Recently, we’ve seen lots of activity and announcements around multicloud security – particularly network security (or the expanded view – secure cloud networking). We have been in this game longer than most competitors, and our experience has uniquely positioned us to solve customers’ multicloud challenges better. In customer conversations, we have observed three statements that get thrown around a lot in the market, in most cases without really considering the customer implications and the impact they have on the requirements for a solution. Briefly, they are:

  1. You cannot secure what you cannot see
  2. Network and security have to come together
  3. All security must be multicloud (but what does that actually mean?)

#1 You Cannot Secure What You Cannot See – But Security Remains the Goal

This is obvious on its face. But the corollary is that seeing a problem and not being able to do anything about it might be the worst thing ever. First, visibility should be easy: it shouldn’t require deployment of infrastructure. Second, visibility here helps us achieve an outcome – namely, securing cloud workloads by putting defenses in place. In other words, see a problem, fix a problem – all in the same solution. Additionally, when we talk about securing things we see, even the act of deciding what policy to use requires us to better understand all things cloud. In the cloud, workloads are tagged (in part because physical location and IP addresses are neither static nor controlled by you). Cloud security solutions not only have to consume cloud-native tags and attributes at enterprise scale, but also treat them as first-class policy objects.

#2 Networking and Security Have to Come Together – Else Security is Always Behind

After countless hours of conversations with customers, the common pain point they expressed was how they struggle to secure workloads in the cloud quickly and at scale. The root of the problem wasn’t organizational structure or lack of efficiency. Rather, their cloud networking and security stacks weren’t working together.

First, with the dynamic nature of the cloud, networking and security controls must be able to work with one another to automatically adapt and evolve as environments change, so that defenses remain in place. Second, security and networking coming together means that administrators shouldn’t have to go to multiple places to manage policy (security) and enforcement infrastructure (arguably, networking). Yet legacy vendors regularly attempt to force-fit datacenter products into the cloud. The cloud is not your datacenter, and force-fitting technologies into an environment where they will struggle to keep pace and scale with dynamic environments is an inferior approach. The best approach is to centrally manage multicloud policy and infrastructure while incorporating distributed enforcement points. This allows you to manage your cloud environments globally while simultaneously enforcing security policy locally. Our approach follows this best practice using a Software-as-a-Service (SaaS) controller (not VM-based) with in-account (or in-datacenter) Platform-as-a-Service (PaaS) enforcement.

#3 All Security Must be Multicloud – Which is Different Than Running in Multiple Clouds

Over the last few years, legacy vendors have claimed their security appliances run in all clouds. But running multiple point security tools in cloud environments does not make their approach a solution to multicloud problems. From the customer perspective, a multicloud solution starts with a single policy (policy for an app, not an appliance) that can be implemented across all clouds, public and private, through a single, scalable service. As a best practice, the service should manage both infrastructure and policy, bringing networking and security together while giving organizations the visibility they need to place security controls strategically and accurately. You get the idea: configuring individual policies on individual devices across individual clouds does not solve multicloud problems. Writing a policy once and distributing it across the clouds from a single location does.

The Implications for Enterprises – Requirements are Changing for the Better

The multicloud world is ever-evolving, and organizations are continuously adjusting evaluation requirements to adequately protect their cloud workloads. We have heard from numerous customers that visibility into their network, bringing networking and security together, and solving multicloud problems with a true multicloud solution are top-of-mind criteria in their decision-making process.

To learn more about how Cisco is helping organizations overcome the three hard truths of multicloud security, visit www.cisco.com/go/multicloud-defense.

Vishal Jain

Vice President

Security Business Group Engineering