Dealing with Drift and Networks Across Multi-Cloud Deployments
By William Toll, Sr. Director, Product Marketing
Multi-cloud, Infrastructure as Code (IaC), DevSecOps, all these buzzwords herald a new age of enterprise software architectures, development, and operations. Agility, scale, and automation promise to deliver on the “digital transformation” projects that business units are pushing and budgeting for.
Great. However, developing fast and deploying quickly on top of new technologies is not without big risks.
One of the biggest challenges and least understood is “drift.” Simply put, drift is when the state of infrastructure does not match the defined state that the architects and security pros had designed and tested.
Today, enterprises often struggle to defend the atomized network because they have no way to see the users, applications, data, and devices they have, what those are doing, and what is happening to them. Drift makes this worse: the running state of the network infrastructure no longer matches the defined state the cloud architect or security team specified in the original configuration. With today’s software-defined networks, complex configurations, and segmentation, a drifted configuration (a firewall rule opened for testing and never closed, a segment boundary that is no longer enforced) can quickly become exploitable in an intrusion. More and more teams are learning that every drift event causes issues across multiple teams and generates a new set of fixes, while remaining a potential security issue until it is reconciled.
What are the consequences of drift?
- Increased risk of network intrusions and data breaches
- Compliance and audit exceptions and failures
- Deployment and upgrade failures for CloudOps and DevSecOps teams
- Downtime for users when their applications are not accessible
What causes drift?
- Upgrades and patching. In a world of zero-day vulnerabilities, many remediations apply differently for each cloud provider, even for the same type of infrastructure or workload. Automated upgrades and patches, combined with a lack of deep shared understanding across CloudOps, DevSecOps, and the SOC, mean that a patch may not account for dependencies the architect designed the workload and its cloud-specific deployment around.
- Manual changes made to networks to handle scaling or during testing that are subsequently not communicated back to the architect or security teams. A similar issue arises with poor Infrastructure as Code (IaC) practices that produce configurations outside of the original design.
- Third-party changes coming from the hyperscale cloud providers, open-source components, and third-party APIs that differ from the original specification.
- Poor visibility and a lack of configuration drift detection across the atomized network, together with lackluster application of the policies and controls that maintain good network security and hygiene.
Managing complex atomized networks is a core requirement of any multi-cloud strategy. Achieving scalable, continuous network security and visibility is central to your ability to stay ahead of configuration drift before it becomes costly to fix or, worse, the attack vector that is used to gain access to your network. Here are some of the top ways that teams are improving their people, processes, and technologies to prevent drift in their atomized networks.
What are the best ways to prevent drift?
- Documentation and communication. From the design phase, through development, testing, and production deployments, ensure the network architecture that the cloud architect(s) planned is configured properly. Then ensure the proper use of Infrastructure as Code, change control, and testing procedures are followed across teams when updates and changes are made.
- Design customized security policies for each application and workload that account for the unique underlying infrastructure and networks, so that controls and detection models can be implemented to detect drift.
- Consolidate and modernize your network visibility and capabilities so they cover all of the atomized networks.
- Customize and ensure that configuration drift detection models can be applied across all network segments across the atomized network, without slowing down or interfering with cloud deployments.
- Automate response and alerting, and subsequent remediation when configuration drift is detected.
- Ensure that all teams are consciously designing for and monitoring 3rd party APIs, cloud services platform changes, and open-source component updates.
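The definition of drift above (running state not matching declared state) and the detection and automated-response items in this list come down to one mechanical step: diff what the IaC declares against what the cloud actually reports, then score the differences so an alert or a deployment gate can act on them. The following is an added example written for this post; it is not code from the original article or from Netography, and it does not call any real provider API. The rule format (direction, protocol, port range, CIDR), the group names `sg-web` and `sg-db`, and both the declared and observed rule sets are constructed assumptions standing in for a Terraform plan and a cloud "describe security groups" response. The observed data deliberately contains a manual SSH opening to the internet and a widened database CIDR, the kind of change made during testing and never communicated back.

```python
"""Detect configuration drift by diffing declared (IaC) firewall rules
against the rules actually observed in a cloud account.

Added example, not code from the original post or from Netography.
The rule schema and all sample data below are constructed assumptions,
not the output of any real provider API.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple

# A rule is normalised to a hashable tuple so set arithmetic finds drift.
Rule = Tuple[str, str, int, int, str]  # (direction, proto, from_port, to_port, cidr)

# Ports where an unexpected internet-wide ingress rule is treated as high severity.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379}


def normalise(rule: dict) -> Rule:
    """Canonicalise a rule so cosmetic differences ('TCP' vs 'tcp',
    trailing whitespace, string vs int ports) do not register as drift."""
    cidr = str(ip_network(rule["cidr"].strip(), strict=False))
    return (rule["direction"].strip().lower(), rule["proto"].strip().lower(),
            int(rule["from_port"]), int(rule["to_port"]), cidr)


@dataclass
class Finding:
    group: str
    kind: str      # "unexpected": present but not declared; "missing": declared but absent
    rule: Rule
    severity: str  # "high" or "medium"


def severity_of(kind: str, rule: Rule) -> str:
    """Unexpected ingress from the whole internet to a sensitive port is high;
    every other deviation from the declared state is medium."""
    direction, _proto, lo, hi, cidr = rule
    world = ip_network(cidr).prefixlen == 0          # 0.0.0.0/0 or ::/0
    touches_sensitive = any(lo <= p <= hi for p in SENSITIVE_PORTS)
    if kind == "unexpected" and direction == "ingress" and world and touches_sensitive:
        return "high"
    return "medium"


def detect_drift(declared: Dict[str, List[dict]],
                 observed: Dict[str, List[dict]]) -> List[Finding]:
    """Return one Finding per rule that exists in only one of the two states."""
    findings: List[Finding] = []
    for group in sorted(set(declared) | set(observed)):
        want: Set[Rule] = {normalise(r) for r in declared.get(group, [])}
        have: Set[Rule] = {normalise(r) for r in observed.get(group, [])}
        for rule in sorted(have - want):
            findings.append(Finding(group, "unexpected", rule, severity_of("unexpected", rule)))
        for rule in sorted(want - have):
            findings.append(Finding(group, "missing", rule, severity_of("missing", rule)))
    return findings


def has_blocking_drift(findings: List[Finding]) -> bool:
    """Gate for a pipeline: any high-severity drift should stop a deployment."""
    return any(f.severity == "high" for f in findings)


def render(findings: List[Finding]) -> List[str]:
    """One alert line per finding, suitable for a SOC queue or chat webhook."""
    return [f"[{f.severity.upper()}] {f.group}: {f.kind} rule {f.rule}" for f in findings]


# Constructed sample data. DECLARED mimics what the IaC says should exist;
# OBSERVED mimics what the cloud control plane reports right now.
DECLARED = {
    "sg-web": [
        {"direction": "ingress", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"direction": "ingress", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
    ],
    "sg-db": [
        {"direction": "ingress", "proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.1.0/24"},
    ],
}

OBSERVED = {
    "sg-web": [
        # Same as declared, only cosmetically different; must NOT be reported.
        {"direction": "INGRESS", "proto": "TCP", "from_port": "443", "to_port": "443", "cidr": "0.0.0.0/0"},
        {"direction": "ingress", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8 "},
        # Manual change during testing: SSH opened to the internet.
        {"direction": "ingress", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    ],
    "sg-db": [
        # Declared /24 replaced by a much wider /8.
        {"direction": "ingress", "proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/8"},
    ],
}

if __name__ == "__main__":
    drift = detect_drift(DECLARED, OBSERVED)
    print("\n".join(render(drift)))
    print("blocking:", has_blocking_drift(drift))
```

Running it reports three findings: the widened database CIDR shows up as an unexpected `/8` rule plus a missing `/24` rule (both medium), and the internet-wide SSH rule on `sg-web` is flagged high and trips `has_blocking_drift`. The cosmetically different HTTPS rule is correctly ignored because comparison happens on normalised tuples. In practice the two inputs would be fed from the IaC state file and a scheduled provider API call, and the high-severity path would open a ticket or revert the rule automatically.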
Netography Fusion® is for enterprise security operations center (SOC) and cloud operations teams that need scalable, continuous network visibility across the Atomized Network – legacy, on-premises, hybrid, multi-cloud, and edge environments. With the Netography Fusion platform, these teams gain visibility to network traffic and context across data, applications, devices, and users, and see what they are, what they are doing, and what’s happening to them. It’s easy to detect network issues with customized Netography Detection Models (NDM) that your teams can create to ensure that configuration drift is detected and a response is orchestrated.