As its name suggests, a multi-cloud environment is a network that utilizes the services of more than one cloud provider. There are many different ways that multi-cloud infrastructures can be designed and a primary topic of discussion is how to properly secure these environments. No single cloud service provider has the best environment for every task, and by using multiple cloud service providers, you can pick the best services from each. It is for this reason that multi-cloud computing has become increasingly popular.
However, moving to multiple public cloud providers gives organizations even less control over their data than a single-cloud instance, all while giving applications a larger attack surface. The increased availability and efficiency of cloud environments is not always worth the risk in security.
With that, here are five thoughts on securing multi-cloud environments:
- Test throughout the lifecycle. Be sure the organization is prepared to implement policies that encompass both embed compliance and security testing into the software development lifecycle (SDLC) phases, as well as the service execution phase. Creating a scalable, repeatable process for dealing with configurations of cloud services, as well as dealing with identification and remediation of vulnerabilities, is paramount.
- Understand who is responsible for what. Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS) all have different areas of security responsibility. The key to managing a multi-cloud environment is understanding which controls are the provider’s responsibility and which are the tenant’s. The cloud tends to be a shared responsibility model where businesses are accountable for the security of their data and applications, while cloud providers are responsible for the security of the infrastructure.
- Ensure they give you visibility and use advanced monitoring. When selecting a cloud platform, ensure that you have complete visibility across all of your instances. Choosing a solution that relies on behavior-based monitoring instead of signature-based monitoring can greatly increase the effectiveness of the security posture.
- Understand that securing the perimeter is not enough. In multi-cloud networks, it is no longer feasible to consider all internal traffic ‘safe.’ Companies that wish to employ multi-cloud environments will need to move away from the ‘castle wall’ practice of securing the perimeter because they are no longer in control of that perimeter. Instead, the focus should shift to securing the internal network and the sensitive data as a result.
- Automate as much as possible. Policy-driven automation can take the human error factor out of multi-cloud computing. Multi-cloud strategies are transforming the security process and automation can help organizations adhere to the security standards chosen by the company.
While security in the cloud is a shared responsibility, the organization itself will ultimately be culpable. Public cloud providers will typically have strong controls and several compliance certifications, yet they have varying levels of services and offerings, and cannot fully secure what is not theirs. CISOs and security leaders must continue to define and review the scope of their responsibilities for security in the cloud.