According to a recent global survey of security professionals, 90 percent of their organizations are now using the public cloud. Of these, more than half are using more than one CSP (Cloud Service Provider), so they have adopted multi-cloud architectures. Meanwhile, many organizations are still using on-premise and/or hybrid infrastructure.
As cloud providers have expanded their platforms, organizations with Internet-facing sites, apps, and services have more architectural options. In this article, we’ll discuss:
- Why hybrid and multi-cloud architectures are increasingly popular
- The security problems that they create for sites, apps, and services that are hosted within them
- How to solve their security challenges
First, some definitions.
Cloud Architecture Concepts
Cloud computing can be defined as the on-demand delivery of IT resources and services that are not directly managed by the user. Usually, they are distributed as well (although this isn’t always the case).
Public vs. Private Clouds
Public cloud services are very popular today; numerous CSPs now offer resources and services over the Internet. The top public CSPs are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), in that order.
In addition to public clouds, private clouds are widely used as well. Here, an organization manages its own distributed computing, storage, and networking resources. Private clouds can be hosted in self-owned data centers, private CSP data centers, or third-party colocation facilities.
Single-Cloud, Multi-Cloud, and Hybrid
Single-cloud architectures are the simplest structure for cloud usage. When an organization runs all its sites, apps, and services on a single cloud (whether public or private), management is straightforward.
Multi-cloud architectures are more complicated, but are growing increasingly popular. Distributing IT resources and workloads across a combination of CSP(s) and/or private cloud(s) allows organizations to avoid vendor lock-in and take advantage of a wider range of different cloud services.
Hybrid architectures can be the most difficult to manage, but many organizations feel that their benefits outweigh their challenges. Here, the organization uses a mixture of cloud (public and/or private) and on-premise resources. This model is common for organizations that have existing on-prem infrastructure.
Rising Popularity of Hybrid and Multi-Cloud
Advantages of Hybrid Architectures
Hybrid architectures have been common since the earliest days of the public cloud. As cloud adoption grew, many organizations migrated fully to cloud, but many others could not do so for various reasons. Instead, they moved some of their storage and/or workloads to a CSP, while retaining the rest on-prem.
Hybrid is still a very popular approach today. According to the Flexera State of the Cloud Report, about 80 percent of organizations are using hybrid architectures.
Although some organizations view hybrid as a stop-gap measure (a temporary strategy to use until a full migration can be accomplished), many organizations are using hybrid for the long term. They believe it is the best approach in their specific situations. Here are some of the reasons why.
- Cost management: Organizations that have invested in their on-prem data centers can move some of their workloads to the cloud without wasting their existing infrastructure.
- Compliance: Organizations might have requirements and restrictions on where data can be stored or processed, as imposed by business partners or local governments. A hybrid architecture enables organizations to keep sensitive data or applications either on-prem or in private cloud environments to meet data residency requirements, while still taking advantage of public cloud elasticity and scalability for less sensitive data and IT workloads.
- Scalability: When demand exceeds the amount of available private resources, organizations can scale quickly and access extra capacity from the public cloud via cloud bursting.
- Flexibility: Organizations can choose which environment is cost-effective based on an application’s lifetime or needs. For example, when deploying an application with a short anticipated lifespan, an organization can decide to run it first on the public cloud, avoiding the purchase of additional private resources.
- Testing: Organizations can use the public cloud for development and testing before committing to buy more servers and/or private cloud resources.
Advantages of Multi-Cloud Architectures
As noted previously, more than half of cloud-using organizations have adopted a multi-cloud strategy. There are a number of reasons for this, including:
- Technological trends: A growing number of tools are available (e.g., container orchestration) that have made it easier to deploy applications across different clouds.
- Avoiding vendor lock-in: For obvious reasons, the top-tier CSPs tend to structure their platforms as closed ecosystems. Many organizations would prefer to avoid this, preferring instead the freedom to choose best-in-class services from multiple providers.
- Redundancy and availability: Organizations that distribute their data, infrastructure, and applications over multi-cloud environments have better protection and resiliency in case one of the underlying CSPs has an outage or slowdown.
- Cost: Multi-cloud enables organizations to take advantage of public cloud and infrastructure vendors competing on price, and allows them to minimize their cloud bills.
Web Security: An Issue for All Architectures
Different architectures have different perceived benefits, but they all share a common requirement: robust web security. In an increasingly hostile threat environment, organizations that offer Internet-facing apps and services must protect them, regardless of the infrastructure on which they are hosted. However, the types of security challenges can vary, depending on an organization’s choice of architecture.
We’ve written extensively on the security issues surrounding single-cloud architectures: articles on individual tools (e.g., AWS WAF: A Deep Dive), comparisons of specific capabilities of the top-tier CSPs (such as API Security in the Cloud and DDoS Protection in the Cloud), and even how-to guides (e.g., How to Setup and Use Google Cloud Armor, and How to Deploy and Use Microsoft Azure WAF). We’ve also covered the challenges of maintaining on-prem web security.
Now let’s discuss the situation for hybrid and multi-cloud. Some security challenges are common to both approaches, while other issues are more specific.
Unique Challenges in Securing Hybrid and Multi-Cloud
Hybrid Security Challenges
Hybrid architectures include on-prem infrastructure, and so it’s common for organizations to use on-prem security solutions as well. However, on-prem web security is less than ideal, for multiple reasons. They include:
- Expense. On-prem security solutions are usually provided as appliances, which tend to be costly.
- Management. In a complex threat environment, a high level of expertise is required from IT staff to maintain a robust security posture.
- Vulnerability. When traffic isn’t filtered until after it arrives at your data center, several vulnerabilities remain. For example, a DDoS attack can saturate the incoming Internet pipe. This can cause your ISP to defend itself by blackholing all your traffic, which will take your sites and applications offline.
Rather than using an on-prem security solution, some organizations protect their data centers with a cloud solution instead. This is a better approach, but most third-party cloud solutions introduce some additional problems of their own. More about these in a moment.
Multi-Cloud Security Challenges
Multi-cloud architectures usually include one or more public clouds. Because the major public CSPs all offer built-in security tools, many organizations use them. For example, in a multi-cloud setup using AWS and Azure, an organization might use AWS WAF to protect one cloud, and Azure WAF for the other.
Although this sounds like a valid approach, it has several problems.
First, the CSP services aren’t full security solutions. We’ve written about this previously. (Example: Are AWS WAF and Shield enough to secure your environment?)
Also, these services are difficult to use outside of a single-cloud context. CSPs provide their tools for a specific reason: to encourage the consumption of their cloud resources. They are not interested in adding extensive support for private clouds or on-prem infrastructures, and certainly not for the competing CSPs.
Many organizations have recognized these issues, and so they use third-party cloud security solutions instead. Indeed, some of these are a better choice, but most still aren’t ideal. Here are some of their problems:
- Inflexible. Even many third-party solutions struggle to fully support hybrid and/or multi-cloud architectures.
- Incomplete. Many solutions are not comprehensive; for example, the vendor might only offer a DDoS scrubbing solution, but no WAF or bot management. Thus, organizations must assemble and manage a variety of tools from different vendors.
- Costly. Most of the solutions that offer a full suite of security tools are expensive. These vendors tend to charge à la carte for their solutions’ various modules, while also charging extra for premium support plans, threat intelligence subscriptions, and other necessary items. The combined monthly expense is usually quite high.
- Performance and privacy. Almost all of these solutions use external infrastructure for processing their customers’ traffic. This creates routing latency for the organizations which use them (since their traffic does not flow directly to their environments; instead, it goes to the vendor first). It also compromises privacy, since incoming requests are decrypted for analysis and filtering outside of the organizations’ environments. Lastly, it creates multi-tenancy vulnerabilities; organizations can be affected by attacks that are aimed at other customers of that vendor.
Fortunately, although most security tools (whether the native CSP tools, on-prem appliances, or third-party cloud solutions) are subject to the issues above, this is not the case for all of them.
Solving the Security Challenges
Modern architectures require a modern security solution: one that can protect any infrastructure (whether it’s on a public cloud, private cloud, on-prem, or any combination of them), and any workload (whether it’s a site, web application, or API).
Reblaze is a cloud native web security platform that can protect any architecture. Incoming traffic is filtered in the cloud, before it arrives at the destination environment, whether the destination is a public cloud, private cloud, or on-prem. And the traffic and security for all the environments can be managed from a single centralized dashboard.
Reblaze is a comprehensive solution, providing complete web security for a single all-inclusive price, with no add-ons or extra subscriptions required. It includes a next-gen WAF (web application firewall), enhanced DDoS protection, advanced bot management, API security, ATO (account takeover) prevention, and much more.
It is fully integrated with, and runs natively on, the top-tier cloud providers; it can provide web security for AWS, a cloud native WAF for Azure, or turn-key security for web apps and APIs on Google Cloud Platform.
Reblaze is a fully managed solution, maintained for you by a team of security professionals. It is always effective, and always up-to-date.