Enhancing Multi-cloud Security with Policy as Code and a Cloud Native Application Protection Platform

Over the past 15 years, the Cloud Computing paradigm has steadily gained popularity due to the advantages it offers, such as flexibility, scalability, and reliability. In today’s business landscape, there is a notable trend toward the increased adoption of Multi-Cloud strategies by companies to provide services to customers, employees, and other businesses. A 2023 study conducted by Oracle [9] reveals that 98% of surveyed enterprises use at least two cloud infrastructure providers and 31% are using four or more; This widespread adoption underscores the necessity for the implementation of innovative security strategies to safeguard these complex environments. In this context, Cloud Native Application Protection platforms (CNAPPs), represent a novel tool utilized to enforce industry-standard compliance and security across one or more cloud platforms. This thesis dissertation analyzes the field of Multi-Cloud Security, discussing some solutions proposed in the literature and showcasing a realistic enterprise Multi-Cloud infrastructure whose security has been assessed by integrating a CNAPP solution named Sysdig Secure. The work starts off with a description of Cloud Security and Cloud Governance key concepts, to continue with an examination of two different Security-as-a-Service solutions proposed in the literature. Subsequently, an entire chapter is dedicated to the Policy-as-Code paradigm and to how it can be effectively exploited to ensure compliance in DevSecOps pipelines, Public Cloud platforms, and diverse hosts. Following this, a proof-of-concept Multi-Cloud infrastructure that emulates the resources and features of a company cloud environment is proposed, along with a thorough description of all the integrations implemented from Identity and Access Management, Secrets Management, and Observability points of view. This work also demonstrates how a Cloud Native Application Protection platform has been successfully configured to provide Infrastructure-as-Code security (IaC-Sec), Cloud Security Posture Management (CSPM), and Cloud Workload Protection (CWP) within the previously introduced multi-cloud environment. Finally, the last chapter verifies the proper functioning of all the services offered by the multi-cloud infrastructure and evaluates the quality of the security assessments carried out by Sysdig Secure CNAPP.