Ah, the good old days when you could set up a storage array, put the management part on a subnet, and call it a day. It was a little bit of “security by obscurity;” it was close enough to an air gap; and you felt fairly confident that your data would be secure. But that is no longer the case in a multicloud world.
Zero Trust multicloud security was a key topic of discussion at the NetApp® Cloud Field Day Exclusive Delegates Roundtable. The day’s presenters from NetApp and Google joined the diverse group of delegates to discuss ransomware, multilayered security, and multicloud governance.
The group concluded that no matter how you got to multicloud, you probably have a mix of configurations that have resulted in a complex architecture. But did you build a purposeful multicloud strategy, or did you stumble into it by accident? Some companies may have started with a strategy, but for many others, it just sort of happened.
And with this complexity comes risk: data loss from outages, application failure, and accidental deletion, as well as from malware, ransomware, and viruses.
“You can’t just rely on, ‘oh, someone can’t route that IP address’ as a method of security,” said Jeff Baxter, senior director of product marketing at NetApp. “Because that is not a true method of security anymore.”
Forget trust but verify. The new model is verify and never trust. “You should assume that your management network is on the public internet,” Jeff explained. “The assumption of Zero Trust is that your data centers are already compromised…. Putting something on the public internet means you have to focus on the things that are truly important: multiple-admin verification, all the structure that Google Cloud and others have put in place.”
The group discussed the Zero Trust security model, which requires a multilayered, data-centric approach that goes beyond perimeter security. According to Chuck Foley, senior director of product marketing at NetApp, “We acknowledge that it’s not only a multicloud, but a multilayered approach that depends on where the threat is and where the technology is.”
Jeff added, “If you had a ransomware attack and you are recovering, you’re not going to be able to practically recover any significant amount of data to another cloud if it’s not there already. Right? Bandwidth. Data gravity. Not to mention ingress and egress charges, and all the other things that make that impractical.”
So, according to Jeff, you have two options. One is a point-in-time restore within the cloud you are already on, on the assumption that the attack was not caused by a flaw in the cloud architecture itself. That would be an extremely rare event; the far more common cause is spear phishing or some other routine system compromise.
The other is a true cross-cloud setup for ransomware mitigation, in which your data is already replicated to the second location before you need it. To show how easy that is, at the Cloud Field Day Exclusive the team demonstrated the drag-and-drop simplicity of that solution.
“It’s like having a mega availability zone,” Jeff said.
The conversation then shifted to governance. Governance starts with how you architect your cloud. “Everything starts with a good cloud architecture for your organization,” said Dean Hildebrand, technical director at Google. “We have customers that have thought things were going to start small and then built a very simplistic architecture in terms of… the networking and their design of folders and projects. And how we lay that out was fairly straightforward.”
Dean continued, “And then they realized, ‘oh wait, I now have 300 teams in my organization, and all of them are accessing different data resources. They all want some sort of staging areas and production areas, some of them are on prem….’ And, you know, it gets really complicated.” He added, “The point being, they then rewrite the entire cloud architecture in terms of the networking design, the project folder layout, the access control mechanisms.”
Phoebe Goh, principal technology evangelist, added, “Many of the conversations we have are around security and security policies and knowing who has access in the cloud, who has access to which resources. It could be down to the individual resources, bucket name, or single instance. Because our policies utilize, say, AWS IAM (Identity and Access Management), it’s open…. You know what our policies are asking your systems to do, whether it’s provisioning or deleting or building a new one. And that’s part of the transparency that the Google team mentioned. It’s [about] aligning with them and using them as much as possible.”
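To make the "who has access to which resources, down to the bucket name or single instance" point concrete, here is an added example that is not part of the roundtable or NetApp's own tooling. It contains two constructed IAM policy documents (the bucket, account ID, instance ID and tag are assumed, not taken from the page): one that grants service-wide wildcards on every resource, and one scoped to a single bucket and a single instance. A small audit function flags the statements that exceed least privilege, and a minimal evaluator answers "can this policy do action X on resource Y?" with IAM's default-deny and explicit-Deny-wins rules. Conditions are deliberately treated as satisfiable, so the evaluator over-reports what a policy can do rather than under-reporting it.

```python
"""Least-privilege audit of AWS IAM policy documents (added example).

The policies below are constructed for illustration; they are not
NetApp's or Google's own. The checks flag statements that grant more
than a single named bucket or instance would need.
"""
import fnmatch
import json
from typing import Iterable

# Constructed "it worked, ship it" policy: every S3 and EC2 action on everything.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}
  ]
}""")

# Constructed policy scoped to one bucket and one instance (hypothetical ARNs).
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-backup-bucket/*"},
    {"Effect": "Allow",
     "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-backup-bucket"},
    {"Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
     "Condition": {"StringEquals": {"aws:ResourceTag/role": "backup"}}}
  ]
}""")

# Constructed guardrail: an explicit Deny that wins over any Allow it overlaps.
GUARDRAIL_DENY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}""")

# Actions reported as destructive in findings (illustrative list, not exhaustive).
DESTRUCTIVE = ("s3:DeleteBucket", "s3:DeleteObject", "ec2:TerminateInstances")


def _as_list(value) -> list:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns: Iterable[str], value: str) -> bool:
    """IAM-style wildcard match ('*' and '?'). Action names are
    case-insensitive in IAM, so both sides are lowercased first."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def is_allowed(*policies: dict, action: str, resource: str) -> bool:
    """Minimal IAM evaluation over one or more attached policies:
    default deny; an explicit Deny overrides every Allow; Conditions are
    assumed satisfiable so the answer over-approximates what is granted."""
    allowed = False
    for policy in policies:
        for st in policy.get("Statement", []):
            if not (_matches(_as_list(st.get("Action")), action)
                    and _matches(_as_list(st.get("Resource")), resource)):
                continue
            if st.get("Effect") == "Deny":
                return False
            if st.get("Effect") == "Allow":
                allowed = True
    return allowed


def audit_policy(policy: dict) -> list:
    """Return findings for Allow statements broader than least privilege."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide action wildcard {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' (not scoped to a bucket/instance)")
        granted = [d for d in DESTRUCTIVE if _matches(actions, d)]
        if granted:
            findings.append(f"statement {i}: grants destructive actions {granted}")
    return findings


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(pol) or ["no findings"])
    print("broad can delete bucket:",
          is_allowed(BROAD_POLICY, action="s3:DeleteBucket",
                     resource="arn:aws:s3:::example-backup-bucket"))
    print("broad + guardrail can delete bucket:",
          is_allowed(BROAD_POLICY, GUARDRAIL_DENY, action="s3:DeleteBucket",
                     resource="arn:aws:s3:::example-backup-bucket"))
```

Running it shows the broad policy producing six findings (two wildcard actions, two unscoped resources, two destructive grants) while the scoped policy produces none, and that the explicit Deny guardrail blocks `s3:DeleteBucket` even though the broad policy allows it. The evaluator is intentionally small: it ignores resource-based policies, permission boundaries and `NotAction`/`NotResource`, which a production audit would need to handle.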
If you want to hear more from these experts, you can watch the whole conversation.
And to learn more about all the events and discussions that day, watch the full NetApp Cloud Field Day Exclusive on demand.
Zac Mitchell is the Market Strategist for Private and Hybrid Cloud at NetApp. Over the course of his career Zac has always been driven to solve problems. At NetApp, his passion is understanding the biggest business and IT challenges of our customers and connecting them to the best solutions. He holds a BA in Mathematics and Psychology and an MBA. Offline Zac can be found skiing or hiking in the mountains of Colorado with his wife and two daughters.