third party will not have access to the keys. SmartKey also helps organizations comply with governance and compliance requirements, such as the GDPR, while offering the agility, ease of use and predictable pricing of a cloud service.
There’s no doubt that evolving hybrid multicloud infrastructures are complex, but managing security for them doesn’t need to be complicated. With centralized, scalable services like ECX Fabric, Network Edge and Equinix SmartKey, IT managers gain a single, centralized environment for ensuring the security of cloud data while also maintaining optimal performance.
For more information on developing a comprehensive cloud security strategy, read the Distributed Security – Digital Edge Playbook.