Multi-cloud is often referred to as a solution to cloud vendor lock-in. While this is certainly true, this is not the only or the most important advantage of a multi-cloud strategy.
| This is post 3 of 4 in the Amazic World series sponsored by F5. 1. F5: from Code to Customer 2. Containers and CI/CD 3. Multi-cloud 4. Security & Data Centers |
Going the multi-cloud route is often not a conscious decision. The reality of multi-cloud is often that it just happens, and poses serious security and compliance risks security teams have to deal with.
Unconscious multi-cloud
In other words, security teams, as well as application development and infrastructure platform teams are often confronted with a multi-cloud reality after the fact: different teams have already started using different cloud services from different cloud vendors.
This unconscious evolution of multi-cloud usage means organizations need to manage the operational complexity across these clouds, for application security purposes.
With the complexity of using multiple adjacent and overlapping technologies in each cloud, the chance of human error increases, and visibility goes down. As the impact of these errors grows, visibility into the state of the ever-evolving application landscape deteriorates.
The 2020 State of Application Services Report
The application landscape evolves as organizations transform to meet the ever-changing demands of the market. For the sixth annual survey, F5 compiled the State of Application Services Report.
With low visibility and no automated compliance checks or security policies, it’s hard to keep track of security and operational compliance, complicating troubleshooting, and root-cause analysis.
Moving to a pro-active multi-cloud approach
When moving to a pro-active, conscious multi-cloud approach, the key is to regain visibility across clouds and apply security policies consistently.
By providing app development teams with a catalog of easy-to-use, consistent, and vetted security, compliance, and performance policies—built by the security and NetOps teams, security and compliance can be enforced without imposing limitations on the teams using public cloud technology.
By standardizing these building blocks and security configuration, the NetOps teams can centrally manage policies while letting each application team deploy across the clouds and services they require.
This doesn’t limit the speed or flexibility in choice for application teams while maintaining the security posture across the multitude of cloud services. Teams can decide to use a new cloud service, without being held back by security. This enables quicker innovation, delivering customer-facing features and improvements more often and more quickly, without compromising security.
Single Security Perspective
Looking at this challenge from a security perspective, we see that the sheer amount of different cloud services and multiple instances of service in use poses a visibility and manageability risk. How do you secure it all, and stay in control of compliance in this continuously changing world?
Manually configuring security policies, or even manually checking policies is not feasible at this scale and becomes error-prone: NetOps teams need a way to automatically apply security policies and check security compliance across clouds.
Instead, this problem needs an automated, uniform, and consistent way of implementing and dealing with security and compliance audits across clouds and cloud services.
With F5, there are a few ways of achieving this, depending on the starting point of your organization.
Consistent multi-cloud security across on-prem and public cloud
Many organizations have an on-prem datacenter presence secured with F5’s BIG-IP, and are migrating apps to the cloud. For these hybrid cloud approaches, it makes sense to extend the security domain (and perimeter) from on-prem into the cloud using BIG-IP policies.
By deploying pre-configured virtual or cloud editions of BIG-IP and re-using the security policies, security teams do not have to invest in new technology to be able to apply essentially the same policies. This is a cost-effective way of applying security policies consistently across the on-prem datacenter and the public cloud uniformly.
By using BIG-IQ, F5’s single-pane-of-glass centralized management product, managing the increasing number of BIG-IP appliances is easy and allows for policies to be applied everywhere from a single interface. This prevents an unmanageable sprawl of security appliances.
By automating the bootstrapping, deployment, and configuration of BIG-IP, as well as automatically applying the right security policies, being secure by default is a trivial, non-blocking task for application development teams. This way, teams do not have to spend time installing and configuring security appliances. Instead, they are automatically deployed, and teams can focus on bringing their app to the cloud.
Knowing that teams will deploy a consistent set of security policies, and the ability to manage policies from a centralized portal, help security teams trust their multi-cloud deployments. It raises visibility across the board, making sure the security team has visibility into the entire cloud estate.
Cloud-native security
As teams start to refactor applications to cloud-native architectures, NGNIX is probably the best-suited tool for the job. It integrates more seamlessly into Kubernetes-deployments and is offered as a standard service for application delivery and security in many of the public clouds. NGINX is available as an open-source web server, or as the fully supported NGNIX Plus package with load balancing, web server, content cache, and API gateway functionality. NGINX App Protect extends F5’s Web Application Firewall technologies into NGINX.
Summary
Multi-cloud is something that, oftentimes, just happens. It’s a fact of doing business at any scale. The trick is to make multi-cloud a conscious, pro-active strategy, and a security approach that allows teams to make the most of multi-cloud while not decreasing the security posture is critical.
With F5, it doesn’t matter if you come from an on-prem datacenter and are using F5’s BIG-IP security stack, or if you want to start fresh with an NGNIX-based cloud-native application delivery and security architecture.
Equipping your networking and security teams with the tools they need to take responsibility for securing cloud resources across cloud vendors, cloud services and cloud service instances is a key step to ensure consistency of security policies, manageability with centralized policy management, and visibility into the security compliance for each.
