What Is Multicloud Security?

What is multicloud?

Multicloud (sometimes styled as multi-cloud) is the practice of using multiple cloud services as part of a single organizational infrastructure. This has become quite common in recent years as more and more technology moves out of the data center and as acquisition activity continues to thrive. If one company is largely standardized on Amazon Web Services (AWS) and it acquires another company that primarily uses Microsoft Azure, it might be easier to allow both cloud environments to continue to operate in parallel rather than attempt to migrate a working solution from one cloud service to the other. But this presents the acquiring company with a new problem: how to juggle multiple cloud environments and ensure data is consistent and secure across all of them.

What are the benefits of multicloud?

Multicloud can provide numerous benefits to an organization:

• Flexibility: Different cloud providers have different strengths, and it can be advantageous to leverage various providers according to those strengths. Vendor lock-in, wherein customers feel “trapped” by a single platform and lose the ability to easily comparison shop, has become a major problem in the cloud computing space; a multicloud strategy helps to avoid this problem.
• Reduced risk: Multicloud reduces risks related to service outages. If one cloud provider goes offline, a multicloud infrastructure allows the customer to spin up services on another provider in its stead. In an era where businesses can lose millions during even minor periods of downtime, having this type of security blanket is increasingly essential.

What is the difference between multicloud and hybrid cloud?

Multicloud and hybrid cloud are similar but distinct concepts. While multicloud refers to the use of multiple cloud services in a single environment, hybrid cloud refers to the use of one or more cloud services along with a traditional on-premises data center. While multicloud environments span multiple public cloud services, hybrid cloud systems include both private and public cloud environments. In a case where a hybrid cloud environment includes a private cloud component and multiple public cloud services, the environment can be defined as both hybrid cloud and multicloud.

Practically speaking, the overall security concerns are similar in both hybrid and multicloud environments.

How is security in multicloud environments different than security in on-premises environments?

Securing a multicloud environment is considerably different than securing an on-premises environment. On-premises security is essentially built around control over known resources: The organization has a data center and various endpoints, and the security operations center creates end-to-end protection for each device, its operating system and the applications running on them. Since the cloud is abstracted away from its hardware, security is focused entirely on software components — virtual servers, applications (likely held in containers), and databases among others. Naturally, in a multicloud environment this means managing this type of security on multiple cloud platforms.

Because major cloud providers offer security services as part of their offerings, it can often be easier to manage cloud security as compared to on-premises security. Cloud security is often highly automated, with at least some of the burden handled by the cloud provider, removing some of the load from the end user. And since the user no longer has to worry about physical security issues, the overall effort in securing a cloud environment can be even less. However, in a multicloud environment, these security efforts are compounded in complexity, not just from the raw effort of having to manage multiple platforms but also in managing data flows as they move from one cloud platform to another.

On-premises security is fundamentally very isolating: The enterprise is fully responsible for its own security, without the safety net that a cloud provider may provide. Numerous security tools must be mastered, and they must be continually updated and patched. While cloud environments require the same level of vigilance, many believe that cloud-based tools are easier to master, and that there is more room for error since the cloud provider carries some of the security burden.

Alternately, adherents of on-premises solutions believe that having data closer to home is inherently more secure, and point out rightfully that breaches of cloud services are a regular occurrence. It’s perhaps understandable that some users desire a single point of failure — their own data center — rather than the opacity inherent in a cloud environment (or multiple cloud environments).

In what ways are multicloud environments vulnerable to threats?

Multicloud environments are particularly vulnerable to a number of unique threats driven by inconsistent behavior among different cloud platforms. Specifically, these include:

• Differing access and authentication frameworks: This makes it difficult to ensure user access policies are consistent from one cloud service to another. Users will require multiple accounts on different platforms.
• Lack of a single log or audit trail: This can make it hard to pinpoint vulnerabilities or active attacks.
• Inconsistent configuration processes: IT staff must learn multiple methodologies for setting up security rules.
• Varying vulnerability patching: Weaknesses that are discovered in software installed on cloud platforms are not necessarily patched on the same schedule, leading to inconsistent security policies.
• Limited visibility and observability: Compared to on-premises environments, cloud environments present this challenge. In a multicloud environment, this problem is exacerbated.
• Increasing compliance concerns: A variety of region-specific data governance regulations place restrictions over where and how data can be stored. In a multicloud environment, this becomes especially opaque, opening the organization up to the risk of fines and other penalties.
• Lack of clarity around security responsibility: Confusion over whether the cloud provider is responsible for a certain aspect of security vs. the organization’s responsibility is an enduring issue with cloud platforms. Again, in a multicloud environment, this becomes inherently more complex as multiple relationships must be managed.

What are the challenges around securing multicloud architecture?

As with any new technology discipline, multicloud security isn’t exactly a turnkey solution that can be implemented in an afternoon. Challenges include the following:

• Consistency is difficult to achieve: The goal of establishing a consistent security policy across all cloud services is essential, but achieving it is often easier said than done. There are thousands of cloud service providers, each with wildly varying approaches to security, and there’s no guarantee that a multicloud security tool will have “out of the box” support for every service you work with. Many users may end up having to customize their solution with additional programming effort.
• Staff are scarce: Multicloud monitoring is not a skill in which there tends to be plentiful, available talent on the market. Expect to expend some effort (and funds) to find qualified staff — or be prepared to train internally.
• It’s easy to make mistakes: A multicloud security solution is only as good as the staff who are managing it. Human error remains a distinct possibility (e.g., the tool unintentionally disables encryption across all clouds).
• Multicloud security may not solve data governance issues: If the organization is bound by various privacy regulations that prevent data from being stored in certain locations, a multicloud security product may not be able to take all these concerns into account to prevent a violation of compliance rules.

Inherent to all multicloud operations is the concept that the attack surface increases in size with each additional cloud service added, while the visibility into operations decreases at the same rate. Mitigating both of these challenges is the primary goal of any multicloud security solution.

What are the benefits of multicloud security?

Multicloud security provides fundamental, needed security across your cloud platforms. Additional benefits include:

• Reduced complexity: Without a multicloud security strategy, organizations will be forced to juggle a daunting number of individual tools to manage their many cloud environments — in some complex environments spanning 50 different tools or more. With virtually no integration among them, the management of these various security tools can tax even the savviest of security operators.
• Reduced error rates: If your organization has to manage dozens of different security controls and security tools, the odds of missing an important alert is considerably higher than on a multicloud security solution.
• Easier security integration into the development cycle: Because DevOps teams have access to the security features of all cloud environments in which they might be working, it’s more straightforward to embed a culture of security into application development and deployment. If enabling DevSecOps is your goal, a multicloud security platform is critical.
• Shared responsibility over the security function: When a large number of individual tools must be managed, specialists typically must take ownership over a smaller portion of them, resulting in a fragmented security operations team. Centralized security management means everyone can learn (and master) a smaller number of relevant systems.

What kinds of tools are required for securing multicloud environments?

There are two ways to secure a multicloud environment. You can rely on the security tools provided by each cloud service individually or implement a true multicloud security management tool for orchestration that secures all of these services from a central console. The latter approach is the only truly sustainable option for securing a multicloud environment over the long term.

A multicloud security management tool will include features that:

• Improve visibility into all manner of cloud operations, including virtual server and container operations.
• Allow for policies to be implemented across all cloud environments.
• Monitor all cloud workloads for signs of attack or exploit.

More specifically, Gartner outlines the need for five overlapping tools required to secure multicloud environments, including:

• Infrastructure as code (IaC) scanning: These tools scan IaC configuration files (such as Kubernetes) for vulnerabilities.
• Container scanning: These tools monitor security at the container level.
• Cloud workload protection platforms (CWPPs): These tools are specifically targeted at providing security at the workload level.
• Cloud infrastructure entitlement management (CIEM): These tools manage identity and user access rights across the multicloud environment.
• Cloud security posture management (CSPM): These tools provide continuous monitoring of cloud environments as they scan for misconfiguration and compliance issues.

Gartner notes that more progressive organizations are moving away from protecting cloud-based infrastructure directly and are instead focused on protecting workloads and the applications that run on those workloads, representing a fundamental shift in strategy.

What are multicloud security best practices?

Follow these best practices to ensure you get the most out of your multicloud security initiatives:

• Understand where your responsibilities begin and end: A shared responsibility model is common to all cloud platforms, wherein the cloud vendor bears some of the burden of security and you bear the rest. But these models are not necessarily consistent, nor do cloud vendors’ security tools work the same way. Before starting out with multicloud security in any fashion, it’s critical to understand in depth how these standard tools work as well as where they begin and end.
• Develop policies built around consistency: One goal of multicloud security is to make your security programs consistent regardless of the platform. Leverage your multicloud security system to establish security rules that are as identical as possible, synchronized across all your cloud platforms.
• Leverage automation: One of the major benefits of a multicloud security system is that it includes tools to help automate common security operations, such as regular vulnerability and malware scans. This not only saves time for your security operations team, it reduces the incidence of human error. Automated tools can be used to generate alerts when security breaches are detected and even automate repairs as necessary.
• Centralize management: Another major benefit of multicloud security is its ability to provide all of the above features through a single pane of glass, a centralized dashboard that manages all the heavy lifting of integration and policy management behind the scenes. With a centralized dashboard, security operators can access a holistic view of security across their entire cloud infrastructure.

How do you get started with multicloud security?

To get started with multicloud security, it’s first important to understand standard cloud security use cases — by mastering the security tools provided by cloud providers directly. As noted, these tools are designed to secure only a single cloud platform, but they do serve as a foundational basis for understanding the particular needs of cloud security platforms in general.

From there, some general advice on getting started includes:

• Work toward standardizing workflows across all your cloud platforms: This will help streamline operations and make for a more consistent operating environment down the line.
• Establish policies around data governance, compliance and continuity: These policies will be essential elements of your framework as you begin migrating security management to the multicloud platform.
• Consolidate where possible: If you don’t have a business need to run services on multiple clouds, consider consolidating them to simplify your multicloud environment.
• Make security part of your organization’s DNA: Too many organizations approach multicloud security as an afterthought, a way to play catch-up and secure an environment that hasn’t been sufficiently locked down to date.

The future of the cloud is multicloud deployments (or perhaps hybrid cloud) as part of a greater digital transformation strategy, so the future of cloud security is multicloud security. As with any public-facing technology, attack surfaces are growing in size and attacks are increasingly sophisticated. Organizations with complex cloud infrastructures have no choice but to use multicloud security in order to protect them effectively.

It is critical to secure your varied cloud environments in a unified fashion. Unfortunately that is more difficult than ever; standards still do not exist, nor are they likely to emerge, as the major cloud providers show no sign of cooperating on this front. A solid multicloud security tool lets your security team fill in the gaps that cloud providers have created, allowing you to much more easily investigate problems, monitor service status, detect threats and remediate issues as they arise.