Security and multi-cloud: facing the hidden risks

As organisations evolve their cloud strategies, CISOs don’t have visibility of their new perimeter.

It’s easy – perhaps too easy – to think organisations fall into two neat categories when it comes to cloud strategy.

The first ‘easy’ category is a hybrid cloud approach. We see a mix of legacy, on-premises infrastructure and private and public clouds driven, in many cases, by rapid take-up of popular cloud services like Salesforce or Microsoft Office 365. This move has often been accelerated by the pandemic and the quick digital transformation it introduced.

The second category is a multi-cloud approach. The standard belief is that this is a more strategic, planned trajectory towards using many public cloud environments and no private data centres or clouds. Typically, this route leverages on-demand capabilities such as big data services from Google, applications operated from AWS and office suite products from Microsoft.  

However, I believe what’s happening is a staged mix of the two to form a single approach. 

We’re seeing a blended, multi-hybrid-cloud approach where hybrid is an interim phase on a strategic journey to multi-cloud.

The security challenges of multi-cloud adoption

In many cases, this complex cloud environment came about to save costs and facilitate operational changes in response to the challenges brought on by the pandemic, as well as to provide new and more adaptive products and services for customers. Often, though, these changes have been made with far less governance and control than previous business transformations. As a result, many CISOs don’t have clear visibility of how the organisation’s IT teams have moved their applications and data workloads across to multiple cloud environments, so they don’t know whether the correct controls are in place and they face hidden risk.

In the dark about their attack surface, organisations are relying on heavily adapted protections and tactically federated access controls. They’re trying to correlate events and telemetry across multiple cloud domains and identify anomalies from a disconnected mix of traditional and cloud security controls. This poses significant risks and can lead to: 

  • poor hybrid and multi-cloud security risk and threat management coverage
  • reduced high-confidence risk alerting
  • minimal inspection and reporting of traffic flows between clouds
  • no tracking or management of security posture and risk / compliance changes over time
  • uncertainty around cloud vendor responsibility models
  • lack of consistency amongst security policies for workloads within different clouds.

Taking responsibility for multi-cloud security and deployment

Over the past couple of years the organisation’s strategy has been driven by the business, making rapid decisions to keep operations going in a rapidly evolving working landscape. Security has been left to follow behind, playing catch-up to make sure each new development is secure.

Responsibility for cloud adoption is typically managed by internal business teams and IT, with specialist providers only engaged when scalability is required. In 65% of high maturity companies, the CIO is responsible for network and cloud security controls, and 30% of organisations manage their own cloud security controls. This means significant digital transformations are taking place without the specialist support of security advisors. These advisors could ensure clear governance structures and risk considerations are developed across the top to minimise the longer-term impacts of hidden technical debt, increased operational costs, and supply chain fragility.

A ‘one-stop-shop’ for cloud and security controls?

Many businesses haven’t re-imagined their security approach for the cloud, or sufficiently developed an inclusive cloud security architecture, instead simply choosing to extend and adapt existing tooling and processes. But in many cases, existing security controls are unsuitable for the dynamic nature of cloud environments, particularly when it comes to properly securing multi-cloud deployments.

Luckily, standalone cloud security vendors and cloud hyperscalers are developing a wide range of ‘point’ cloud security solutions where security controls are embedded within their platforms. It’s an attractive path to cloud security compliance and a ‘one-stop-shop’ to procure both the cloud infrastructure and the control.

Before deploying these solutions, however, it’s important for businesses to ask six fundamental security questions:

  1. Has our business data been optimally discovered and classified?
  2. Are user access and entitlement controls effective and enforceable?
  3. Are cloud asset inventories and configurations being discovered and monitored?
  4. Are consistent and appropriate cloud application access controls in place?
  5. Are cloud security posture management tools delivering actionable events?
  6. Have continuous endpoint posture and user validation and response controls been deployed?

Faced with these considerations, the seeming simplicity of a single point of control across multiple clouds and legacy infrastructure becomes more complex, leaving organisations unsure how to proceed.

Cutting through the complexity and deciding on the best approach

An inclusive cloud security architecture is the best way forward, but choosing the best approach depends on an organisation’s specific needs.


Approach one

Identify and implement best-of-breed security controls.


Approach two

Select a single vendor partner.


Get specialist advice

With both approaches, engaging with a specialist security advisor is a must.


Build an effective and secure cloud architecture

Leverage inherent cloud service capabilities and integrate discrete controls specific to your requirements.

With approach one, organisations embrace native cloud controls, but these require significant integration and orchestration within a distributed heterogeneous estate – so expert security support is essential. But if an organisation chooses approach two with a single vendor partner, it must look at the strength and coverage of the partner’s portfolio, ability to address core requirements, and strategic vision in their roadmap.

How a trusted third party can help

Partner with a trusted third party who can objectively review and contribute to strategic multi-cloud adoption. This will mean a smoother deployment and the option to co-manage selected security controls. It’s an approach that gives the best balance between in-house control and cost-efficiencies.

Get in touch today to find out how we can help you secure your multi-cloud infrastructure.