Multi-cloud security represents a challenge to any business, with companies typically adopting five-to-six different clouds within the organization. Internal and external security expertise is essential to identify and secure all applications and data, as services continue to decouple from hardware to containers and other platforms that create value but add complexity for CISOs.
The aim for any business is to ensure that software security is defined at the application level, wrapped by policies around containers, clouds and virtual machines. With the cloud comes automation, providing ways to reduce the workload for leaders and IT security practitioners.
Here are four common security challenges that those managing and operating multi-cloud environments face, and the best practices to address them.
1. Authentication and authorization challenges
From day one of operations, a key part of the IT security team’s challenge is to ensure that only valid users and admins have access to the appropriate parts of the multi-cloud. Keeping out unnecessary users reduces the risk to the business and limits the complexity. Using identity and access management (IAM) solutions helps address these issues.
Having limited access to multi-cloud services and enabling multi-factor authentication (MFA), perhaps as part of an identity as a service (IDaaS) to ensure that it’s tougher for someone who has come across login details (either accidentally or maliciously) will prevent unnecessary users from accessing any services. IDaaS can also use biometrics for access on corporate or personal mobile devices.
When adopting these services, ensure they’re compatible across all the cloud services you use, and plan to deploy to keep complexity to a minimum. Regularly audit user lists and remove dead accounts and monitor logs or dashboards for unusual attempts at access.
2. Managing the increased attack surface of multi-cloud
Many businesses started out with a simple understanding of their on-premises threats and the tools to defend against them. Multi-cloud creates a widely expanded footprint that creates new risks and requires new solutions to protect the business.
The major part of this challenge comes from the way that each cloud or SaaS provider supports or handles their part of the security system. CISOs need to understand the spreading complexity to identify and evaluate risk, establish what products the service provides, and what the business needs to deploy to defend against the multi-cloud risks.
Securing each element of the combined attack surface across all clouds is essential, but must be done in a joined-up way to avoid fragmentation and simplify monitoring of the various dashboards and logs to detect threats.
3. Securing the control plane, services and storage
As cloud environments grow, the control plane provides services and devices with information about that environment, creating a key source of data that needs protection. As businesses adopt a multi-cloud strategy, they can deploy on a variety of management platforms to govern and defend the control plane. This is done through policies and services to provide control plane, endpoint and network security.
Cloud security posture management (CSPM) helps automate management of multi-cloud infrastructures, covering services, connections, applications and storage. They provide automated checks for service misconfigurations which can lead to breaches.
These tools can’t create an impenetrable border around the operating environment. Instead, security policies and rules should be applied as close as practical to the data and the application within the cloud or workload and as data crosses internal and external systems, decoupled from the old notion of services protecting specific hardware.
4. Ensuring data protection and privacy
These services along with tools like cloud access security brokers (CASB) can provide a layered approach to defending data across any multi-cloud system. The cloud also provides a way for companies to distribute workloads across several instances. This can minimize the impact of one cloud being compromised or failing, while multiple cloud services can also be used to backup data to prevent data loss.
When it comes to privacy, the same rules that apply to any cloud solution apply to multi-cloud. Deloitte’s recent report, “Data privacy in the cloud” cites a range of issues that companies face. Firms need to understand and comply with various jurisdictional privacy laws, and how cloud providers will protect your data through encryption and management strategies. Understanding these and creating in-house privacy rules to complement them will support a multi-layer approach to data protection and privacy.
Across the multi-cloud, CISOs and IT security teams need to identify gaps in the current security layout and provide tools that fill in the gaps, either internally or externally. As the cloud footprint continues to expand, these tools need to account for new services or instances, containers and other use cases.
This is also true as firms merge or acquire other businesses and take control of their services. All of which means the job will never be complete, but the team needs to build an adaptable and robust solution to manage these and other changes.
- 12 Best Practices to Maintain Cloud Security
- Why Your Multi-Cloud Strategy is in Urgent Need of a Makeover
- Multi-Cloud vs Hybrid Cloud: Which Do You Need in Your IT Strategy?
- How the Hybrid Cloud is a Game Changer for Security
Join the conversation...