
Microsoft on Multi-Cloud: It’s the New Imperative But Cyberattacks Present Challenges

brooke.crothers
Fri, 02/25/2022 – 12:23

With its new multi-cloud strategy, Microsoft is stressing security. It’s “the mother of all problems,” Microsoft’s new security chief Charlie Bell said to the Wall Street Journal in an interview. “If you don’t solve it, all the other technology stuff just doesn’t happen.”

The software giant, when announcing protection for Google’s GCP this week, spelled out the challenge as a “kind of a Frankenstein solution,” according to Bell, who was hired away from Amazon last year. “The problem is everywhere you glue things together, there are seams and those seams become places that people attack.”

Since Bell took the reins at Microsoft, he has moved to centralize Microsoft’s security efforts under one organization and now oversees an organization of 10,000 people. “He has a budget to spend billions of dollars to build security products,” according to the Journal. 

As organizations look to the cloud, the reality today is an increasing cadence of sophisticated ransomware and nation-state attacks, Microsoft said in an announcement that came out the same day as the interview.

“Cloud, mobile, and edge platforms have driven unprecedented business innovation, adaptation, and resilience during this time, but this broad mix of technologies also introduces incredible complexity for security and compliance teams. The security operations center (SOC) must keep pace with safeguarding identities, devices, data, apps, infrastructure, and more. Further, they must take stock of evolving cyber risks in this multicloud, multi-platform world, and identify where blind spots may exist across a broad new set of users, devices, and destinations.”

Microsoft, February 23, 2022

A whopping 92 percent of respondents are using a multi-cloud model, Microsoft said, citing the Flexera 2021 State of the Cloud Report. And a survey sponsored by Microsoft shows that 73 percent of respondents say it’s challenging to manage multi-cloud environments.

In another survey, Microsoft interviewed more than 500 CISOs and found that cloud security remains the No. 1 concern and investment priority for security professionals.

Machine Identity in a multi-cloud world

Venafi is acutely aware of the challenge.

For organizations to fully embrace these multi-cloud strategies, it’s critical that their security solutions reduce complexity and deliver comprehensive protection.

Very large organizations almost always have more than one cloud provider. And part of the success of their multi-cloud strategy is having a quick and easy way to change between cloud providers when the need arises.

But many organizations have not thought this through very far. For instance, what happens if they want to move away from one provider, say AWS, and have the same instance hosted by Azure? Their answer may be something like, “We’ll just get another instance at Azure.” The problem is, they will not be able to use the certificate they got from AWS on Azure or any other cloud provider.

In many ways, changing cloud providers is like changing Certificate Authorities (CAs). You need to be able to identify all certificates associated with cloud instances in a given cloud provider, revoke them and reissue them on the new cloud provider. You can make this process relatively pain-free if you are able to automate it. But most organizations never get that far in their thinking.

It’s important for these organizations to know that they are not alone. The majority of companies face the same issue and have not solved it. The easiest advice to follow is that you should treat machine identities for cloud instances in exactly the same way that you treat them in on-premises environments. In other words, you should be able to enforce the same security policies for all machine identities used in your organization, regardless of where they reside.

Keeping an inventory of machine identities

In the cloud, as on premises, you need to have a complete and accurate inventory of all machine identities and you have to continually monitor them. It’s the only way that you will know whether the certificate is still on the AWS instance when it should be, and that it is no longer there once you have left. So, you have to monitor machine identities across cloud instances and you have to renew them when necessary changes occur. And you must also be ready to make those changes on a dime. This is especially important in the cloud, where the renewal period should be even shorter than on premises.

Organizations must treat the cloud as another component in an overall machine identity management program. Ultimately, it’s got the same rules and the same issues as every other infrastructure. And you should be prepared to be just as agile in the cloud as you are on premises.
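As an added illustration (not code from Venafi or the original post), the sketch below applies one policy to a certificate inventory spanning AWS, Azure and on-premises, and lists the revoke/reissue steps for leaving a provider. The record fields, thresholds, hostnames and dates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class MachineIdentity:
    common_name: str
    provider: str          # "aws", "azure", "gcp" or "on-prem"
    issuer: str
    not_before: datetime
    not_after: datetime
    instance_active: bool  # is the workload holding the key still running?

# One policy for every location (hypothetical thresholds, not from the article).
MAX_VALIDITY = timedelta(days=90)
RENEW_BEFORE = timedelta(days=15)

def policy_findings(inventory, now):
    """Apply the same checks to every identity, wherever it resides."""
    findings = []
    for mi in inventory:
        if not mi.instance_active and mi.not_after > now:
            # Certificate is still valid although the instance is gone.
            findings.append((mi.common_name, "orphaned: revoke"))
        elif mi.not_after <= now:
            findings.append((mi.common_name, "expired: reissue"))
        elif mi.not_after - now <= RENEW_BEFORE:
            findings.append((mi.common_name, "renewal due"))
        if mi.not_after - mi.not_before > MAX_VALIDITY:
            findings.append((mi.common_name, "validity exceeds policy"))
    return findings

def migration_plan(inventory, old_provider, new_provider):
    """List the revoke/reissue pairs needed to leave old_provider."""
    plan = []
    for mi in inventory:
        if mi.provider == old_provider and mi.instance_active:
            plan.append(("revoke", mi.common_name, old_provider))
            plan.append(("reissue", mi.common_name, new_provider))
    return plan

# Constructed sample inventory (all names, issuers and dates are made up).
NOW = datetime(2022, 2, 25)
INVENTORY = [
    MachineIdentity("api.example.test", "aws", "Cloud CA A", datetime(2022, 1, 1), datetime(2022, 3, 1), True),
    MachineIdentity("old.example.test", "aws", "Cloud CA A", datetime(2021, 6, 1), datetime(2022, 6, 1), False),
    MachineIdentity("db.example.test", "azure", "Corp CA", datetime(2022, 2, 1), datetime(2022, 4, 30), True),
    MachineIdentity("hr.example.test", "on-prem", "Corp CA", datetime(2021, 1, 1), datetime(2023, 1, 1), True),
]
```

In practice the inventory would be populated from each provider's certificate listing and from network discovery rather than typed in by hand.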


Microsoft’s new message for combatting cyberattacks is “take shelter in the cloud.” The software giant said this week it has extended native capabilities of Microsoft Defender to the Google Cloud Platform (GCP) on top of the existing support for Amazon Web Services (AWS), announced last year, and its own Microsoft Azure. A critical element of this move is security. Venafi recognizes the challenges of maintaining consistent security for all multi-cloud instances and how important it is to keep an accurate inventory of all machine identities across Azure, AWS, and GCP.


*** This is a Security Bloggers Network syndicated blog from Rss blog authored by brooke.crothers. Read the original post at: https://www.venafi.com/blog/microsoft-chimes-multi-cloud-its-new-reality-cyberattacks-present-challenges
