Governance, identity, and authentication in the multi-cloud world

Multi-cloud, multi-issue? The nuts and bolts of modern authentication.
20 March 2023

Multi-cloud security and identity governance – an evolving challenge.

The world is increasingly run on multi-cloud technology, and in multi-cloud environments. That means governance, identity and authentication within those environments are becoming increasingly important to any company’s cybersecurity strategy.

We sat down with Kevin Bocek, VP of Ecosystem and Community at Venafi, a company that specializes in machine identity management and application outage prevention, to investigate the state of the developing arts of governance, identity, and authentication in the world of multi-cloud.

Multi-cloud governance.

THQ:

How do we deliver governance, identity, and authentication in a meaningful, consistent, and reliable way within the multi-cloud environment?

KB:

That’s a biggie. First of all, let’s talk about identity in cloud-native environments, which then will get us into just how we deliver it.

What does cloud-native mean? It’s basically software that is designed to run anywhere. It could run in a public cloud provider, it could run in my private cloud, it could run in our data center, it could run in all those places. It could run in a connected device, because I can take that code that runs on a $5 million surgical robot, and I can run it also in a cloud provider. That means I can also simulate it – I could create a digital twin of it.

So cloud-native just means it’s designed to run anywhere with that agility.

Most often, of course, when we think about cloud-native, we think about things like Kubernetes, and Kubernetes runs everywhere from a data center to a public cloud. You’ll see Kubernetes running in restaurants, you can even see Kubernetes running in diesel engines made by leading manufacturers. So that’s the premise – it can run anywhere.

The thing about that is, for example, if software is going to run anywhere, how do we know what’s good or bad? What’s friend or foe?

The answer to that is identity. And that forms the first part of the common element in cloud-native, which is that identity establishes what is good or bad.

Identity, identity, identity…

Identity being as important as it is in cloud-native is more or less a whole new concept that wasn’t there before. If you think about traditional operating systems, like a desktop or server, the idea of identity was many steps down the line. Even once we get to cloud providers, identity was important, but cloud providers thought about features first, rather than identity management.

But in cloud-native, identity is actually where it all starts. So – great news! In cloud native, identity is built in, and specifically, we’re talking about machine identity. There are different types of machine identities in a cloud-native world, because we’ve got containers that we need to run, we’ve got the workloads that run in those containers that have to talk to other containers (microservices), we’ve got those groupings of microservices that we would call a cluster, clusters have to talk to other clusters to do work, clusters have to talk to other cloud services that are completely unrelated.

That creates a problem that gets multiplied, because we can run in one cloud, we can run Kubernetes in our data center, and Kubernetes in the cloud, and each one now starts to have its own set of machine identities – and they don’t work with each other.

That gets to the first part of the question. We have to have governance, we have to have a single, consistent way of working with identity across those different cloud-native environments. Essentially, we need a control plane.

In networking, you’ve got the network layer, the data layer, and then you’ve got the control plane to manage that networking layer. It’s the same idea in cloud-native, we have all these different identities being used, and then we need an identity control plane across different environments.

Gartner recently came forward with research that shows that we’re now living in an omnipresent cloud environment. That means we’re living in a world in business, where cloud isn’t a technology, it’s a way of doing business.

Infinite machines.

We build businesses in the ways that clouds can deliver. And because of that, we’re not using just one cloud. We’re using cloud providers based on whatever they do best, and we end up in a multi-cloud environment. Then we need a set of services, machine identity being one of them as we live in this omnipresent cloud world.

So identity is fundamental, particularly machine learning. The machine identity world is vastly larger than the human identity world. There are only so many customers you can have in a business. Only so many team members you can have in your workforce, but the number of machines is infinite.

So you have to have that governance to be able to control those identities. Where are you getting it from? Which one should we trust? How do we run authentication? Once we have governance, we can specify which identities can be used. What do you do with identities? If you can authenticate them, you’ve got control over those different players.

So for someone who works in customer identity management, or workforce identity management, these ideas will be like, “This is what we do every day.” But these are new concepts in terms of the cloud-native world. Because in cloud-native, we’ve only been doing this for around four years. And we’ve been accelerating into it over the last two years.

Now we’ve got applications running in one cloud provider, applications running in another, and we’re starting to see the inefficiencies, the uncertainty, and possibly the opportunity for unauthorized access.

And so now we have to get that governance to control which identities we’re going to trust, and which ones can be useful in authenticating which applications.

Corporate responsibility.

THQ:

Would that be done on an individual business basis? Or would that have to be done on a larger, more general basis?

KB:

This is done on a per-business basis. After all, you and I might both use AWS and Microsoft Azure. But what makes your use of Amazon or Microsoft Kubernetes different from mine? It’s the identity of our services. So that identity is individual to the company, and it’s your responsibility, and mine.

One of the initiatives in the Biden administration’s new cybersecurity pillars is that consumers should not have to bear the negative impact of a business making poor security decisions. So the business is accountable, but it will have a significant impact on questions of whether their bank account is secure, whether their shopping carts are secure, and whether their credit cards are being processed correctly.

Playing catchup.

THQ:

And as you mentioned, we haven’t been doing this that long. How ready do we think businesses are to take that on? Technically, they have to be able to deliver this sort of governance, or they stop working, right?

KB:

Well, as I mentioned, this is one of the things in cloud-native, like with Kubernetes, or with public cloud services – many times they come with this ability to manage machine identities built in. So things like TLS certificates, or new types of identities like SPIFFE are built in. And so what happens is developers start to use these, and they get into production.

Now, security teams haven’t been involved in those developments. And security teams are accountable for protecting the business. What we see then is errors or a lack of reliability, because there’s a misconfiguration in the machine identities that then becomes a security issue.

The security team didn’t deploy it. They didn’t design it, but now they are accountable. Cybersecurity teams are playing catchup in these new public cloud and cloud-native environments that developers have built. And that’s leading to a skills gap.

Do we have controls that actually work in those environments? Would we even know what to do? What does good governance look like? What is a policy for authentication that should be followed?

These are things that security teams are catching up on, which is why governance in cloud-native and multi-cloud environments is an emergent problem.
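The governance questions raised in the interview above (which identities do we trust, which issuers, what does a policy for authentication look like once developers have already shipped TLS certificates and SPIFFE identities into production) can be made concrete as a policy check run over an inventory of machine identities gathered from several clusters. The following is an added example written for this article; it is not Venafi, Kubernetes or SPIFFE project code. The inventory, the trust domain `prod.example.com`, the issuer names and the thresholds are all constructed for illustration; the SPIFFE ID format rules (`spiffe://` scheme, lowercase trust domain, no empty, `.` or `..` path segments) follow the published SPIFFE ID specification.

```python
"""Governance check over machine identities discovered across clusters.

Added example, not code from the interview or from Venafi/SPIFFE.
The inventory and policy values below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Hypothetical company policy: which trust domains and CA issuers are
# allowed, minimum RSA size, and how early to warn about expiring certs.
TRUSTED_TRUST_DOMAINS = {"prod.example.com"}
TRUSTED_ISSUERS = {"CN=Corp Internal CA", "CN=SPIRE prod.example.com"}
MIN_RSA_BITS = 2048
EXPIRY_WARNING = timedelta(days=30)

# SPIFFE trust domains are lowercase letters, digits, dots, dashes, underscores.
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")


def parse_spiffe_id(uri):
    """Split a SPIFFE ID into (trust_domain, path); raise ValueError if the
    string does not follow the SPIFFE ID format."""
    parts = urlparse(uri)
    if parts.scheme != "spiffe":
        raise ValueError("scheme must be 'spiffe'")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("userinfo, query and fragment are not allowed")
    if not parts.netloc or not _TRUST_DOMAIN_RE.match(parts.netloc):
        raise ValueError("trust domain must match [a-z0-9._-]+")
    if parts.path:
        for segment in parts.path.split("/")[1:]:
            if segment in ("", ".", ".."):
                raise ValueError("path segments must be non-empty, not '.' or '..'")
    return parts.netloc, parts.path


def evaluate_identity(ident, now):
    """Return the list of governance findings for one discovered identity.
    An empty list means the identity is compliant with the policy above."""
    findings = []
    if ident["issuer"] not in TRUSTED_ISSUERS:
        findings.append("untrusted-issuer")
    if ident["subject"].startswith("spiffe://"):
        try:
            trust_domain, _ = parse_spiffe_id(ident["subject"])
        except ValueError:
            findings.append("malformed-spiffe-id")
        else:
            if trust_domain not in TRUSTED_TRUST_DOMAINS:
                findings.append("untrusted-trust-domain")
    not_after = datetime.fromisoformat(ident["not_after"])
    if not_after <= now:
        findings.append("expired")
    elif ident["kind"] == "tls-cert" and not_after - now < EXPIRY_WARNING:
        # Short-lived SVIDs rotate automatically; only long-lived TLS
        # certificates get the "expires soon" warning.
        findings.append("expires-soon")
    if ident["key_type"] == "RSA" and ident["key_bits"] < MIN_RSA_BITS:
        findings.append("weak-key")
    return findings


def audit(inventory, now):
    """Map each identity's subject to its findings."""
    return {ident["subject"]: evaluate_identity(ident, now) for ident in inventory}


# Constructed inventory: identities as a discovery job might report them
# from two clouds plus a data-center cluster. Evaluated at a fixed time.
NOW = datetime(2023, 3, 20, tzinfo=timezone.utc)
INVENTORY = [
    {"cluster": "aws-prod", "kind": "x509-svid", "key_type": "EC", "key_bits": 256,
     "subject": "spiffe://prod.example.com/ns/payments/sa/api",
     "issuer": "CN=SPIRE prod.example.com", "not_after": "2023-03-20T01:00:00+00:00"},
    {"cluster": "azure-dev", "kind": "x509-svid", "key_type": "EC", "key_bits": 256,
     "subject": "spiffe://dev-cluster.local/ns/default/sa/default",
     "issuer": "CN=dev-cluster-ca", "not_after": "2023-03-20T01:00:00+00:00"},
    {"cluster": "aws-prod", "kind": "tls-cert", "key_type": "RSA", "key_bits": 2048,
     "subject": "shop.example.com",
     "issuer": "CN=Corp Internal CA", "not_after": "2023-04-05T00:00:00+00:00"},
    {"cluster": "dc-legacy", "kind": "tls-cert", "key_type": "RSA", "key_bits": 1024,
     "subject": "spiffe://Prod.Example.com/../admin",
     "issuer": "CN=Corp Internal CA", "not_after": "2024-01-01T00:00:00+00:00"},
    {"cluster": "dc-legacy", "kind": "tls-cert", "key_type": "RSA", "key_bits": 2048,
     "subject": "payments-legacy.internal",
     "issuer": "CN=Corp Internal CA", "not_after": "2023-03-01T00:00:00+00:00"},
]

if __name__ == "__main__":
    for subject, findings in audit(INVENTORY, NOW).items():
        print(f"{subject}: {', '.join(findings) or 'compliant'}")
```

The point of the separation between `parse_spiffe_id`, `evaluate_identity` and the policy constants is that the policy (trusted domains, trusted issuers, key and expiry thresholds) is the governance decision a security team owns, while the discovery data is whatever developers have already deployed; the audit makes the mismatch between the two visible per cluster rather than leaving it to be found as an outage or an unauthorized-access incident.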


While we had Kevin in the chair, we took this point further with him. In the next article in this series, we’ll delve into the emergent role of the platform engineering team, and how the demands of multi-cloud and cloud-native governance are beginning to reshape the needs of companies – and the teams that meet those needs.