Enterprise IT has embraced the multi-cloud model, with surveys showing that nearly all organisations now use multiple cloud providers as well as numerous cloud-based solutions.
Indeed, analyst firm IDC expects more than 90 per cent of enterprises worldwide to have multiple public clouds by 2022. The 2020 State of the Cloud Report from Flexera, a provider of IT management solutions, found that 93 per cent of enterprises have a multi-cloud strategy - up from 81 per cent two years ago - with respondents now using an average of 2.2 public clouds and 2.2 private clouds.
But the expanding mix of public and private clouds as well as software-as-a-service applications within the typical enterprise has also given rise to growing security concerns. Some 83 per cent of enterprises surveyed by Flexera listed security as a challenge - ahead of concerns about managing cloud spend (listed by 82 per cent) and governance (cited by 79 per cent).
“The challenge that multi-cloud presents to security teams continues to grow. The number of services that are being released, the new ways of interacting, the interconnecting of services and systems, all of that continues to advance and all of these add new complexities into the enterprise security model,” says Randy Armknecht, a managing director and the emerging technologies and global cloud practice leader at consulting firm Protiviti.
The high level of concern over securing the multi-cloud environment is not surprising, as CISOs have seen the scope of what they must protect move from the infrastructure confined within the enterprise to a mesh of compute resources spread across various vendors offering differing levels of both services and security assurances.
This vast and boundless environment creates a larger surface for malware attacks, data breaches, compliance/regulatory violations and resiliency issues. It is because of this added complexity that multi-cloud is becoming an attack vector, says Sai Gadia, a partner in KPMG’s Technology Risk practice. “And if there is any loophole in your classic people, process or technology, then bad actors are looking to exploit that.”
The typical enterprise IT infrastructure and solutions stack today includes not only public and private cloud deployments but also an average of 288 different SaaS offerings, according to the 2020 SaaS Trends report from tech vendor Blissfully. That’s in addition to legacy technologies in many cases, too.
These various elements have different security requirements as well as different levels and types of built-in security capabilities. Different cloud providers have different tools, they often use different terms for the same class of tools, and they have differing positions on their security responsibilities.
All this leaves CISOs having to stitch together a cohesive whole that documents whether the cloud-provided security features are adequate, whether more security is needed, and where and what additional security measures are warranted.
“Cloud was supposed to make our lives simpler, and in a lot of ways it does; it provides a lot of benefits. But from a security perspective it adds a lot of complexity because there’s so much to do,” says Garrett Bekker, senior research analyst in the information security channel at 451 Research, a part of S&P Global Market Intelligence.
Respondents to the 2020 Cloud Threat Report survey from Oracle and KPMG cited complexity as a significant challenge, with 70 per cent of respondents saying that too many specialised tools are required to secure their public cloud footprints and 78 per cent highlighting the need for varying security policies and procedures between their cloud-resident and on-premises applications.
This has led to the rise of another familiar enemy of security: lack of visibility.
“How do you take all the disparate information you’re getting from the different providers and formulate a single management perspective?” asks Ed Moyle, founding partner of Security Curve and lead developer of Managing Security Impacts in a Multicloud Environment from the IT governance association ISACA.
The visibility challenge is multilayer, says Kathy Wang, CISO at Very Good Security and a recognised security thought leader. For example, some enterprise security teams don’t have insight into all the organisation’s cloud deployments (particularly when factoring in SaaS offerings bought directly by business units).
Even when they do, many struggle with monitoring all of the various cloud deployments to detect issues. And others struggle with compiling and understanding all the data from incident management tools.
Developing a strategy
Devising a multi-cloud security strategy starts with identifying all the clouds used by the enterprise, ensuring that the enterprise has a robust data governance program to guide cloud-related security decisions, and deploying the right tools in the right places to assert the appropriate levels of controls.
“The enterprise must align its tools, processes, monitoring capabilities, operational mindset and numerous other elements of its security plan to consider that multiple providers are in play,” says ISACA in its Managing Security Impacts in a Multicloud Environment paper.
Gadia says CISOs are moving in that direction, noting that the Oracle-KPMG survey shows that organisations have more cloud security architects than security architects. Still, Gadia says many security teams have further to go in adding staff who have all the skills needed to create a secure cloud architecture.
Following are three key steps to stronger multi-cloud security.
Mind your apps and data:
The importance of application security in a multi-cloud environment can’t be overstated. “Now, more than ever, having a robust and solid approach to hardening and securing applications is fundamental,” says Ramsés Gallego, international director for security, risk and governance at Micro Focus and an ambassador for ISACA’s Barcelona chapter. This means not only ensuring that code is bug-free but also that any libraries the applications use are updated and have no vulnerabilities, he says.
Gallego adds that “data management, data minimisation and, most importantly, data anonymisation and encryption are fundamental pillars of the ‘cathedral’ that companies want to build. As in civil engineering, the foundations have to be rock-solid and as some regulations indicate, it is imperative that the proper strategy for data masking and data hiding is chosen (tokenisation, encryption, etc.).”
Employ the right tools:
Assembling the appropriate mix of tools and technologies for each organisation's unique mix of cloud solutions takes work, Wang says, given the variations of security features embedded in different cloud offerings. CISOs are thus forced to determine in granular detail which solutions work where and to select solutions that can span across their cloud environment to create a single pane of glass into the security scene.
As such, experts cite the need for technologies such as cloud access security brokers (CASBs), software that the enterprise places between itself and cloud service providers to consolidate and enforce security measures such as authentication, credential mapping, device profiling, encryption and malware detection.
Experts also recommend cloud security posture management (CSPM), a newer technology that assesses an enterprise cloud environment against its security requirements to enforce continuous compliance of cloud configurations.
“CASBs are still relevant but very much focused on SaaS, whereas CSPM is more broadly focused on all cloud service models (IaaS, PaaS, SaaS),” says Juan Perez-Etchegoyen, a researcher and co-chair of the ERP Security Working Group at the nonprofit trade organisation Cloud Security Alliance (CSA).
Bake security in:
Security leaders also advise CISOs to adopt zero trust and move toward implementing the technologies that support the zero trust security model - a model that assumes connections are untrustworthy unless and until they can prove themselves as trusted.
“In a zero trust security model, the security of cloud assets does not hinge on trusting users and devices within the extended network; instead zero trust hinges on least-privilege/access on a need-to-know basis only,” says Gadia. “Every user and device is verified before being granted access to resources in the cloud environment - across all the services, cloud providers and platforms being used.”
Moyle says this mindset shift to seeing everything as untrustworthy until verified helps security teams protect the enterprise against both sanctioned cloud deployments and shadow IT as well as cloud providers whose own embedded security isn’t as robust as the organisation requires.
“This isn’t to say that these other providers don’t have good security - they absolutely could - it’s just that you’re assuming the environment is hostile and so design for that,” Moyle says.
Lastly, according to experts, CISOs looking to improve the security posture of their multi-cloud environment also need to ensure they have processes in place to support their security standards, completing the traditional people-process-technology approach that has long dominated security.
This requires collaboration between all the stakeholders within the enterprise to balance business needs, security objectives and compliance obligations.
“There needs to be a higher-level strategic conversation on how we do risk management for the cloud and how does the nature of cloud development within our organisation affect how we make risk decisions with technology,” says Fernando Montenegro, a principal research analyst on the information security team at 451 Research, noting that he sees more CISOs and their teams working collaboratively with developers and other stakeholders earlier in project cycles to ensure security is considered from the start.