Cross-data center tools limit east-west effectiveness
Cross-cloud attacks are possible because defenses in cloud environments are weaker than traditional on-premises controls. For one thing, the use of cloud-native tools means that a significant portion of cloud-based traffic never passes through a perimeter, so it is never checked against a security control before being permitted to communicate on the network. Second, even if a company has traditional microsegmentation implemented, address-based controls don’t scale well in elastic, dynamic environments such as public cloud. This leads to a fragmented security strategy in which organizations use one set of tools for securing on-premises networks and a different set for cloud environments. That, in and of itself, is problematic for defenders. Managing, monitoring, and correlating data from disparate sources is time consuming and inefficient, and more often than not it causes missed alerts, misconfigurations, and even security incidents.
The shared responsibility model of the cloud requires organizations to understand how they’re using cloud (i.e., private hosted cloud, public cloud, hybrid cloud), what data they have in the cloud, and how data is transmitted in and across cloud platforms. Cross-cloud attacks are indicative of inattention to exposed pivot points and a fundamental misunderstanding of whose responsibility it is to do what.
A holistic security strategy
Adopting environment-agnostic tools that are not reliant on network constructs (e.g., IP addresses, ports, and protocols) is one way to ensure security teams unify their security strategy and are able to build centralized policies and monitor them consistently across networks.
Another important aspect of a cross-cloud security strategy is moving focus inside the network, in other words, away from the perimeter and to the data asset. Since attackers are targeting sensitive data inside data centers, it’s imperative that the most hardened controls are centered around data-rich targets and limit:
Who has access to what network resources
Which systems can communicate with each network resource (inbound connections)
Which systems network resources can communicate with (outbound connections)
How connections are established
Finally, and just as important, implementing the principles of zero trust will help ensure that malicious traffic cannot move freely and that network communication paths are not overexposed, which would give attackers the advantage. Applying data-centric security controls that are governed by zero trust (i.e., require verified authentication and authorization for each sent/received communication; implement least-privilege access; use machine learning to ensure policies dynamically update and adapt) will greatly reduce the probability that attackers can use organizations’ own networks against them.
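To make the two preceding ideas concrete (environment-agnostic, label-based policy from the "holistic security strategy" section, and the default-deny, data-centric inbound/outbound/connection-method controls listed above and governed by zero trust), here is an added illustrative example written for this article. It is not code from the original page or from any product the article describes. It models a small policy engine in which workloads are identified by labels (role, environment, site) rather than by IP address, so the same rule set applies whether a workload runs in AWS, in Azure, or on-premises. The inventory, label names, rule names, and port numbers are all constructed for the example.

```python
"""
Label-based (identity-centric) segmentation policy evaluator.

Constructed example: every workload carries labels instead of being addressed
by IP, the policy is default-deny, and each rule also states *how* a connection
must be established (here: mTLS required or not).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset          # identity labels, e.g. role=app, env=prod, site=azure


@dataclass(frozen=True)
class Rule:
    name: str
    src_labels: frozenset      # every label here must be present on the source
    dst_labels: frozenset      # every label here must be present on the destination
    port: int
    proto: str = "tcp"
    require_mtls: bool = True  # "how connections are established"


@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int
    proto: str = "tcp"
    mtls: bool = False         # whether the connection presented a verified identity


def labels(*items):
    return frozenset(items)


def evaluate(flow, rules):
    """Default deny: ('allow', rule_name) for the first matching rule, else ('deny', 'default-deny')."""
    for r in rules:
        if (r.src_labels <= flow.src.labels          # source identity matches
                and r.dst_labels <= flow.dst.labels  # destination identity matches
                and r.port == flow.port
                and r.proto == flow.proto
                and (flow.mtls or not r.require_mtls)):
            return ("allow", r.name)
    return ("deny", "default-deny")


def exposure(target, workloads, rules):
    """Inbound and outbound exposure of one workload: the (peer, port) pairs that
    the policy would permit if the peer presented a verified identity. This is the
    'who can reach the data asset, and what can it reach' view a defender audits."""
    inbound, outbound = set(), set()
    for w in workloads:
        if w is target:
            continue
        for r in rules:
            if evaluate(Flow(w, target, r.port, r.proto, mtls=True), rules)[0] == "allow":
                inbound.add((w.name, r.port))
            if evaluate(Flow(target, w, r.port, r.proto, mtls=True), rules)[0] == "allow":
                outbound.add((w.name, r.port))
    return inbound, outbound


# Constructed inventory spanning two public clouds and an on-premises data center.
WEB_AWS = Workload("web-aws", labels("role=web", "env=prod", "site=aws"))
APP_AZURE = Workload("app-azure", labels("role=app", "env=prod", "site=azure"))
DB_ONPREM = Workload("db-onprem", labels("role=db", "env=prod", "site=onprem"))
WEB_DEV = Workload("web-dev-aws", labels("role=web", "env=dev", "site=aws"))
WORKLOADS = [WEB_AWS, APP_AZURE, DB_ONPREM, WEB_DEV]

# Constructed policy: note that no rule mentions a site or an IP address.
RULES = [
    Rule("web-to-app", labels("role=web", "env=prod"), labels("role=app", "env=prod"), 8443),
    Rule("app-to-db", labels("role=app", "env=prod"), labels("role=db", "env=prod"), 5432),
]


def relocate(workload, new_site):
    """Simulate moving a workload to another environment: only the site label changes."""
    kept = {l for l in workload.labels if not l.startswith("site=")}
    return Workload(workload.name, frozenset(kept | {f"site={new_site}"}))


if __name__ == "__main__":
    for f in [Flow(WEB_AWS, APP_AZURE, 8443, mtls=True),   # cross-cloud, but policy permits it
              Flow(APP_AZURE, DB_ONPREM, 5432, mtls=True), # cloud to on-prem data, permitted
              Flow(WEB_AWS, DB_ONPREM, 5432, mtls=True),   # web tier has no path to the data
              Flow(APP_AZURE, DB_ONPREM, 5432, mtls=False),# right identity, wrong connection method
              Flow(WEB_DEV, APP_AZURE, 8443, mtls=True)]:  # dev must not touch prod
        print(f.src.name, "->", f.dst.name, f.port, evaluate(f, RULES))
    print("db exposure:", exposure(DB_ONPREM, WORKLOADS, RULES))
    print("db moved to gcp:", evaluate(Flow(APP_AZURE, relocate(DB_ONPREM, "gcp"), 5432, mtls=True), RULES))
```

The `exposure` function is the auditing half: for a data-rich target it enumerates exactly which identities may reach it and which it may reach, which is the question the list above asks. The `relocate` call shows the environment-agnostic property: re-homing the database from the on-premises site to another cloud changes a site label but not a single rule, so there is no second policy set to drift out of sync with the first.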