When an organization moves even a few workloads to the cloud, it changes everything – the way you access, pay for, store, and secure your resources. But most companies today have moved past that initial dip into the cloud and now embrace the popular multi-cloud model.
The multi-cloud approach has gained in appeal because it lets organizations choose the cloud platform or service that best suits each workload and project, rather than being tied to one vendor.
At the same time, however, multi-cloud environments introduce plenty of complexity.
“Moving to the cloud is hard, and multiple clouds is harder because the language between clouds isn’t standardized,” said Scott Fanning, a senior director at cybersecurity firm CrowdStrike. “But when you add the complexity of understanding how adversaries will take advantage of misconfigurations and identity, you realize that you’re dealing with a very challenging environment.”
It all comes down to data, that valuable resource that companies depend on and adversaries prey on. A recent Forrester report backs this up. The report found that heterogeneous multi-cloud environments exacerbate data security issues. In addition, Forrester said, the most critical internal challenges to cloud security included the complexity of multi-cloud environments and differences in operational and security controls among public cloud providers.
That’s why Todd Moore, vice president of data protection solutions for Thales, recommends a three-pronged “digital sovereignty” approach to data protection in the cloud:
- Data sovereignty: maintaining control of your data no matter where it is
- Operational sovereignty: knowing specifically where your data goes once it is in the cloud
- Software sovereignty: writing software that will work seamlessly in any cloud environment, regardless of provider
Mistakes That Lead to Multi-cloud Security Challenges
With the complexity and confusion surrounding multi-cloud security, it’s unsurprising that companies get so much wrong. Here are five serious errors that organizations can make about multi-cloud security, as well as advice for how to fix them.
1. You don’t understand the differences between on-premises security and multi-cloud security
In an on-premises environment, it’s relatively simple to keep track of where data resides and ensure that it’s protected. However, when multiple cloud providers are involved, tracking data and ensuring its security is more challenging.
That’s especially true when companies rely on subcontractors – third parties that might run the multi-cloud environment for them. Instead of simply trusting those external providers, organizations should take control by adding their own security controls on top of the stack. “You have to continue to monitor, protect, and manage over time,” Moore said. “It’s definitely not a ‘set it and forget it’ situation.”
It’s also common for cloud-based software providers to focus mainly on the upper layers of the OSI stack, specifically the application layer, and to gloss over the cloud’s identity and access management (IAM) plane, which governs user accounts and access to applications in the cloud. Yet that layer is incredibly important in cloud environments and shouldn’t be overlooked, said Lefteris Skoutaris, a program manager for the Cloud Security Alliance (CSA).
2. You believe that all responsibility for security falls on cloud providers
This is simply not true. It’s a partnership, albeit one that can differ depending on the cloud provider and the agreement the parties have.
The partnership, called the shared responsibility model, defines the split. Typically, the cloud provider is responsible for the security of the cloud itself: the physical facilities, hardware, network, and the software that runs the infrastructure, storage, platform, or application it offers. The customer is responsible for securing what it puts in that cloud: data, code, identities, and the configuration of the services it uses. Exactly where the line falls depends on the service model. On IaaS the customer also owns guest operating system patching, network controls, and host-level hardening; on SaaS the customer’s share shrinks to data, identities, and application settings.
3. You assume that every cloud provider defines shared responsibility the same way
The shared responsibility model is often not well understood. The confusion is likely due in part to unfamiliarity with the concept, as well as the fact that different cloud providers define their security roles, and those of their customers, differently.
For example, while both the AWS and Microsoft Azure models make the provider responsible for the security of the hardware, software, and physical facilities hosting its services, each describes customer responsibilities differently. With AWS, customers are responsible for configuring the cloud services, choosing the AWS security settings they want, and monitoring that security. Azure’s shared responsibility model makes customers responsible for everything they build or use within that infrastructure, including data, endpoints, accounts, and access management.
Organizations can better manage security across different cloud environments by centralizing management and policies, Moore said. For companies that do their own software development, an orchestration and automation tool like HashiCorp Terraform or Ansible can ensure that the scripts they write will translate to different environments. These tools use an abstraction layer to help organizations deal with the different interfaces, which means they don’t have to be an expert for each cloud, Moore added.
4. You expect that everyone will do their part in the shared responsibility model
Here’s a startling fact: Nearly all cloud security failures today are the customer’s fault, according to Gartner. With a statement like that, it’s clear that customers aren’t always pulling their weight.
Yet providers can fall short as well. In either case, the implications are far from trivial. Misconfigured cloud services, for example, can lead to identity and access management issues, which in turn can result in data loss, the introduction of malware, failed audits, and even exposure and compromise of the underlying infrastructure. If any of those security problems occur, “don’t be surprised if an adversary takes advantage of the gaps, because they will see them,” CrowdStrike’s Fanning said.
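Fanning’s point that “the language between clouds isn’t standardized” and the misconfiguration risk described above are easier to see in code. The following is an added example, not code from the article or from any of the vendors quoted in it: it normalizes a constructed AWS IAM policy document and a constructed Azure custom role definition into one grant shape, then flags allow-grants that pair wildcard actions with account- or subscription-wide scope, the pattern behind most “accidental admin” findings. The sample documents, the “admin-equivalent” and “service-wide” labels, and the broad-scope heuristic are assumptions for illustration; a real scan would also walk role assignments, resource policies, permission boundaries, and conditions, which this example omits.

```python
"""Added illustration (not from the article): normalise AWS IAM policy documents
and Azure RBAC role definitions into one grant schema, then flag over-broad
grants.  Every sample document below is constructed for this example."""
import json

# Constructed sample: an AWS identity policy mixing a scoped grant, a
# service-wide wildcard, a full-admin statement, and a Deny.
AWS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-logs/*"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::app-logs"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})

# Constructed sample: the same policy reduced to its single scoped statement.
AWS_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::app-logs/*"}],
})

# Constructed sample: an Azure custom role assignable at subscription scope.
AZURE_ROLE = json.dumps({
    "Name": "App Operator", "IsCustom": True,
    "Actions": ["Microsoft.Storage/storageAccounts/read", "*"],
    "NotActions": ["Microsoft.Authorization/*/Delete"],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
})


def _as_list(value):
    """AWS allows a string or a list in Statement/Action/Resource; use lists."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def normalise(provider, document):
    """Map a provider-specific document into [{provider, effect, actions, scopes}]."""
    doc = json.loads(document)
    if provider == "aws":
        return [{"provider": "aws",
                 "effect": stmt.get("Effect", "Deny").lower(),
                 "actions": _as_list(stmt.get("Action")),
                 "scopes": _as_list(stmt.get("Resource"))}
                for stmt in _as_list(doc.get("Statement"))]
    if provider == "azure":
        # A role definition only grants.  NotActions subtract from Actions but
        # carry no Deny semantics, so the whole role is one allow grant.
        return [{"provider": "azure", "effect": "allow",
                 "actions": doc.get("Actions", []),
                 "scopes": doc.get("AssignableScopes", [])}]
    raise ValueError(f"unsupported provider: {provider}")


def action_is_wildcard(action):
    """True for '*' and for service-wide wildcards ('s3:*', 'Microsoft.Storage/*')."""
    return action == "*" or action.endswith(":*") or action.endswith("/*")


def scope_is_broad(scope):
    """AWS: the bare '*'.  Azure: tenant root, a management group, or a whole
    subscription (anything not narrowed to a resource group or resource).
    The heuristic is an assumption made for this example."""
    if scope in ("*", "/"):
        return True
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return True
    return scope.startswith("/subscriptions/") and "/resourceGroups/" not in scope


def audit(provider, document):
    """Return findings for allow-grants whose actions are wildcarded; rate them
    'admin-equivalent' when the scope is broad too, else 'service-wide'."""
    findings = []
    for grant in normalise(provider, document):
        if grant["effect"] != "allow":
            continue
        wild = [a for a in grant["actions"] if action_is_wildcard(a)]
        broad = [s for s in grant["scopes"] if scope_is_broad(s)]
        if wild and broad:
            findings.append({"provider": provider, "severity": "admin-equivalent",
                             "actions": wild, "scopes": broad})
        elif wild:
            findings.append({"provider": provider, "severity": "service-wide",
                             "actions": wild, "scopes": grant["scopes"]})
    return findings


if __name__ == "__main__":
    for prov, doc in (("aws", AWS_POLICY), ("aws", AWS_SCOPED_POLICY),
                      ("azure", AZURE_ROLE)):
        for f in audit(prov, doc):
            print(f"[{f['severity']}] {prov}: actions={f['actions']} scopes={f['scopes']}")
```

The common schema lets one rule run across both providers, but the normalisation step is where the cloud-specific knowledge lives: AWS evaluates explicit Deny statements while Azure role definitions have only NotActions, and an AWS Resource ARN and an Azure AssignableScope express “how wide” in completely different ways. That is the part no abstraction layer removes the need to understand.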
Many companies use vetted control specifications that spell out the required security controls for managing risk in the cloud. Some also adopt a framework that embeds the shared security responsibility model in its cloud controls, such as CSA’s Cloud Controls Matrix (CCM) v4 and the STAR certification program.
5. You think you don’t need additional security tools
Even if your company’s set of security tools worked flawlessly for you in an on-premises world, they may not be enough in the world of multi-cloud.
Additional tools that can help include the following:
- tools to centrally manage, enforce, and audit cloud workloads;
- privileged access management software;
- key management technology to process, manage, and store keys for decrypting and accessing protected information;
- cloud security posture management tools that provide centralized visibility into cloud configurations and flag drift from policy, along with the data access management and security controls that protect data across software-as-a-service applications; and
- centralized cloud authentication and access management.
What misconceptions about the cloud will cause unnecessary multi-cloud security challenges? Tell us in the comments below!
About the author: Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.