Multicloud Security: Challenges and Solutions
The more clouds you use, the more security risks your business can face. Here’s what to look out for, and how to stay safe.
Picture an energy utility spread across a major urban center, servicing millions of people. Employees and contractors require 24/7 access to cloud desktops and networks for all aspects of customer service, finances, transportation, and materials. Others use handheld Internet of Things (IoT) devices in the field. Overnight, a hurricane takes out a few of the city’s major transformers, causing blackouts across a vital urban center. This issue is unfortunately becoming more common. In 2020, Hurricane Delta knocked out power throughout Louisiana, affecting hundreds of thousands of consumers. Ida, an even more powerful hurricane, struck the next year. It caused service outages across eight states, disrupting about 1.2 million customers.
Natural disasters are not the only threat to a cloud’s infrastructure. Cybercriminals are a constant danger because they know the rewards can be so great. The Identity Theft Resource Center states that publicly reported data breaches in 2021 were markedly higher than the previous year, and some of the breaches affected hundreds of millions of users.
Facebook was hacked in April of 2021, leading to the leak of 533 million global Facebook users’ personal data. Ransomware attacks were up more than 100% from 2021’s numbers, and encrypted threats were even higher (167%), according to SonicWall. The sophisticated supply chain malware attack on SolarWinds, a global provider of IT monitoring products, compromised data of tens of thousands of clients, including governments.
Microsoft’s LinkedIn fell victim in June 2021, losing 700 million users’ personal data, which was sold on a dark web site. Microsoft claimed there was no security breach – rather, the criminals abused the Application Programming Interface (API) to scrape data. (An API is the interface that allows two applications to request and respond to each other.)
While these risks are present when using one cloud, they multiply when using multiple clouds.
Growing use of multicloud
The move to multicloud infrastructure—whether by online specialty stores, public utilities, or global development banks—seems inevitable across all industries. During a Protocol interview, David Linthicum, chief cloud strategy officer at Deloitte, stated that the shift often happens as business needs change. “People just morph and evolve into it. They had the idea that they’ll leverage a single cloud provider three or four years ago, and now we’re at the notion of leveraging the best AI technology, the best analytics technology, the best databases, things like that.”
Suppose your enterprise is shifting from single cloud storage to a multicloud option. This can encompass public, private, or edge clouds for applications and other services. (Another option is hybrid cloud, which combines public or private cloud architecture and on-premises IT servers.) Partnering with multiple cloud providers allows you to customize based on your needs, avoiding lock-in with a service that has strengths in some areas but not others. You retain the expertise of cloud-based security, but that security, spread among different providers, can be harder to manage.
The largest cloud providers offer multiple, scalable packages. The security features of Amazon’s AWS can help manage military data, government records, or high-volume financial transactions. Your remote workforce can stream Office and other desktop applications and conferencing software through Microsoft Azure, or your company can use Google Cloud Platform to build, test, and develop apps. These three cloud companies now control much of the world’s cloud data. All can handle Software as a Service (SaaS) applications for basic business interactions, including marketing, email, and project management.
The benefits are low latency, speed, high bandwidth, convenience, outsourced security and OS updates, cutting-edge software improvements, accurate compliance (for banking and other data-sensitive industries), and edge computing for handheld devices and a remote workforce.
The Flexera 2022 State of the Cloud Report consulted more than 750 cloud decision-makers and other IT experts at the end of 2021. They agreed that public, private, or hybrid cloud use is going to be the norm. Respondents stressed the need for holistic, cross-cutting strategies toward cloud creation, migration, use of public clouds, and more. Top concerns include:
- Optimizing existing use of clouds (59%)
- Migrating more workloads to cloud (57%)
- Moving from on-premises software to SaaS (42%).
No matter your enterprise’s size, it’s better to be prepared than to be left behind, or waste time and resources on products that are underused or not needed. The Flexera report estimates that even small- and medium-sized businesses will spend more than $1.2 million on cloud use in 2022.
Security issues for single and multicloud platforms
Oracle estimates that 76% of enterprises use more than one public cloud, and those with $1 billion or more in revenue use at least three public clouds. With that level of investment, multicloud security becomes an even more urgent concern. Multicloud and single cloud providers share these risks:
- The extensive scale of services and architectures available can make comprehensive oversight more challenging.
- Deployment of new features can occur more quickly than security controls.
- A higher number of public-facing endpoints can increase the attack surface.
Is multicloud safe?
As enterprises expand their architectures and data across cloud environments, IT teams need a customized, adaptable strategy toward security features across all providers. This added cost is a necessity to keep data safe across their multicloud architectures.
In a Protocol roundtable, Paul Cormier, Red Hat’s president and CEO, states that multicloud security is a complex task for internal teams. “Everyone has similarly named services. They’re very powerful, but they’re silos unto themselves. And with those silos, they’re now adding that complexity times five or 10 for your operations and securities people.”
A single cloud provider controls its security software updates, simplifying interactions with its clients. Transitioning to a multicloud architecture removes that simplicity and poses these security challenges:
- IT has to keep up with all the upgrades among multiple clouds, and ensure employees are using them.
- Sometimes third-party services handle security for cloud providers, meaning parts of the cloud environment aren’t accessible.
- Because employees are accessing multiple clouds, each with their own security and access protocols, the risk of vulnerabilities increases.
- Remote employees may be using handheld devices, personal laptops, etc., which means human error can creep in and may be harder to identify.
- Lack of thorough training for all cloud platforms can lead to errors when setting up each cloud’s security measures.
Best practices for multicloud security
Cloud providers offer many security features, including multi-factor authentication, encryption, identity and access management, compliance and governance tools, and threat and anomaly detection. But Gartner points out that human error can also lead to expensive security breaches. This calls for a mindset shift from asking “Is the cloud secure?” to “Am I using the cloud securely?”
Your data storage strategy must weigh the budget against the risk tolerance, and measure which data streams require the most security features. Even with a risk management cloud strategy, IT teams should audit and adapt from lessons learned: both internally and from breaches that hit the news.
These best practices—along with hiring the right personnel—can go a long way toward avoiding breaches and retrieving data in the face of disasters. Yes, reduce human error through automation, but create personal business partnerships with those protecting your valuable assets.
- Take security ownership through a risk assessment that’s modified as needed: don’t outsource security completely to cloud providers.
- Synchronize security tools across multicloud platforms, automating compliance protocols. Try to reduce or eliminate specific security tools that address only one potential problem, because patchwork fixes can multiply and be hard to track.
- Form relationships with IT cloud security staff, the experts in policies, updates, and ways to troubleshoot gaps.
- Virtualize and use additional SaaS products, apart from cloud products, for reporting, deployment, and creating a thorough security policy.
Adopt a zero trust approach
When enterprises relied on internal servers, a castle-and-moat philosophy reigned, meaning firewalls kept most hackers at bay. Yet now, according to Gartner, “Trust based on physical location breaks down when users are mobile and when external partners require access. It creates excessive implicit trust – trust that attackers abuse.”
Therefore, security teams are increasingly adopting a zero trust approach. They’re embedding security throughout the infrastructure and continually monitoring and testing areas that could be vectors for illegal entry.
Security solutions have to be ongoing, rigorous, and at an enterprise level, with scrutiny on what individual users have access to, from where, and at what times. With the rise of mobile devices, security has to go to the edge of data endpoints. In short, we recommend that you:
- Promote consistent security measures across cloud environments.
- Use an Infrastructure as Code (IaC) tool, like the Megaport Terraform Provider, to enforce configuration consistency and support change management.
- Reduce public-facing endpoints by using private multicloud connectivity solutions, like Megaport Cloud Router (MCR) for cloud-to-cloud routing, or our data center connectivity options for DC-to-cloud connectivity.
- Consider a SASE and ZTNA architecture for your cloud edge, and Firewall as a Service (FWaaS) options for intercloud and edge connectivity.
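As an added illustration (not part of the original article and not Megaport code), the Python example below applies one security baseline to resources from three clouds and lists the public-facing endpoints, treating a setting that was never reported as a finding rather than a pass. The inventory records, the per-cloud field names and the baseline are constructed for this example and are not real provider API fields.

```python
# Added example: one baseline checked across clouds (all data constructed).
BASELINE = {"mfa_required": True, "encrypted_at_rest": True, "public_endpoint": False}

# Each provider names the same control differently; map native keys to common ones.
# These key names are hypothetical, chosen only to show the normalization step.
FIELD_MAP = {
    "aws": {"mfa": "mfa_required", "sse": "encrypted_at_rest", "public": "public_endpoint"},
    "azure": {"requireMfa": "mfa_required", "encryption": "encrypted_at_rest",
              "publicAccess": "public_endpoint"},
    "gcp": {"two_step": "mfa_required", "cmek": "encrypted_at_rest",
            "external_ip": "public_endpoint"},
}

INVENTORY = [  # constructed sample inventory
    {"cloud": "aws", "name": "billing-db", "mfa": True, "sse": True, "public": False},
    {"cloud": "azure", "name": "vdi-gateway", "requireMfa": True, "encryption": True,
     "publicAccess": True},
    {"cloud": "gcp", "name": "app-build", "two_step": False, "cmek": True},  # no external_ip
]

def normalize(resource):
    """Translate provider-specific keys into the common control names."""
    mapping = FIELD_MAP[resource["cloud"]]
    return {common: resource.get(native) for native, common in mapping.items()}

def audit(inventory, baseline=BASELINE):
    """Return (cloud, name, control, reason) for every deviation from the baseline."""
    findings = []
    for res in inventory:
        if res["cloud"] not in FIELD_MAP:
            # A cloud nobody mapped is an oversight gap, not a clean result.
            findings.append((res["cloud"], res["name"], "provider", "unmapped"))
            continue
        settings = normalize(res)
        for control, expected in baseline.items():
            actual = settings[control]
            if actual is None:          # setting not reported: fail closed
                findings.append((res["cloud"], res["name"], control, "unknown"))
            elif actual != expected:
                findings.append((res["cloud"], res["name"], control, "drift"))
    return findings

def public_endpoints(inventory):
    """Names of resources confirmed to be reachable from the public internet."""
    return [r["name"] for r in inventory
            if r["cloud"] in FIELD_MAP and normalize(r)["public_endpoint"]]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
    print("public:", public_endpoints(INVENTORY))
```

Run on a schedule against real inventory exports, a check like this gives one report for all clouds instead of one per provider console.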