Microsoft’s new message for combatting cyberattacks is “take shelter in the cloud.” The software giant said this week it has extended native capabilities of Microsoft Defender to the Google Cloud Platform (GCP) on top of the existing support for Amazon Web Services (AWS), announced last year, and its own Microsoft Azure. A critical element of this move is security. Venafi recognizes the challenges of maintaining consistent security for all multi-cloud instances and how important it is to keep an accurate inventory of all machine identities across Azure, AWS, and GCP.
“[Security] is the mother of all problems,” Microsoft’s new security chief Charlie Bell said to the Wall Street Journal in an interview. “If you don’t solve it, all the other technology stuff just doesn’t happen.”
The software giant, when announcing protection for Google’s GCP this week, spelled out the challenge as a “kind of a Frankenstein solution,” according to Bell, who was hired away from Amazon last year. “The problem is everywhere you glue things together, there are seams and those seams become places that people attack.”
Since Bell took the reins at Microsoft, he has moved to centralize Microsoft’s security efforts under one organization and now oversees an organization of 10,000 people. “He has a budget to spend billions of dollars to build security products,” according to the Journal.
As organizations look to the cloud, the reality today is an increasing cadence of sophisticated ransomware and nation-state attacks, Microsoft said in an announcement that came out the same day as the interview.
“Cloud, mobile, and edge platforms have driven unprecedented business innovation, adaptation, and resilience during this time, but this broad mix of technologies also introduces incredible complexity for security and compliance teams. The security operations center (SOC) must keep pace with safeguarding identities, devices, data, apps, infrastructure, and more. Further, they must take stock of evolving cyber risks in this multicloud, multi-platform world, and identify where blind spots may exist across a broad new set of users, devices, and destinations.”
A whopping 92 percent of respondents are using a multi-cloud model, Microsoft said, citing the Flexera 2021 State of the Cloud Report. And a survey sponsored by Microsoft shows that 73 percent of respondents say it’s challenging to manage multi-cloud environments.
In another survey, Microsoft interviewed more than 500 CISOs and found that cloud security remains the No. 1 concern and investment priority for security professionals.
Machine Identity in a multi-cloud world
Venafi is acutely aware of the challenge.
Very large organizations almost always have more than one cloud provider. And part of the success of their multi-cloud strategy is having a quick and easy way to change between cloud providers when the need arises.
But many organizations have not thought out this solution very far. For instance, what happens if an organization wants to move away from one provider, say AWS, and have this instance hosted by Azure? Their answer may be something like, "We’ll just get another instance at Azure." The problem is, they will not be able to use the certificate they got from AWS on Azure or any other cloud provider.
In many ways, changing cloud providers is like changing Certificate Authorities (CAs). You need to be able to identify all certificates associated with cloud instances in a given cloud provider, revoke them and reissue them on the new cloud provider. You can make this process relatively pain-free if you are able to automate it. But most organizations never get that far in their thinking.
In the cloud, as on premises, you need to have a complete and accurate inventory of all machine identities and you have to continually monitor them. It’s the only way that you will know whether the certificate is still on the AWS instance when it should be.
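The two practices described above, a continuously reconciled inventory of machine identities and a revoke-then-reissue plan when an instance moves between providers, can be sketched in a few lines. The following is an added example written for this post, not Venafi's code or any product's API: the provider names, instance identifiers, fingerprints and expiry dates are constructed sample data, and in real use the observed entries would come from scanning the instances (for example, by hashing the DER certificate each endpoint presents) rather than from a literal in the script.

```python
"""Reconcile an expected machine-identity inventory against what was observed
on cloud instances, and plan a provider migration (revoke, then reissue).

Added example, not Venafi's code. All providers, instance ids, fingerprints
and dates below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Identity:
    provider: str      # cloud provider the instance runs in: "aws", "azure", "gcp"
    instance: str      # instance identifier within that provider (constructed)
    fingerprint: str   # SHA-256 fingerprint of the certificate the instance serves
    not_after: datetime  # certificate expiry, timezone-aware


def fingerprint_of(der_cert: bytes) -> str:
    """Fingerprint a DER-encoded certificate the way the inventory records it.
    In practice der_cert is the certificate an instance actually presented."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


# Fixed reference time so the example is deterministic (constructed).
NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)

# What the inventory says should be deployed (constructed sample data).
EXPECTED = [
    Identity("aws", "i-0a1b2c3d", "sha256:1111", NOW + timedelta(days=200)),
    Identity("aws", "i-0e4f5a6b", "sha256:2222", NOW + timedelta(days=10)),
    Identity("azure", "vm-web-01", "sha256:3333", NOW + timedelta(days=300)),
    Identity("gcp", "web-1", "sha256:4444", NOW + timedelta(days=90)),
]

# What a scan of the instances actually found (constructed sample data):
# one instance serves a different certificate, one is missing, one is unknown.
OBSERVED = [
    Identity("aws", "i-0a1b2c3d", "sha256:1111", NOW + timedelta(days=200)),
    Identity("aws", "i-0e4f5a6b", "sha256:9999", NOW + timedelta(days=400)),
    Identity("gcp", "web-1", "sha256:4444", NOW + timedelta(days=90)),
    Identity("gcp", "web-2", "sha256:5555", NOW + timedelta(days=365)),
]


def reconcile(expected, observed, now=NOW, warn_days=30):
    """Compare inventory against observation and return the drift findings.

    missing    - inventoried identity not found on its instance
    drifted    - instance serves a certificate other than the inventoried one
    unexpected - certificate found on an instance the inventory knows nothing about
    expiring   - inventoried certificate within warn_days of expiry
    """
    exp = {(i.provider, i.instance): i for i in expected}
    obs = {(i.provider, i.instance): i for i in observed}
    findings = {"missing": [], "drifted": [], "unexpected": [], "expiring": []}
    for key, e in exp.items():
        o = obs.get(key)
        if o is None:
            findings["missing"].append(key)
        elif o.fingerprint != e.fingerprint:
            findings["drifted"].append((key, e.fingerprint, o.fingerprint))
        if e.not_after - now <= timedelta(days=warn_days):
            findings["expiring"].append(key)
    for key in sorted(obs.keys() - exp.keys()):
        findings["unexpected"].append(key)
    return findings


def migration_plan(expected, from_provider, to_provider):
    """List the steps for moving every identity off one provider onto another.

    Each certificate bound to the old provider is revoked there and a fresh one
    is issued for the instance on the new provider; the old certificate is never
    reused, because it is not portable between providers.
    """
    steps = []
    for i in expected:
        if i.provider == from_provider:
            steps.append(("revoke", i.provider, i.instance, i.fingerprint))
            steps.append(("reissue", to_provider, i.instance))
    return steps


if __name__ == "__main__":
    for kind, items in reconcile(EXPECTED, OBSERVED).items():
        print(f"{kind}: {items}")
    for step in migration_plan(EXPECTED, "aws", "azure"):
        print(step)
```

Running `reconcile` on a schedule is what turns a one-time inventory into continuous monitoring: a non-empty `drifted` or `missing` list is exactly the signal that a certificate is no longer on the AWS instance where it should be, and `unexpected` surfaces the instances nobody inventoried. `migration_plan` only enumerates the work; in a real migration each `reissue` step is where the automation requests a new certificate from the CA for the instance on the new provider.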