Cloud strategies enable collaboration, innovation, and remote work. As with any technology strategy, no one-size-fits-all solution exists. This leads many organizations to establish multi-cloud environments in support of their business goals. In fact, it’s been reported that 80% of enterprises have a multi-cloud strategy. Understanding and establishing best practices for managing multi-cloud environments enables organizations to enhance security while still achieving desired cost savings and efficiency gains.
What is a Multi-cloud Strategy?
A multi-cloud strategy is one built around deploying two or more private and/or public clouds to distribute assets, software, and applications. Often, it consists of some combination of the following:
- One or more Platform-as-a-Service (PaaS) provider
- One or more Infrastructure-as-a-Service (IaaS) provider
- Software-as-a-Service (SaaS) providers
For example, a multi-cloud strategy might include an Amazon Web Services (AWS) IaaS and Microsoft Azure PaaS deployment with different SaaS applications or developer products used in each.
Why Choose a Multi-cloud Strategy?
While cloud services providers have the same offerings, organizations can choose options based on their unique needs. Additionally, each cloud excels at something different. Business outcomes may not be achieved by only using one provider.
For example, some key reasons companies decide on a multi-cloud strategy include:
Cost optimization
Shifting from on-premises to public cloud can provide savings for business needs such as scalability, resilience, and license portability.
Return on investment (ROI)
Business chooses the right services from each provider to enhance overall value.
Resilience
Multi-cloud can reduce the impact of a single point of failure.
Flexibility
Expand technology stack to enable innovation.
Speed
Organization placing resources in the public cloud enables them to execute against deployed services quickly.
Maintenance
Sharing maintenance responsibilities with cloud services providers reduces IT burdens.
Security
Security responsibility is distributed under the shared security responsibility model.
Application or licensing affinity
Working with known applications like Microsoft databases or DevOps within AWS can drive decisions.
[Recommended Reading: The Road to a Successful, Secure, and Stable Cloud Transformation]
What Are the Security Challenges with a Multi-cloud Strategy?
Every architecture involves a trade-off. Even with the benefits a multi-cloud strategy offers, it still comes with some challenges.
Native/default security controls
Cloud providers often have default or native security controls and configurations built into the initial deployment that threat actors know about. Organizations must be diligent in reviewing and modifying these controls and configurations to address business requirements unique to their environment.
Inconsistencies between cloud service providers
Differences between tiers, applications, and services across cloud service providers leads to inconsistencies from management, cost, operational, and security perspectives.
Misconfigurations
Misconfigurations are a fundamental security issue for most cloud deployment that only becomes more challenging in a multi-cloud environment. Resources are accessible from multiple vectors in their public cloud environments, and threat actors can exploit misconfigurations as part of their attacks.
Insecure APIs
APIs enable data to travel across applications. However, without the appropriate security controls in place, threat actors can use insecure APIs to access the environment or steal sensitive information during transit.
Credential-based attacks
Users access resources with their login ID and passwords. Weak passwords can be an entryway for hackers to gain access to systems and networks.
Data sharing
The cloud enables collaboration, but limiting who can edit, view, and download information can be difficult. This becomes even more challenging when people want to share with third-party contractors since data can be downloaded and forwarded without the organization’s security team realizing it.
Unmanaged assets
The flexibility and scalability of the cloud means IT teams can spin up containers or workloads quickly and easily. However, if the organization is unable to assign responsibility, these assets remain unmanaged and can be exploited without being detected.
Cybersecurity skills gap
Finding a cloud architect with the skills to ensure consistent security across multi-cloud environments can be cost prohibitive because too few cybersecurity professionals are available.
10 Best Practices for Managing Multi-cloud Environments
Managing multi-cloud environments is challenging but not impossible. With the right resources and services to manage the complexity of the multi-cloud environment, organizations can effectively support their cloud initiatives.
Involve appropriate stakeholders
IT and security teams need to collaborate for a successful multi-cloud security strategy. Additionally, business leadership should be included to ensure the deployment addresses business requirements and desired business outcomes.
Set roles and responsibilities
People, processes, and technologies work together to achieve shared security responsibilities. Organizations need a cloud architect to design, implement, and deploy the cloud as well as consistent processes for monitoring, identifying, and responding to threats.
Define a clear strategy that includes security
Organizations should start with a clear strategy with input from all stakeholders and ensure that security is built into it from the beginning. Waiting until the tail end of deployment makes securing the environment more challenging. These processes should incorporate pre- and post-breach responsibilities.
Synchronize security policies
Each vendor has its own set of security policies. Often, the same operations run in multiple clouds to ensure availability. By synchronizing policies and settings, the organization ensures consistency no matter which instance is used.
Set unique security policies for each service
Every workload or application needs to have its own security profile that drives its security policy. Security policies should reflect:
- Business criticality
- Data sensitivity level
- Compliance requirements
Automate security tasks
Automating security reduces human error risk. Automation enables organizations to better monitor:
- Configurations
- User access
- Network traffic
- Vulnerability scanning
Monitor user behavior
User access is a key security control for cloud deployments. Organizations need a baseline understanding of how users interact with resources to identify anomalous activity. Abnormal user activity can be the first indication of an attack, so early detection can prevent malicious actors from maintaining persistence, elevating privileges, and causing damage.
Visibility
Maintaining a robust security posture requires continuous monitoring. With multi-cloud environments, using vendor-supplied tools can lead to blind spots. Having the ability to view and monitor the environment from a single pane of glass enables organizations to aggregate and correlate data from:
- Intrusion detection systems
- Event logs
- Vulnerability scanners
- Containers
- User activity
- Web application firewalls
Establish detection, investigation, and response processes
With visibility, organizations can create appropriate incident response processes. To build out a robust multi-cloud security strategy, organizations need to have:
- Threat hunting capabilities to proactively search for Indicators of Compromise (IoC)
- High-fidelity alerts that correlate events across multiple cloud environments
- Ability to prioritize threats based on exploitability
- Processes for investigating alerts to determine the root cause
- Actionable remediation strategies to contain threats
- Ability to recover systems and networks back to the pre-incident state
Set security compliance controls
Compliance is a business driver. Customers need assurance that the organization is managing security. Additionally, privacy laws often incorporate security, as well. In order to prove compliance, organizations need to map their multi-cloud security strategies to critical compliance requirements, including:
- General Data Protection Regulation (GDPR)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- SOC 2
- Sarbanes-Oxley
[Recommended Reading: A Guide to Successful Cloud Modernization]
Managing Multi-Cloud Security with Alert Logic
Fortra’s Alert Logic delivers protection against advanced and unknown threats both pre and post breach with Managed Detection and Response (MDR). Our platform provides comprehensive security monitoring, detection, and response capabilities. Our security experts provide 24/7 remediation advice tailored to customers’ needs, so they have the people, processes, and technologies needed for a robust multi-cloud security program.
