As enterprises migrate more IT systems from their data centers to the cloud, they are increasingly deploying workloads across a mix of public and private cloud technologies. These multi-cloud and hybrid environments create new challenges for security and networking teams responsible for addressing myriad issues related to multi-cloud operations and security while keeping costs in check and maintaining development teams' productivity levels.
The multi-cloud model often combines integrated public cloud offerings and the organization's own private cloud. This gives the organization the flexibility to select from the growing selection of public cloud providers and private cloud options to customize the environment that works for all of its users.
While the trend of companies migrating their data, applications, and development work to the cloud is not a recent development, the coronavirus pandemic accelerated it. As a result, more organizations are prioritizing launching or expanding their multi-cloud strategies as part of their digital transformation initiatives. They can optimize for cost, geographical coverage, and application performance, and reduce their dependency on any single cloud provider.
According to a Gartner survey of public cloud users, 81% of respondents said they work with two or more providers. They can customize a collection of services and platforms from various providers that meet their specific needs and avoid vendor lock-in.
"Multi-cloud is no longer a matter of 'if' — it's a matter of 'when,'" said Santhosh Rao, Senior Director Analyst, Gartner. "Multi-cloud computing lowers the risk of cloud provider lock-in, and can provide service resiliency and migration opportunities, in addition to the core cloud benefits of agility, scalability, and elasticity."
A multi-cloud strategy eliminates the need to choose between application portability and full functionality for specific workloads. The question from a security and operational standpoint is how to realize all of these benefits without re-doing everything for each cloud platform. In other words, how can an organization:
- Minimize the customizations necessary for each cloud environment it uses to streamline operations and reduce overhead.
- Achieve consistency. For example, can an application run on Azure, AWS, and Google Cloud and ensure seamless security and compliance monitoring and reporting across all three?
An organization needs to unify the administration and monitoring of its IT systems: standardize policies and processes, and share tooling across its cloud providers. The challenge is to architect deployments that use native cloud services where appropriate while keeping security controls that work the same way in every cloud environment, so that workloads remain portable and interoperable.
But variations in security controls from one cloud service to the next complicate matters. Security is a shared responsibility between the enterprise and its cloud providers: the provider secures the underlying platform, and the customer is responsible for the controls that secure its own configuration, identities, applications and data. Exactly where that line falls depends on the service model (it sits higher in the stack for a managed PaaS offering than for raw virtual machines), but the customer's share is never zero. We say "shared," but Gartner predicts that "through 2025, 99% of cloud security failures will be the customer's fault." So although platform-native security tools are available, breaches caused by cloud misconfigurations keep occurring at an alarming rate.
The Ponemon Institute/IBM 2020 Cost of a Data Breach Report identifies misconfigured cloud services as a leading initial attack vector, alongside stolen or compromised credentials. Our recently published research reveals that a significant majority of companies moving to multi-cloud environments are not configuring their cloud services properly. Even once companies become aware of these errors, most do not address the bulk of them in a timely manner; larger enterprises in particular take an average of 88 days to remediate an issue after it is discovered.
Managing multiple accounts on a single cloud is already difficult, and multi-cloud multiplies the problem: each platform has its own security settings, its own services and its own set of users. An organization might have twenty cloud accounts, each with ten admins plus other users setting up services or launching instances; that is hundreds of people touching configurations.
But identifying and eliminating misconfigurations must be a priority – doing so is critical to shrinking the attack surface and hardening the organization’s overall security posture.
The key is consistent control over all of your organization's cloud environments. If you evaluate external Cloud Security Posture Management (CSPM) solutions to gain that visibility, examine how fully each vendor supports every platform you use today and the ones you may adopt later. It can seem easier to rely on each cloud provider's own security features, but the deeper you go with those, the harder it becomes to port them or manage them consistently in another provider's environment. Cloud providers are trying to differentiate their offerings through specialty services, regional availability, price and even security tooling, so each cloud is very much its own world, with differences in the management console, scripting languages, APIs, command-line syntax and even terminology. Multi-cloud is a strong force, but dealing with multiple providers comes at a cost.
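What "consistent control" looks like in practice is a normalization layer: each provider's resource description is mapped into one common schema, and a single rule set is evaluated against all of them, so a public bucket or an SSH port open to the internet is reported the same way whether it lives in AWS, Azure or Google Cloud. The following is an added example written for this article, not code from the article itself or from Aqua Security's products. The inventory records are constructed, and their field names only imitate each provider's API shape; treat `normalize()` and the `RULES` table as illustrative assumptions, not as any vendor's real schema.

```python
"""Provider-agnostic posture checks: normalize AWS/Azure/GCP-shaped resource
descriptions into one schema, then evaluate one rule set against all of them."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample inventory. The field names imitate each provider's API
# shape but are assumptions for illustration, not exact SDK output.
SAMPLE_INVENTORY = [
    {"provider": "aws", "type": "s3_bucket", "name": "billing-exports",
     "acl": "public-read", "block_public_access": False},
    {"provider": "azure", "type": "storage_container", "name": "logs",
     "publicAccess": "None"},
    {"provider": "gcp", "type": "gcs_bucket", "name": "backups",
     "iam_bindings": [{"role": "roles/storage.objectViewer",
                       "members": ["allUsers"]}]},
    {"provider": "aws", "type": "security_group", "name": "web-sg",
     "ingress": [{"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
    {"provider": "azure", "type": "nsg", "name": "app-nsg",
     "rules": [{"direction": "Inbound", "access": "Allow",
                "port": "22", "source": "Internet"}]},
    {"provider": "gcp", "type": "firewall", "name": "allow-ssh-internal",
     "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"protocol": "tcp", "ports": ["22"]}]},
]

# Provider-specific spellings of "anyone on the internet".
ANYONE = {"0.0.0.0/0", "::/0", "*", "Internet", "allUsers", "allAuthenticatedUsers"}
ALL_PORTS = frozenset(range(65536))


@dataclass
class Resource:
    """Common schema every provider's resource is mapped into."""
    provider: str
    kind: str                      # "storage" or "network"
    name: str
    public_read: bool = False      # storage: readable by anyone
    open_ports: set[int] = field(default_factory=set)  # network: inbound from anyone


def _ports(spec: str) -> set[int]:
    """Expand an Azure/GCP-style port spec ('22', '80-443', '*') into a set."""
    if spec == "*":
        return set(ALL_PORTS)
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def normalize(raw: dict) -> Resource:
    """Map one provider-shaped record to the common schema."""
    p, t, name = raw["provider"], raw["type"], raw["name"]
    if t == "s3_bucket":
        # A public ACL only takes effect if the public-access block is switched off.
        public = (raw.get("acl", "private").startswith("public")
                  and not raw.get("block_public_access", True))
        return Resource(p, "storage", name, public_read=public)
    if t == "storage_container":
        return Resource(p, "storage", name,
                        public_read=raw.get("publicAccess", "None") != "None")
    if t == "gcs_bucket":
        members = [m for b in raw.get("iam_bindings", []) for m in b.get("members", [])]
        return Resource(p, "storage", name, public_read=any(m in ANYONE for m in members))

    open_ports: set[int] = set()
    if t == "security_group":
        for r in raw.get("ingress", []):
            if r["cidr"] in ANYONE:
                open_ports |= set(range(r["from_port"], r["to_port"] + 1))
    elif t == "nsg":
        for r in raw.get("rules", []):
            if r["direction"] == "Inbound" and r["access"] == "Allow" and r["source"] in ANYONE:
                open_ports |= _ports(r["port"])
    elif t == "firewall":
        if raw.get("direction") == "INGRESS" and any(s in ANYONE for s in raw.get("sourceRanges", [])):
            for a in raw.get("allowed", []):
                for spec in a.get("ports", ["*"]):   # no 'ports' key means every port
                    open_ports |= _ports(spec)
    else:
        raise ValueError(f"unknown resource type {t!r}")
    return Resource(p, "network", name, open_ports=open_ports)


# One rule set, written once against the common schema, applied to every cloud.
RULES = {
    "STORAGE_PUBLIC_READ": lambda r: r.kind == "storage" and r.public_read,
    "SSH_OPEN_TO_INTERNET": lambda r: r.kind == "network" and 22 in r.open_ports,
}


def run_checks(inventory: list[dict]) -> list[tuple[str, str, str]]:
    """Evaluate every rule against every normalized resource; return findings."""
    findings = []
    for raw in inventory:
        res = normalize(raw)
        for rule_id, pred in RULES.items():
            if pred(res):
                findings.append((res.provider, res.name, rule_id))
    return findings


if __name__ == "__main__":
    for provider, name, rule_id in run_checks(SAMPLE_INVENTORY):
        print(f"{rule_id:22} {provider}/{name}")
```

Note that the S3 and GCP records are both flagged even though one expresses "public" as an ACL string and the other as an IAM binding to `allUsers`, while the GCP firewall rule is not flagged because its source range is an internal network. All of the provider-specific knowledge lives in `normalize()`; the rules themselves never mention a provider, which is the property that keeps reporting consistent as clouds are added.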
The answer is not to limit or prevent users from adopting the cloud platforms that best fit their needs. That will only hurt their productivity and encourage them to use those platforms without IT's knowledge or permission. The ideal approach allows full flexibility in choosing which applications run on which cloud, taking into account any application dependencies on specific cloud services, regional availability, or data residency requirements.
Rani Osnat is VP, Strategy at Aqua Security.