A decade ago, most security analysts were pretty confident that we would soon be able to secure enterprise cloud environments. To give credit where it is due, we were partially correct – the top 3 cloud security threats today are far less worrisome than they were all those years ago.
But while we were working hard to secure the cloud, something else was also happening. The number, complexity, and sophistication of cloud infrastructures was also increasing. This means that in 2020, according to the 2020 State of the Cloud Report from Flexera, 93% of enterprises have a multi-cloud strategy – up from 81% two years ago.
Unfortunately for cybersecurity engineers, multi-cloud environments are not just more difficult to secure than cloud systems, they are exponentially more so. In this article, we’ll look at why that is, and what we can do about it.
The Rise of Multi-Cloud
Looked at in hindsight, the rise of multi-cloud infrastructures might turn out to be as problematic as it was inevitable. CISOs have known about the importance of cloud security ever since cloud systems first emerged, but lack of time and resources have made it a bit more difficult to manage in practice.
Now, in many organizations, IT managers typically don’t know how many clouds are in use, let alone how to secure them. In your average enterprise, there will normally be a large, pretty centralized cloud, managed internally. There will then be a number of subsidiary clouds, each relating to a piece of software – one for office productivity software, and one to archive conversations on communications clients, etc.
To make matters worse, many of these clouds are resistant to oversight from within an organization. In response to concerns about web security, for instance, some companies have made the switch to private browsers. However, most of these allow users to store data in proprietary, encrypted clouds that are designed to be inaccessible to IT admins. That’s a problem.
And it doesn’t even stop there. Today, according to the 2020 SaaS Trends report from tech vendor Blissfully, the average IT infrastructure consists not only of multiple clouds, but also an average of 288 different Software-as-a-Service (SaaS) offerings.
All of these SaaS tools have different security requirements, and each interacts with existing cloud infrastructure in complex ways. Giving apps the necessary access to enterprise cloud storage is a major task in itself, and has led many admins to leave their cloud security more open than it would otherwise be in order to avoid the kind of cloud incompatibility issues that are very common in B2B environments.
At a more fundamental level, each of these SaaS solutions represents a potential threat vector, because (almost by definition) each SaaS application must exchange data not only with a cloud hosted by the provider, but also with a cloud held within the enterprise it is being used in.
This interlocking set of clouds, security requirements, and sometimes incompatible policies has given rise to an enormous amount of complexity, and in the final analysis it is this complexity that is the real enemy of cloud security. According to the Hosting Tribunal, a survey from LogicMonitor and IDC revealed that more than 60% of enterprises are worried about privacy and regulatory issues, along with governance and compliance of cloud services.
Securing Multi-Cloud Environments
This complexity makes any prescription for cloud security contingent on the precise nature of the cloud and apps in use within your particular organization. However, there are a set of principles that can be applied that can help to ensure better multi-cloud security.
1. First and foremost, get back to basics and recognize that, ultimately, the purpose of your clouds is to store data for applications. Putting it like this allows us to instantly recognize an important fact that we might have forgotten amid all the complexity of multi-cloud environments: that application security is still the most important factor in cybersecurity. By locking down your applications, and ensuring that they have the correct authentication for cloud systems in place, you can minimize your chances of being hacked.
2. Secondly, it pays to look at emerging solutions that can help you to prevent unauthorized access to your clouds. Cloud access security brokers (CASBs), for instance, are pieces of software you can place between your organization and cloud service providers to consolidate and enforce security measures such as authentication, credential mapping, device profiling, encryption and malware detection.
3. Third, make sure that security is “baked into” every extra cloud you add to your systems. That might come as cold comfort to administrators who are already struggling with multiple clouds, added by security engineers who have long left their organization, but there’s no time like the present: make sure that every new cloud you add is only accessible by the applications (and users) who truly need access, rather then leaving it open to avoid compatibility problems.
Above all, it’s crucial that cybersecurity analysts retain a good level of visibility across the clouds that are actually in use in their organizations. Every single instance of storage should be mapped and accounted for, or you are leaving yourself open to attack.
Despite the current difficulties that we face in securing multi-cloud environments, there are plenty of advantages to moving your business operations to the cloud. Most cloud solutions are user-friendly, making it easier to collaborate with remote teammates and offering increased flexibility and mobility.
There are signs of hope when it comes to security, too. More CISOs and their teams are working closely with developers and other stakeholders, and they are doing so earlier in project cycles, to ensure security is considered from the start. Over time, this will mean that more clouds are constructed with security built-in, and multi-cloud environments are inherently more secure.
With so much already on their plates, find out how you can make life easier for your IT and and security teams by offloading complicated PKI tasks and management. Reach out to one of our GlobalSign experts today.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.