Page 137 - Cyber Defense eMagazine April 2023
A multi-cloud, multi-cluster world
According to one report, 92% of enterprises had a multi-cloud strategy last year. Deploying workloads
across multiple public clouds can be particularly useful for organizations in highly regulated industries
such as financial services. It can help them meet compliance-driven data sovereignty and availability
requirements: sensitive information is stored in the right jurisdiction, and systems keep running even
if one provider fails. A multi-cloud strategy also lets banks take advantage of best-of-breed capabilities
offered by specific providers, and it reduces the risk of vendor lock-in, which may itself be a concern
for regulators.
As multi-cloud has grown in popularity, so have containers and microservices, which give organizations a
portable way to run the same workloads across these different cloud environments. In most cases,
Kubernetes is the de facto system used to deploy, scale and manage those containers. Here too, financial
services companies are choosing to run not just a single cluster but multiple clusters, spread across
multiple cloud environments, to reduce vendor lock-in, improve performance, and increase availability
and resiliency.
But government and financial regulations also require businesses to demonstrate control over these
environments in order to mitigate cyber risk. That control should cover not only human identity and access
management, but also the digital certificates and keys that make up machine identities.
When the auditors come knocking
What do we mean by machines in this context? The term covers anything from devices to workloads,
applications, containers and clusters. A machine identity is what lets one of these assets prove who it is
to another and what keys the encrypted channel between them. Fail to keep these identities current and
secure, and the "machines" they belong to become open to hijacking and impersonation, which in turn can
lead to data breaches, ransomware, crypto-jacking and much more. For financial services organizations,
that translates directly into significant reputational and financial risk.
The bad news is that there are several roadblocks to effective machine identity management. Containers
in particular are dynamic and ephemeral, appearing and disappearing all the time. Each new one needs
its own digital certificate, which may be valid for only an hour or two before it has to be replaced.
Multiply this out over multiple clusters and clouds, and the number of identities in play grows very
quickly.
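What that churn looks like from the auditor's side is an inventory that has to be rebuilt continuously rather than once a year. The following Go program, added here as an illustration and not taken from the article or from any vendor's product, shows the core of such an inventory check: it mints three constructed workload certificates with deliberately different lifetimes (one hour, three hours and ninety days, issued at an assumed fixed time so the run is repeatable), parses them back the way a scanner would parse certificates pulled out of several clusters, and classifies each one as valid, expiring or expired at a chosen instant. The cluster names, workload names and the 90-minute warning window are all assumptions made for the example; a self-signed certificate stands in for whatever CA issues workload certificates in a real environment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Identity is one row of a machine-identity inventory: which cluster the
// certificate was found in, which workload it names, who issued it,
// when it stops being valid and how long it was valid for in total.
type Identity struct {
	Cluster  string
	Workload string
	Issuer   string
	NotAfter time.Time
	Lifetime time.Duration
}

// Status is the monitoring verdict for one identity at a given instant.
type Status string

const (
	StatusValid    Status = "valid"
	StatusExpiring Status = "expiring" // still valid, but inside the warning window
	StatusExpired  Status = "expired"
)

// SampleBase is the constructed issuance time for the sample certificates
// (an assumption made so that the example is deterministic).
var SampleBase = time.Date(2023, 4, 1, 0, 0, 0, 0, time.UTC)

// issueCert mints a self-signed workload certificate with the given lifetime.
// It stands in for whatever CA issues certificates in a real cluster; the
// inventory logic below only ever sees the resulting PEM.
func issueCert(workload string, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: workload},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// Inventory parses every PEM certificate collected per cluster into one table.
// A blob that does not parse is an error rather than a silent skip: an
// inventory that quietly drops entries is exactly what an auditor cannot accept.
func Inventory(pemsByCluster map[string][][]byte) ([]Identity, error) {
	var rows []Identity
	for cluster, pems := range pemsByCluster {
		for _, p := range pems {
			block, _ := pem.Decode(p)
			if block == nil || block.Type != "CERTIFICATE" {
				return nil, fmt.Errorf("%s: not a PEM certificate", cluster)
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", cluster, err)
			}
			rows = append(rows, Identity{
				Cluster:  cluster,
				Workload: cert.Subject.CommonName,
				Issuer:   cert.Issuer.CommonName,
				NotAfter: cert.NotAfter,
				Lifetime: cert.NotAfter.Sub(cert.NotBefore),
			})
		}
	}
	return rows, nil
}

// Classify reports whether an identity is expired, about to expire (within
// warn of now) or valid. Expiry is inclusive: at NotAfter itself it is expired.
func Classify(id Identity, now time.Time, warn time.Duration) Status {
	switch {
	case !now.Before(id.NotAfter):
		return StatusExpired
	case now.Add(warn).After(id.NotAfter):
		return StatusExpiring
	default:
		return StatusValid
	}
}

// BuildSampleInventory issues three constructed certificates across two
// assumed clusters with very different lifetimes and inventories them.
func BuildSampleInventory() ([]Identity, error) {
	specs := []struct {
		cluster, workload string
		lifetime          time.Duration
	}{
		{"aws-prod-eu", "payments-api", time.Hour},               // short-lived sidecar cert
		{"aws-prod-eu", "ledger-worker", 3 * time.Hour},          // slightly longer-lived
		{"gcp-dr-eu", "batch-reconciler", 90 * 24 * time.Hour},   // long-lived, manually issued
	}
	pems := map[string][][]byte{}
	for _, s := range specs {
		p, err := issueCert(s.workload, SampleBase, s.lifetime)
		if err != nil {
			return nil, err
		}
		pems[s.cluster] = append(pems[s.cluster], p)
	}
	return Inventory(pems)
}

func main() {
	rows, err := BuildSampleInventory()
	if err != nil {
		panic(err)
	}
	now := SampleBase.Add(2 * time.Hour) // pretend the check runs two hours after issuance
	for _, r := range rows {
		fmt.Printf("%-12s %-18s lifetime=%-8s expires=%s %s\n",
			r.Cluster, r.Workload, r.Lifetime, r.NotAfter.Format(time.RFC3339),
			Classify(r, now, 90*time.Minute))
	}
}
```

Run two hours after issuance with a 90-minute warning window, the one-hour certificate is already expired, the three-hour one is flagged as expiring, and the 90-day one is valid. In a real deployment the PEM blobs would come from each cluster's secrets store or service mesh rather than from issueCert, and the check would run on a schedule so that the inventory is never older than the shortest certificate lifetime in the estate.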
Research reveals that the average organization used nearly 250,000 machine identities at the end of
2021, and that this figure is expected to more than double to at least 500,000 by 2024. Three-quarters of
surveyed CIOs said they expect digital transformation initiatives to increase the number of machine
identities in their organizations by at least 26%. We would expect similar findings in the financial
services sector.
The challenges are multiplied by the fact that each cloud provider's native identity management tools only
manage identities within that provider's own environment, and none of them offers continuous monitoring of
machine identities across the whole estate. The result is duplicated effort, extra expense and critical
security gaps. It also puts financial services firms at risk of failing risk management audits, which will
at the very least require them to show an inventory