From the course: Certificate of Cloud Security Knowledge (CCSK) Cert Prep

Considerations for hybrid and multicloud deployments

- [Instructor] Recall that hybrid clouds comprise on-premises data centers linked to CSPs, along with a combination of public, private, and community clouds. Hybrid cloud choices can be influenced by the need to maintain local services on systems that will not be upgraded, or by an enterprise application that is too costly to refactor. Hybrid cloud security requires careful attention to protect both on-premises and cloud resources, particularly concerning their connection. Network security that is not granular, or that has design flaws, can increase the blast radius from threats. For instance, if you're using a VPN, you may want to consider starting to use a zero trust architecture instead. This is even more important when various data centers, offices, and cloud providers represent multiple points of connectivity.

A key area of focus is also identity and access management. In a hybrid cloud, this could be compromised quite easily if an IdP were compromised, either on-prem or by means of some other cloud resources that are vulnerable to attack. Because cloud and on-premises environments have significant differences in technology and implementation, it's crucial to develop a standardized approach to security for both. A standard approach does not imply that you're forcing the use of tools that do not fit the environment. Tool selection should be appropriate for specific environments.

Multi-cloud refers to utilizing services from multiple cloud service providers. The business rationale for a multi-cloud approach may involve vendor lock-in avoidance or selecting the optimal services from multiple providers. In organizations pursuing a multi-cloud strategy, developing a mature, secure cloud environment with the initial cloud provider is recommended before seeking additional cloud service providers for cloud services. Each CSP will have unique security strengths and weaknesses, which will add to the management challenges. There are three multi-cloud strategies to consider.

The first could be described as a transient strategy. A customer may be receiving service from an existing single provider but, through a merger or acquisition, now has a second provider. If appropriate, for example based on unhelpful redundancies, a migration to the initial CSP could be done. A primary-secondary strategy involves directing all new deployments to the initial CSP, with a second CSP engaged to cover needs that the primary CSP either cannot adequately handle or cannot service. Full multi-cloud support enables equal access to two or more cloud environments. It begins with one, but can expand to multiple providers due to various factors, including corporate politics and decentralized governance.

For cloud service customers managing containers across multiple CSPs, it's crucial to remember that containers allow workload portability but do not ensure management infrastructure portability. Runtime and orchestration are typically not seamless. Shared services that are not fully stateless also face challenges related to portability. This includes databases, message queues, and notification buses. Operating services at each CSP requires the knowledge and competency of specific subject matter experts. To mitigate the cost of maintaining talent, cloud service customers may sometimes retain a managed service provider to manage the complexities of an IaaS and PaaS environment.

In SaaS security management for a multi-cloud environment, three tool types are beneficial: federated identity brokers, which facilitate the centralized integration of entitlements and permissions; CASBs, cloud access security brokers, to centralize access control and monitoring of all SaaS tools; and API gateways to enforce policy, visibility, and controls as calls are made to the SaaS environment.

Well, this concludes our discussion of the organizational management domain. Recall that IAM is a key element of shared services in this space. It's time for us to zoom in on the identity and access management domain next.