If you take a new application or idea to your DevOps team what’s the most common response? Probably hesitation. Even if they do say yes, the security team is likely close behind putting up more resistance. You can’t blame either of them. New deployments introduce change and the potential for code to break and things to go down. For the InfoSec team, their biggest incentive is the security of the business, and your idea poses a potential threat. 

Unfortunately, the way development teams work and the way DevOps and security teams work don’t always align. Developers are ready to deploy daily, or even more often. DevOps would prefer to deploy every 2-4 weeks. Security is managing more networks, identities and technologies than ever, making security complicated and time consuming.

Security is a path, not a destination. Your team needs to be all-in on the journey in order to elevate your abilities to operate more seamlessly and securely. The six steps we’ve outlined below are a foundation, that if followed, can help you refocus your energy and resources on what is most important.

Identity is the first fundamental. If someone can get root then nothing else matters. A key, albeit difficult, place to start is a centralized identity source for who people are and how they authenticate. Role-based access control should be administered to groups to avoid one-off permissions.

A common identity threat is passwords. To be frank, people are horrible with passwords. They either make them too simple, forget the password or write it down somewhere insecure. Multi-factor identification makes a lot of sense for securing multi-cloud systems.

Finally, develop strict security management to bolster privileged accounts. Think of your cloud administrators for Azure, Salesforce or an active directory. Pair multi-factor identification with a time limit within the account and keep a log of entries and activity.

Identity is used to access data. When it comes to data security, it’s more important to protect the data than the data store. Only the data is portable. It’s unlikely someone in a ski mask is going to walk into your building or data center to physically steal a hard drive. To that end, you should encrypt data when it’s at rest, in transit and even when it’s memory. A lot of major clouds already come with this level of encryption, which handles most of the data security issues. 

However, once it’s on a desktop, it becomes harder to ensure it’s secure. One major issue is classification. Don’t get out of hand with how you classify data—the names will only get muddled and lose their meaning. Make clear and simple classifications and try to have less than 3-5 different levels and maybe another 1-2 for client facing classifications.

A common best practice for infrastructure security is to layer your defense. Try to layer firewalls and other infrastructure. But just like data, keep it within reason. If something breaks, you’ll spend less time troubleshooting if you don’t overcomplicate the security layering.

Consider developing infrastructure templates so if someone wants to deploy an app, the security is already baked into the load. Finally, listen to users. If they can’t use your system they’ll go around it. As you know, that’s when breaches happen.

Out of all these fundamentals, exercise the most caution with automation. A small mistake on one server could bring down the whole company. Where you should automate is in your policy and compliance. Put that right into the system so that pipeline updates deploy with the security in place. 

Regardless of how much you choose to automate, still place some sanity checks and manual gates in the process. Getting real human eyes on a deployment will help you catch serious errors that automation may have overlooked. Always ask the question, “Is this really the action we want to take?”

This one should seem a little obvious given the current state of multi-cloud security, but seek to collaborate across teams. Shift the InfoSec team into the development process. They often come in too late which leads to timely redesigns and frustration. If you get DevOps and security into the same room right at the start, you can set clear goals that guide the entire process.

Clouds are chatty, and in a multi-cloud environment, it’s easy to get log exhaustion. Aim to standardize on a platform to ingest and analyze your logs. Of course, each cloud has its own log, but a third-party platform is the best way to go when dealing with multiple clouds. It’s also not a bad idea to farm out the analysis to a company who specializes in finding threats and understanding the activity across all your clouds.

Maintaining a strong security posture is a multi-cloud architecture necessity. Align your DevOps, InfoSec and development teams around these core principles to pave the pathway to a more secure organization. 

For more insights on how to tackle multi-cloud security challenges head-on, check out our webinar Addressing security in a multi-cloud world by security expert Ned Bellavance.