momius - Fotolia
Compared to traditional on-premises environments -- and even the use of a single IaaS provider -- multi-cloud deployments demand a lot of change, including how you protect your data.
Follow these three tips for erasure coding, encryption and data compression to bolster your multi-cloud security strategy.
Erasure coding is a model in which admins distribute data among several locations -- or, in the case of multi-cloud, across several IaaS platforms. This ensures that, even if attackers hack one or two of those platforms, they won't be able to retrieve enough information to rebuild the entire data set.
Erasure coding works by adding a set of extra storage blocks to each "stripe" of data in such a way that the loss of several blocks still won't prevent data retrieval. For example, let's say an admin recodes a stripe of 10 data blocks to include six extra blocks. This means any six blocks can be lost, and you can still retrieve data.
In addition, it's possible to split up those 16 blocks across multiple cloud platforms, so if a company uses four clouds, it could put four blocks on each. To retrieve data, a hacker would then need to reach three out of the four clouds and read at least 10 blocks. This means that a hacker could only access your data if he or she has a file map and access to application space.
Despite its benefits, erasure coding can be compute-intensive and time-consuming. Still, the potential for highly parallel read/write operations usually offsets this. Hardware to better support the erasure coding process is in the works, and some GPU-based systems already demonstrate multigigabyte-per-second operation.
Encryption is absolutely mandatory for multi-cloud security. While this might seem obvious, many companies still don't properly encrypt their data.
Set up different encryption keys for each cloud platform you use, as this will limit the scope of attacks caused by accidental key disclosure on one of those platforms. Keep in mind, however, that this makes it more difficult to move data between cloud platforms.
It's critical, in any cloud deployment, to keep your encryption keys safe, so be sure to carefully evaluate your cloud provider's options for key management. In addition, use a solid encryption package, with AES (Advanced Encryption Standard) 256 or better, and limit keys and master passwords to a few senior admins to prevent insider attacks.
Data compression, access control and more
Data compression can also play an important role in multi-cloud security. After compression, any file is essentially unrecognizable, unless the primitive data library is available.
Access control is another area to focus on. User permissions are difficult to manage at scale, which is necessary within a multi-cloud model, but it's better to limit who can access a data set than to have to perform damage control after a hack. Ensure very few people can access more than a subset of the virtual LAN configuration. In addition, implement an intrusion detection package, ideally an AI-driven one, to receive real-time warnings when an unauthorized user attempts access.
Lastly, shadow IT will be difficult to avoid in any multi-cloud security strategy. One issue, in particular, is when users copy files into a shadow system, which then exposes data. While it's possible to ban data copying -- and enforce that policy through internal code -- this won't fully protect you from the threat of shadow IT itself. This area is still very much a work in progress.