The broad adoption of public cloud has exploded over the last few years. This is primarily driven by the need to increase flexibility for organizations, such as the abilities to deploy software remotely, bring new environments online more quickly, and have them more accessible in public cloud environments (such as AWS, Microsoft Azure, and Google Cloud Platform).
When it comes to multi-cloud adoption, it is often the natural result of your current cloud journey. As your organization adapts, grows, and business requirements change, adoption of more than one public cloud may simply be what is necessary to help you reach the performance, scale, redundancy, and reliability goals of your cloud environment.
This guide will help you:
- Understand the drivers for multi-cloud adoption
- Identify and address the key challenges you may encounter
- Address the best practices for adopting and implementing a multi-cloud strategy
- Be aware of key security considerations that will impact multi-cloud adoption
Drivers for Multi-Cloud
There are three primary drivers for multi-cloud adoption for midsize businesses:
- Cost optimization: The reality of mid-sized organizations is they are likely already leveraging multiple cloud vendors to support different parts of the business (e.g. Active Directory for IT, O365 for remote working, AWS for DevOps teams). Multi-cloud strategy can be the fastest, least resistant path without major impacts to budget. Cost-savings benefits can be seen when shifting from on-prem to public cloud or hybrid infrastructure to address needs for resiliency, space, and backup, in addition to the benefits of scalability and ease of deployment in public clouds.
- Application or licensing affinity: It is no surprise that people are comfortable with the types of applications with which they typically work. Some work better within specific public cloud environments (e.g. Microsoft for database users and AWS for DevOps). This familiarity drives companies to move to multi-cloud. Additionally, license portability plays a factor as they evaluate cost vs. refactoring, looking to find a solution that is most cost effective.
- Delivery model adaptation: Organizations looking to scale may need to adjust their delivery model to accommodate the growth they are anticipating. This requires organizations to revamp their security to align with new and/or adopting shared responsibilities.
92% of enterprise respondents indicate they have adopted or will adopt a multi-cloud strategy*
55% of workloads are expected to be in a public cloud in the next 12 months*
Challenges of Multi-Cloud
Securing it: There are two primary reasons for this challenge:
- Often, security gets bolted on at the end.
- The assumption that native security controls for point products and tools are sufficient. In reality, they lack the underlying security coverage needed to operate and manage the entire environment safely and securely.
Inconsistencies between cloud service providers (CSP): Each CSP has its own distinct set of tiers and requires a contract. The differences between the tiers, applications, and services for each can contribute to inconsistency across all CSPs from a management, cost, and operational perspective.
You may be multi-cloud already and not even know it: Operating with a remote workforce results in a heavy use of cloud applications to enable employees to get their jobs done. It also means they’re likely using several unsanctioned cloud applications. Additionally, it could mean that project teams are adopting cloud services without notifying necessary stakeholders, driving a multi-cloud approach without a strategy in place to establish guidelines and controls.
Skills shortages: Identifying and maintaining the right talent and skillset is no easy task. Having a cloud architect’s perspective on the design, implementation, and deployment of your cloud is ideal but can be costly and in high demand.
“Overall, 81 percent indicate that security is a challenge, followed by 79 percent for managing cloud spend and 75 percent each for governance, lack of resources/ expertise and compliance.”
2021 Flexera State of the Cloud Report
Before you get too far, these must-haves should be completed early in the process:
Define a clear strategy: The omission of a strategy is a deal-breaker for multi-cloud adoption which is quite an undertaking and can quickly
Don’t forget about security: 81% indicate security is one of their top challenges.* Unfortunately, security continues to be brought in at the tail end of deployment and too late into conversation — contributing to hurdles (project delays, costly add-ons, and vulnerabilities) as additional public clouds are adopted. Organizations do not have the luxury to ignore security anymore. As ransomware attacks increase, cybercriminals become more sophisticated and a more remote workforce requires organizations to make security a top priority.
Understand the drivers: While every organization is different, the drivers across midsize organizations have similarities. These drivers may impact the business objectives, the strategy defined, and the cloud provider that ultimately gets adopted. As such, being clear on the drivers can help organizations focus attention on achieving their objectives to deliver desired outcomes.
Involve the appropriate stakeholders: Adopting multi-cloud is not purely an IT or security decision alone. There are dependencies between the two groups that will directly impact the ability to successfully (or unsuccessfully) deploy your multi-cloud environment. Engaging multiple stakeholders ensures you address the business requirements and desired business outcomes that drive your organization.
2 Minute Cloud Security Assessment
Answer a few of short questions to understand your cloud security gaps and identify what is needed to move forward.
Best Practices for Secure Multi-Cloud Adoption
Follow these set of principles to ensure your strategy and approach are secure.
Prioritizing Security: This has been mentioned several times, but it requires repeating: security MUST be central to the design of your strategy for multi-cloud. It is the single most critical element with the potential to impact every aspect of your multi-cloud adoption — from cost and resources to execution timelines and long-term sustainability of your cloud environment.
Addressing pre- and post-breach security: Most organizations adequately address pre-breach security, but they tend to de-emphasize post-breach security.
- Pre-breach is focused on having visibility to and an understanding of what is happening in your environment, then building on it to harden your posture and minimize risk. Vulnerabilities do not always happen in the places you would expect. The ability to scan across the environment to identify vulnerabilities is imperative. Most often, pre-breach compromises are attributed to human error and/or oversight (such as a misconfiguration or lack of appropriate access controls in place).
- Post-breach is focused on reducing the amount of time that a breach is successful to minimize its impact. It is a sobering fact that your preventative technologies will fail at some point, especially if you’re dealing with unknown threats. You cannot stop what you do not know.
For 40% of organizations, lack of visibility is one of their biggest cloud security concerns.** To effectively address it, you need a single pane of glass view of your entire environment. Additionally, visibility should extend to discovery, as well. You cannot protect what you cannot see. Visibility should include the ability to perform vulnerability scanning, and asset and workload discovery, regardless of IS platform. Ideally, this should be done via a consolidated view.
The reality is that most providers lack the ability to view and monitor your environment in one place. Fortunately, Alert Logic Managed Detection and Response (MDR) enables you to pull logs, data, and activity across public and hybrid environments. With a comprehensive view of threat activity, Alert Logic MDR provides 24/7 security monitoring and dedicated security experts to help prioritize where you and your team focus your attention when it comes to security threats.
Securing Known and Unknown Threats
Known threats are predictable because you can implement preventative measures to minimize the potential for a breach such as proper configurations, patching, and known ransomware. Unknown threats require threat intelligence and research to proactively gather insights on the threat behavior, understand what is happening with other companies, and create an analytic rule to detect against this. It allows you to hunt for this behavior and scan to minimize post-breach impact if/when the vulnerability is exploited.
The reality is most vendors can address known threats; it is more complex to address the unknown threats. Security Operations Center (SOC) teams (such as those offered by Alert Logic) conduct data analysis and threat hunting to proactively warn customers with recommendations on how to respond and offer remediation steps to address these unknown threats.
Maintaining Controls & Processes
In any cloud environment, maintaining visibility (to network, log, configuration, vulnerability) across all applicable environments is a must. Establishing and implementing controls in the environment is also crucial. However, consistently monitoring adherence to those policies, such identifying when workarounds are attempted and/or successfully executed, is equally important.
Beyond the best practices, there are several key considerations you should keep in mind as you build your multi-cloud strategy. Each represents critical elements that should be known and incorporated into your strategy.
Shared Security Responsibilities: When it comes to the shared security responsibility model, the obligations between cloud provider and organization are clearly defined. And when working in one cloud environment, it is clear how to manage your responsibilities. What becomes challenging, however, is ensuring effectiveness in a second or third cloud environment. An organization’s confidence of SSRM for different cloud services may differ. As a result, consider:
- The impact of adopting a new delivery model — you may need to adapt your approach to each public cloud provider accordingly
- The maturity levels for each public cloud provider
- Building your in-house expertise through a cloud architect or dedicated training
- Leveraging a third-party service to assist with ensuring adherence to shared responsibility requirements
More Tools Do Not Equal Easier or Better
It should come as no surprise, there are many tools when it comes to multi-cloud. For example, each public cloud vendor has a portfolio of tools. There are also many on the market designed for specific functions and capabilities but require strong effort to get the same level of information and insights across all of them. More tools translate to more raw data and if you cannot interpret and act on that data, then you have not addressed your original problem. Consider a single tool or service that can give you visibility across the entire IT estate for a more comprehensive view of your environment, including visibility to public and private clouds, applications, even endpoints along with actionable insights.
If you’re like the 62% of organizations using native cloud provider security tools** to provide coverage, it is important to recognize these tools may not be sufficient. While they are designed to provide security for their respective environments, that coverage does not always extend to other public cloud providers. If your strategy is to build a multi-cloud environment, you will need to incorporate other services and/or tool to close the gap.
Role of People & Processes
It should come as no surprise that people, process, and tools are the trifecta elements to tackle any cloud environment. Each plays a critical role in ensuring the security of your enterprise. We have already explored tools, now let’s dive into people and process.
People: Identifying and maintaining the right talent and skill set is no easy task. Having a cloud architect’s perspective on the design, implementation, and deployment of your cloud is ideal but can be costly since they are in high demand. Be realistic about your ability to operate and manage at the skill and process levels required for your environment.
Additionally, you will need to take the people element one step further and consider if you have the proper resources to maintain and can get the most out of it. Your processes and controls will help, but you need resources to monitor, identify, and respond to threats that may affect your environment, as well. This is an additional skillset that may not exist with your existing resources. Third-party services and expertise are a great option to fill this gap. Providers ranging from EDR, XDR, and MDR are plentiful. When considering what service is ideal, consider a provider that can check all the boxes of your multi-cloud strategy (such as pre- and post-breach coverage, or a single tool platform to help reduce the burden of secured shared responsibility, etc).
Process: Security is rising to the top as a priority and mandatory element of how organizations build their cloud and IT processes. For some organizations, security teams are getting more involved with IT, and as a result the traditional roles and interactions are transforming.
When security and IT teams work more closely together, teams are better informed on processes such as patching schedules, DevOp cycles, and processing of employee separation — enabling more streamlined collaboration between teams. In many cases, security teams now have a seat at the table when it comes to influencing traditional IT processes and areas of ownership. As a result, changes are made to processes to incorporate aspects such as security. Checks and balances are then integrated to ensure avoidable mistakes are not overlooked (such as misconfigurations, granting too much access, not performing regular patching, etc).
Do NOT Do It Alone
Some mid-sized organizations are mature in one public cloud environment and can effectively execute in that environment (have the skillsets, staff, resources, and budget). However, they are not skilled or mature in a second public cloud. For these organizations, it is important to evaluate if you have the resources to internally build the skillset required to learn the different services offered by various public cloud providers.
Consider how long it will take and how much expertise those resources can reasonably acquire in that time frame. It may make more sense to partner with a provider that can cover the shifts and leverage the collective expertise to manage and maintain that environment’s complexities. If the latter makes more sense for your organization, Alert Logic can help. You do not have to build an in-house team of experts. Leverage Alert Logic’s team of cloud and security experts to gain 24/7 threat detection and response across your entire multi-cloud environment.
Rely On Alert Logic
As the industry’s first SaaS enablement managed, detection, and response (MDR) provider, Alert Logic has unparalleled coverage for any environment — protecting your most critical assets with purpose-built technology and security expertise, to strengthen your security posture.
* 2021 Flexera State of the Cloud
** ISC2 2021 Cloud Security Report
*** Flexera 2020 State of the Cloud Report
+ ESG Research, “Select Multi-Cloud Related Research Findings”, Doug Cahill, August 2021
++ Source: 2021 Ponemon Cost of a Data Breach Report