CISO Explainer: Hybrid- and Multi-Cloud Security

Michael Krigsman: We're discussing hybrid and multi-cloud security strategy with Anand Oswal from Palo Alto Networks. 

Hybrid-cloud and multi-cloud security challenges

Anand Oswal: Many, many years ago when there was no public cloud, applications were predominantly on-premises in your data center. But now, applications have started moving to the public clouds: AWS, Azure, GCP, Oracle, Alibaba, and so on and so forth. When applications are in multiple public clouds, people call it multi-cloud architectures. 

When we talk about hybrid cloud, it means that you have applications on-prem and in the public cloud. Most organizations have a hybrid and multi-cloud environment, which means that they have some applications on-premises in the data center (or what we call the private cloud) and applications sitting in multiple public clouds. 

Michael Krigsman: Given this kind of adoption for hybrid and for multi-cloud environments, what are the security issues that arise? 

Anand Oswal: As these applications get distributed (in your private data center, in the public cloud, in multiple public clouds), the most important thing is to have visibility into what applications are there, where they're running, et cetera. If I can't see something, I can't secure it.

The second thing is, how do you manage all of the security infrastructure, these policies, these constructs consistently? How do you ensure that all the data residing on-prem and the public cloud is secured consistently? How do you have the unified manageability views and having that run in a very simplistic manner? Those are some of the challenges that we come in security because, with all of this distributed environment, the attack surface is increasing. 

Michael Krigsman: Given the complexity of this kind of environment, how does that change the security posture and the general approach to security? 

Anand Oswal: In the past, applications were predominantly in your data center. You secured that by having a next-generation firewall or network security appliance at the DMZ, did all your security inspection, and maintained your posture. 

Now, as applications are in the data center, but also in multiple public clouds, we need to ensure that the data we access is secure, the applications are protected, but also you manage all of these consistently because now some of them are in the data center, some in AWS, Azure, GCP, et cetera. You're able to manage all of this consistently, so you have a consistent security architecture across the entire enterprise. You have a single policy definition, a single manageability for the network, and a cloud security admin across all of these constructs.

Hybrid- and multi-cloud security presents complexity challenges

Michael Krigsman: How is this different from security in a traditional data center?

Anand Oswal: They've generally been secured by a hardware-oriented stack on a next-generation firewall, multiple security services layered on the next-generation firewall, and potentially additional point products to do additional services. Now, as you look into the cloud, to protect the cloud networks, we've had software firewalls, a virtual machine, a containerized firewall, or a cloud-native firewall in these public cloud environments.

These are different environments, but you still want to manage them consistently because it's one enterprise. The applications are just everywhere. You want to have a single view of policy. You want to have a single network security administrative view of when you set policies and rules across all of these constructs. Ensuring that you don't recreate these stacks or have disjointed stacks of very complex, operational architecture is very important. 

Michael Krigsman: The architecture of security needs to address all the configurations, all the clouds that you're now addressing. 

Anand Oswal: To have different public clouds, you have your private cloud or the data center, and now you want to make sure that your security policies, your security architecture is consistent. You have the same policy for the users accessing different applications sitting in different locations, different users. 

At the same time, we don't want to have more and more operational complexity. You want to have a simplified view for the netsec [network security] or the cloud sec [cloud security] admin, all of these constructs. 

Solving the complexity of multi-cloud security requires consistency across cloud platforms

Michael Krigsman: You're trying to drive a straightforward, simple view, despite the behind-the-scenes complexity of the fact that you're dealing with multiple cloud providers.

Anand Oswal: There are two things. One is, of course, we want to have a simple view for the administrator to configure policies. But more important, we also want to have a consistent, best-in-class security.

If I'm accessing an application in the data center, I'm going through a certain stack. I want that, of course, to be best-in-class. But I also want that to be consistent when I access applications sitting in the public cloud or different public clouds. 

So, I want the consistency. I want that best-in-class behavior. And of course, I want the simplicity. All of this should be done without compromising the end-user experience. 

Michael Krigsman: From a compliance, from a regulatory standpoint, does multi-cloud add additional complexity as well? 

Anand Oswal: It does. We have new regulations coming in our industry every so often. We have data residency requirements where customers would want data to be within their country. 

You have requirements for compliance. Healthcare industries have compliance requirements. 

Utilities and other industries have their own compliance requirements. Retail, financial, each industry has different compliance requirements.

We want to ensure that we are making it easy for these industries and these customers to adopt these services and also make it easier for them to get compliance from the infrastructure.

Michael Krigsman: Anand, can you give us an example of a security incident relating to multi-cloud, hybrid-cloud environments that could have been prevented?

Anand Oswal: A real large customer that came to us, they had a multi-cloud environment, and they also had a hybrid cloud environment. They had consolidated the data centers and public cloud environments and had breaches in their public cloud environments because of command-and-control connections from their instances in the public cloud to the outside world.

Of course, they're protected now as they install software firewalls across multiple clouds but a consistent policy to ensure that we can look at all of the threats – command and control, software exploits, DNS exploits, URL filtering, threat prevention, sandboxing – and these are done consistently across the two public clouds that they had, but also consistently from the data center they had. Now they have a consistent policy across their entire infrastructure, and they're protected.

Michael Krigsman: The key is consistency across all the different clouds as well as the data center. 

Anand Oswal: Yes, and also the best-in-class security capabilities. 

Threats are getting more and more evasive. Attackers are getting more and more sophisticated, so we want to have the best in class security capabilities powered by AI and machine learning, which is not database and signature-oriented approaches, but powered through AI/ML. These are now consistently applied across your hybrid multi-cloud environment.

Michael Krigsman: Again, consistency is essential but you also need the ongoing support of AI and ML to be current with the threats that are constantly evolving. 

Anand Oswal: Absolutely right.

Strategy for managing hybrid- and multi-cloud security

Michael Krigsman: Given all of this, what are the basics of security strategy for hybrid and multi-cloud environments?

Anand Oswal: It's a six-point strategy. 

• First is around visibility, which means that you need to have complete visibility into which applications reside where, which environments they are in, and what you need to protect them. You can only secure something if you can see it.
• Second, you need to ensure that now you have unified manageability and unified policy across the infrastructure. 
• Third, you want to have the best in class security. 

The old approach of a database or a signature approach to solving security will not work. You want to have the new approaches of using the power of AI and ML. Stop the attacks, day zero attacks, stop them exactly when they happen because you don't want to give the attackers that window of opportunity from when an attack is detected to when it's patched.

• Fourth, help customers around all things around compliance and regulations. Make it easy for them to have consistent, best-in-class security.
• Next, make sure that all of this is done in a simplistic manner. 

Ease of use is important. Visibility is important. Ensure that they'll be able to configure these things and manage these things consistently as things are dynamic and change happen.

• Last but not the least, bring the network security and the cloud security teams together (especially as you talk about the public cloud) to have unified goals around security. 

In a lot of companies, they are different organizations. In some companies, they're the same organization. But show the value of all the things that you do consistently for all of them. 

That's what I tell my customers, it's a six-point plan. 

Michael Krigsman: How do these six points fit into your product strategy?

Anand Oswal: It comes down to the principles of zero trust. We're having a user trying to access an application. Before I allow that connection, I need to understand who the user is, what device are they on, what application are they trying to access, what data they're trying to access.

If I decide to allow that connection, use the principles of least privilege access to allow that connection. Now, once that connection is allowed, you're not done. You're just getting started because now you need to inspect that connection on a continuous basis for threats on that session. 

It's the principle of zero trust, ensuring that you will have no notion of implied trust. 

Zero trust is crucial for cloud-based security

Michael Krigsman: Why is zero trust so foundationally important? 

Anand Oswal: Zero trust allows you access as a user to what application you need, what data you need, consistently, understanding who are you, what device you are on, what are you trying to access, what data do you want to access, do you have the right permission sets. That then allows you to inspect these connections on a continuous basis and do that across all facets. 

You could be at home, on the road. You can be on any network. You can be on any device. You have no notion of implied trust. You'll always have the same level of consistent security no matter who the user is, what device they're on, what network they're on, what application and data they access, and that consistent policy.

Michael Krigsman: Anand, as you talk with your customers, to what extent has zero trust been adopted out in the market, and how much room is there to grow, so to speak?

Anand Oswal: Most organizations have three distinct security architectures. They have a hardware-oriented architecture, which I call a next-generation firewall, services enabled, additional appliances to secure their data center. 

As the applications move to the cloud, they have software firewalls, virtual machines, containerized firewalls, or cloud data firewalls. To secure their remote workforce and their remote branches, they have a cloud-delivered stack which we call SASE. 

We have over 1,700 customers today, Michael, that use all the three form factors and have started their journey of consistent security, of consistent policy, of consistent manageability from day zero to end across their entire infrastructure. They're in the early innings of this one, as more and more customers adopt a platform-centric approach and embark on that zero trust across the entire enterprise. 

Michael Krigsman: What is the easiest and the fastest way for organizations to adopt zero trust?

Anand Oswal: Zero trust is a journey for many customers because many of the organizations have architectures that they've built over a number of years. So, understanding where you are today, understanding the North Star of where you want to get to, and making steps along the way to simplify how you do manageability, how you do policy, to have that consistent security across all facets of your enforcement points – your data center, your public cloud, your remote workers – is the essentials you need to start. We have many tools to help our customers on that journey.

AI and ML for cloud-native security

Michael Krigsman: You've spoken about the essential importance of AI and machine learning. You've spoken about the foundational importance of zero trust. How do these come together?

Anand Oswal: If you think about the way customers are evolving, the days of a user in the office accessing an application that sits on-premises are gone. Users are not everywhere. We're in the office. We're at home. We're on the go.

Applications, they're everywhere. They're in the data center. They're in the public cloud. They're in multiple clouds. 

We're no longer accessing those applications from only IT-issued devices. We have our own devices: my iPhone, my Android device, my iPad, and so on and so forth. I'm accessing these applications and data not just from the corporate network but from the home wi-fi network, from 4G, from 5G networks, 

We have this whole any-any phenomenon. This makes life complicated because now you have so many permutations and combinations. 

The only way to achieve enterprise-wide zero trust is to have a platform-centric approach: consistent security, consistent policy, consistent manageability no matter what the user is, no matter where the applications reside, no matter what form factor of network security I use.

Michael Krigsman: Where do AI and ML fit into this landscape?

Anand Oswal: Let's take an example of URL filtering, Michael. The traditional way of doing URL filtering has always been to have crawlers on the Internet, to build a database of all the URLs, to group the URLs into certain categories, and then to give a risk code to each and every URL. Then set a policy, zero to ten or low-medium-high, and you were able to get it done. 

This is no longer working. Attackers are getting more and more sophisticated. Before I build a database, the URL is gone, or attackers will register domains today to use five years from now. 

The only way to solve it is through the power of AI and ML where I can look at better data of the URL, content of the page, to stop the highly evasive threats in-line, in real-time. That's just one example.

We apply that across all of our services through command-control connections, software exploits, sandboxing, IoT security, DNS security, SaaS, and so on and so forth. That's how we're using AI and ML across all the infrastructure in security to stop threats that we have never seen before.

We're able to stop over 8.5 billion threats every single day, and only 1.5 million of those are net new attacks. We're able to learn data across all our customers all because of the network effect of data, to make sure that we are making every day more secure than the day before.

Advice for network security professionals

Michael Krigsman: What should network security professionals understand about the cloud and how cloud makes their job different?

Anand Oswal: There are a lot of benefits that the organizations get with the adoption of public cloud. You get speed, agility, almost infinite compute when you want it at the closest location you have. 

But as you have a distributed architecture in some sense where you have multiple public clouds and also you have a private cloud, you want to ensure that you think about security consistency from day one. Having a consistent security architecture, having a consistent policy and manageability is paramount for success.

Michael Krigsman: Are there differences that network security engineers need to understand when it comes to issues like policies in the cloud relative to what they're used to dealing with in the data center, historically?

Anand Oswal: There are maybe some differences in terms of how they set policies for the public cloud. But remember, we talked about having multiple public clouds. So, as they are having multiple of these public clouds, how do you ensure that you set consistent policies that apply across these multiple public clouds so that you can consistently manage your user-to-app policies?

Michael Krigsman: What advice do you have for security professionals when it comes to migrating their traditional security environment and architectures into this hybrid and multi-cloud world?

Anand Oswal: The most important thing is to ensure that as you are migrating from your on-prem infrastructure to multiple public clouds (or you may already have multiple public clouds), ensuring that you think through your security architecture, to think through that you have all the consistency from a security perspective. Your policy definition is defined once and applied across all of the clouds and your private cloud so that you can have unified manageability, a simplified admin experience, and the best and optimal user experience.

Managed services vs. DYI approaches to cloud security

Michael Krigsman: One of the issues that often comes up is the question of managed services versus a do-it-yourself approach when it comes to security.

Anand Oswal: If you think of the public cloud, we support both of the options. There are a lot of customers who have basically managed, of course, their on-prem firewalls in the data center, and they would like to manage their virtual firewalls, VM or containerized firewall, themselves with a consistent policy. 

There are also customers in many cases who want to have a cloud-native firewall that is built into the console of the public cloud, built into AWS or Azure, and so on and so forth. That's what we call Cloud NGFW. We support both variations depending on what the customer wants and where they are in their journey.

Michael Krigsman: Anand, one of the takeaways I'm getting from you is, by having this consistent platform, you're enabling security professionals to focus on the fundamentals, the core of providing great security. 

Anand Oswal: If you think about a network security admin's job, it's already hard. If you have all of the operational aspects of what they do taken care of, automated, and simplified, they can focus on what they do best in terms of what they have to do from a security perspective, ensuring that they're able to have the best security for their organization.

Michael Krigsman: This seems like a very fundamental point.

Anand Oswal: At the end of the day, you want to have that consistent, best-in-class security across all of your hybrid multi-cloud environments. You want to also have that simplicity we talked about, the operational simplicity, the ease of use. They all are important, but security is absolutely the most important. 

Michael Krigsman: The platform helps alleviate some of the mundane work so that the security folks can concentrate where they need to.

Anand Oswal: It helps automate a bunch of the stuff that would have been done manually. It helps give them insights for monitoring and alerts and things that they want to do from templates into all the things they can do on an ongoing basis, looking at all the threats that they're seeing and what they need to do to react to it. 

Michael Krigsman: Again, the point is making life for security professionals and IT professionals easier so that they can focus on ensuring that their environment is fully secure.

Anand Oswal: Yes. 

Cloud security best practices for hybrid- and multi-cloud environments

Michael Krigsman: Anand, you work with so many different customers at Palo Alto Networks. You see so many different kinds of organizations, so many different kinds of security architectures and stages of maturity. Can you share advice on securing your multi-cloud environment and migrating successfully, just in the fastest, easiest way? I think that's what everybody cares about.

Anand Oswal: They care a lot about speed and agility. But more and more, as you talk to security professionals in the organizations, they also want to make sure they're doing it thoughtfully, consistently, and securely. 

Look, 92% of all organizations either have or are going to have a multi-cloud environment. Most of those organizations also have private cloud environments. They have consolidated data centers. They may have had many before and they have a few right now.

As you move many of your applications to the public cloud, ensure that (from a north-south perspective) you secure all the traffic because network security at the broadest level is all about traffic inspection and applying the right policies. Secure all the traffic north-south or east-west. 

We're looking at hardware firewalls in a private data center, ensuring that the policies that you have for your applications in your data center, as you have applications go into the cloud, those policy constructs are done consistently. The policies you apply are applicable across all the public cloud environments. Those things have to be thought through.

Then you also want to have the right level of visibility, the right level of analytics, the right level of telemetry to understand exactly what's going on, to understand what's happening in the network, where you see the threats, how you're protecting from those threats, what policies you need to change, and how I apply all of these changes consistently, easily. It can be cumbersome. 

It can take me weeks and months to make changes across the cloud. That's too slow in the cloud environment. These need to happen in near real-time.

Michael Krigsman: Are there common or typical challenges or obstacles that you see as organizations make this transition?

Anand Oswal: Usually, the slowness comes when things are not done with the power of automation because manual configurations, setting up policies manually is always going to take more time. So, we help our customers to automate these journeys, to help them have a templatized approach towards policies, so you can apply a policy once across your cloud. If you want to change your policies, you can use the best practice assessments that we have based on our experience working with thousands and thousands of customers to ensure that you have the right policy architecture, the right framework across all of these hybrid multi-cloud environments.

Michael Krigsman: Anand, thank you so much for taking the time to speak with us about security in the hybrid and multi-cloud environment.

Anand Oswal: Thank you, Michael. Appreciate it.