Forward-looking approaches to security in the cloud

Three people at a notebook discussing best practices for data security in the cloud.

Security in hybrid and multi-cloud environments remains a challenge for CISOs and IT managers. But new solutions, such as CNAPP, are emerging to create transparency and meet these challenges. A look at best practices.

Text: Andreas Heer, Image: Swisscom, Date: 4 April 2024, reading time: 5 min.

For meteorologists, multi-layered cloud structures in the sky are undoubtedly an exciting event. In IT, on the other hand, such structures pose a security challenge – and yet, they’re a reality. According to the Thales Global Cloud Security Study 2023, 79 per cent of companies use hybrid or multi-cloud environments. From a security perspective, solutions are needed to overcome these challenges, says Raffael Peluso, Head of Security Product Management at Swisscom: ‘The basis for security measures is a clear objective: what data is stored in the cloud? And what are the requirements for this data, for example in terms of availability and compliance?’

Cybersecurity measures in the multi-cloud

In the case of public cloud services, it is also important to understand which security measures the public cloud provider is responsible for, and which ones the company as a customer has to take care of itself. This ‘shared responsibility’ model describes the division of tasks between provider and customer. Typically, the provider is responsible for the security and availability of the cloud environment itself, while customers take care of the protection of their own data and applications. Cloud providers do offer a range of security solutions for this upper part of the cloud stack. However, the challenge remains to determine which security aspects these solutions can cover for a company, and where additional solutions are needed.

In hybrid and multi-cloud environments, visibility across all cloud resources and workloads is key to meeting data security and compliance requirements. A strategic approach to the evaluation of appropriate measures involves a number of technical and organisational aspects. Among the most important are the following:

  • Focus on solutions that work across providers, offer a unified view and enable the enforcement of policies across the entire landscape.
  • Zero-trust approaches with Secure Access Service Edge (SASE) architectures to secure access to cloud resources across networks, devices and users.
  • Training of employees to develop a security awareness in the handling of data and a security culture. This includes increasing security awareness among the IT professionals who are responsible for building and operating cloud environments.
  • Taking measures to address the shortage of skilled workers, such as retraining and offering further training to employees, improving working conditions, training professionals and working with external partners and Managed Security Service Providers (MSSP).


What is Secure Access Service Edge (SASE)?

SASE helps devices and users identify themselves securely and access cloud environments. To this end, the cloud-based security framework brings together SD-WAN functions and ZTNA (Zero Trust Network Access) solutions. This gives devices controlled and protected access to cloud resources, regardless of location. The zero-trust approach ensures that devices and users are re-identified on every access request, which makes it difficult for cybercriminals to reach a company’s cloud resources using stolen credentials or brute-force methods.

Data security approaches and processes in the multi-cloud

The paradigm shift towards cloud computing has spawned new concepts that take into account the change in infrastructure and the security needs of companies at the technical and process level, in a shift away from mere perimeter protection. Or, as Raffael Peluso sums it up: ‘In multi-cloud environments, the processes at the interfaces of collaboration between different areas take centre stage.’ The main approaches are:

  • DevSecOps (development, security, operations) combines agile application development and maintenance with security measures and operations. This means that security is integrated into every phase of the software lifecycle and that testing takes place automatically within the CI/CD pipeline. The test includes application code and IaC (Infrastructure as Code). This process, also known as ‘shift left’, ensures compliance with security requirements even during short development and deployment cycles. DevSecOps also helps to increase security awareness among IT professionals by making IT security an integral part of every step of the process.
  • Cloud Workload Protection (CWP) protects VMs and containers during operation. CWP includes both protection against cyberattacks and monitoring of possible security loopholes, thus ensuring transparency across the cloud when it comes to the security status of workloads.
  • Cloud Security Posture Management (CSPM) can be thought of as the compliance layer above CWP. While CWP is concerned with technical protection, CSPM checks workloads for configuration errors and for compliance with security requirements (policies). This enables centralised monitoring of compliance requirements.
  • Cloud Infrastructure Entitlement Management (CIEM) manages identities and permissions centrally and consistently in hybrid and multi-cloud environments. In this way, CIEM simplifies complex identity and access management (IAM) across the different cloud providers’ various tools.
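A minimal policy-as-code check in the spirit of CSPM and CIEM, added here as an illustration (not Swisscom’s code, nor that of any CNAPP product): constructed resources from several providers are normalised to one schema and evaluated against a single policy set, which is what yields the cross-provider findings view described above. All provider, resource and policy names are made up.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable

# Constructed sample inventory (hypothetical names, not real accounts): resources
# from several providers already normalised to one schema, which is what lets a
# single policy set provide the unified cross-provider view.
INVENTORY = [
    {"provider": "aws", "id": "bucket-logs", "type": "object_storage",
     "public": False, "encrypted": True},
    {"provider": "azure", "id": "blob-exports", "type": "object_storage",
     "public": True, "encrypted": False},
    {"provider": "aws", "id": "role-ci-deploy", "type": "identity",
     "permissions": ["s3:GetObject", "s3:PutObject"], "mfa": True},
    {"provider": "gcp", "id": "sa-batch", "type": "identity",
     "permissions": ["*"], "mfa": False},
]

@dataclass(frozen=True)
class Policy:
    name: str
    resource_type: str   # which normalised resource type the rule applies to
    severity: str
    violates: Callable[[dict], bool]  # True when the resource breaks the rule

# CSPM-style configuration rules and CIEM-style entitlement rules, written once
# and applied to every provider in the inventory.
POLICIES = [
    Policy("storage-not-public", "object_storage", "high",
           lambda r: r.get("public", False)),
    Policy("storage-encrypted-at-rest", "object_storage", "medium",
           lambda r: not r.get("encrypted", False)),
    Policy("no-wildcard-permissions", "identity", "high",
           lambda r: any(p == "*" or p.endswith(":*") for p in r["permissions"])),
    Policy("mfa-required", "identity", "medium", lambda r: not r.get("mfa", False)),
]

def evaluate(inventory, policies=POLICIES):
    """Return one finding dict per (resource, policy) violation."""
    return [{"policy": p.name, "severity": p.severity,
             "provider": r["provider"], "resource": r["id"]}
            for r in inventory for p in policies
            if r["type"] == p.resource_type and p.violates(r)]

def summarise(findings):
    """Open findings per provider: the cross-provider view a CSPM dashboard shows."""
    return dict(Counter(f["provider"] for f in findings))
```

In a DevSecOps pipeline the same evaluation would run against the IaC definitions before deployment, so a public bucket or wildcard role fails the build instead of surfacing later in operation.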

Protecting multi-cloud environments with CNAPP

Gartner, a market research firm, has coined the term ‘Cloud Native Application Protection Platform’ (CNAPP) for solutions that combine security features of this kind. CNAPP combines traditional security measures such as malware scanning and vulnerability scanning with methods that address the specific security needs of all types of cloud environments. These include the approaches mentioned above, such as DevSecOps, CWP and CSPM.

CNAPP thus offers companies a platform to implement technical and organisational measures for compliance in one centralised place. This creates the necessary transparency and visibility for the secure operation of hybrid and multi-cloud environments across provider boundaries. Since CNAPP solutions are cloud-based anyway, they are usually purchased as a service from the provider or an MSSP.

Raffael Peluso, Head of Security Product Management, Swisscom

‘As part of CNAPP, DevSecOps is crucial for end-to-end security.’


The great advantage of CNAPP is that, as a central platform, it offers a unified view to all user groups, so everyone works from the same current picture. This allows, for example, the cloud infrastructure or DevOps team to react immediately to misconfigurations. And in the case of security events, the Security Operations Center (SOC) is alerted and takes appropriate measures to respond to a possible incident.

To better identify vulnerabilities and misconfigurations, CNAPP solutions increasingly rely on machine learning and other forms of artificial intelligence. Due to the dynamic situation in the market for (generative) AI-driven solutions, companies need to keep an eye on developments, and before making a decision, they should clarify whether the AI features being offered effectively cover their needs.

Best practices for multi-cloud security

What security measures are implemented in hybrid and multi-cloud environments, and how do they affect best practices for cloud security? Generally, these best practices apply regardless of the complexity of the cloud landscape. Technical measures such as encryption, data classification, multi-factor authentication and the like are mandatory anyway as a form of basic protection.

In addition to basic protection, CNAPP offers additional technical and organisational protection measures that are required in complex cloud environments. ‘DevSecOps is crucial for end-to-end security,’ says Raffael Peluso. ‘Security awareness training is also important, and it should include IT specialists.’

These measures contribute to obtaining a holistic view of the company’s IT landscape. Continuous monitoring during operation, for example with Cloud Workload Protection, sharpens this view. The measures need to be reviewed as well, says Peluso: ‘With continuous monitoring and regular audits, companies can identify deviations and create transparency in the cloud environment.’ This enables companies not only to see different cloud structures as a challenge, but also to use them to get the benefits they want.

In the first article, you can read about the challenges CISOs face when it comes to data security in hybrid and multi-cloud environments.
