Managing security in a diverse cloud environment

Cloud security concept image showing a digitalized cloud symbol with a padlock sitting on a circuit board.
(Image credit: Getty Images)

There are clear benefits to having a diverse cloud environment in business. Whether it’s to meet the scalability requirements of a growing organization, to take advantage of the much lower costs of a proper multi-cloud approach, or to keep data secure through a hybrid cloud solution, there’s every reason for leaders to double down on the cloud

However, embracing and managing a diverse cloud environment is also a huge challenge. The sheer scale of these systems, which may include disparate applications, region-specific data, and connections to third-party partners, can be very difficult for any cybersecurity team to manage. 

And this may only worsen as their cloud infrastructure expands. To maintain control, businesses must invest in the right tools and controls over their cloud infrastructure, as well as draw up watertight cloud security strategies for their staff.

Knowing who’s in your environment

Evidence suggests that cloud environments are only becoming more diverse over time. The majority (94%) of large enterprises in 2023 used a multi-cloud approach, per Statista figures marking a rise since the 2021 figure of 90% among similarly-sized enterprises.

The same Statista figures note a sizable increase in small businesses using multi-cloud, with adoption among the cohort having jumped from 60% in 2021 to 79% in 2023. 

With cloud environments diversifying, leaders run the risk of losing track of cloud workloads or taking their eye off critical systems that hackers seek to attack. This is where identity and access management (IAM) can come in helpful – it allows IT teams to track user privileges, revoke access to specific systems at a click, and detect suspicious user accounts.

Some firms are even using AI and machine learning (ML) to build user activity profiles so that if and when a threat actor enters the environment using legitimate credentials, they are automatically identified based on their unusual behavior.

Above all else, leaders must remember that their employees can make or break security policies, so they must always be kept in the loop on best practices and any changes to policy.

Zero trust network access (ZTNA) across one’s cloud environment will help to ensure that if any hacker attacks your cloud environment, they won’t be able to access very many systems.

If your business is part of the X% which operates a multi-cloud environment, it’s important to get to grips with the inherent security features of all your providers. Beyond discussing these with your contact at the company, it’s that IT teams familiarize themselves with the protocols individual to that vendor.

This can help you overcome platform-specific learning curves that could hamper your security response and lead to security misconfigurations.

Casting light on your environment

If you don’t have comprehensive visibility across your cloud environment, you can’t say you’re secure with any degree of confidence. Though there are always technical limitations – some of which can be overcome with third-party tools – strategy is key here.

If you’ve always been a cloud-native company, you’ll have a far easier time putting your diverse cloud environment under a single pane of glass to monitor. On the other hand, if your journey to the cloud happened over many years and involved lifting and shifting legacy systems, you’re facing a far larger headache when it comes to cloud security.

Many old systems weren’t built to be operated in the cloud and can struggle to operate securely when run from the cloud. It may be that you’re running old software with unpatched vulnerabilities, or haven’t blown the dust off your cloud blueprint in quite some time.

While it can be difficult to maintain observability and keep patches up to date across a diverse cloud environment, the alternative could open organizations up to more risk.

Cloud concentration, in which companies only use a few cloud providers to reduce complexity, reduces the cost of working with multiple cloud vendors and partners as well as reducing the staffing time needed to obtain cloud skills and oversee multiple instances. However, cloud concentration also puts organizations in a worse position when an attack happens.

Analyst firm Gartner ranked cloud concentration as a “top five emerging risk” for organizations in October 2023, noting that it also makes firms more vendor-dependent – which can backfire dramatically.

For example, if an organization is breached by a threat actor and has grouped all of its critical resources in just one cloud instance, it is all easily accessible to the attackers. Similarly, those without a diverse cloud environment are at greater risk of being unable to recover 

Experts have pointed to Google Cloud’s accidental deletion of an Australian pension fund’s entire instance as proof of the need for a multi-cloud approach. Although UniSuper, which manages a $135 billion pension fund, had had its entire Google Cloud account and backups wiped, it was able to recover its operations using a backup with another provider. 

A security strategy for every application in your cloud

Application programming interfaces (APIs) form the backbone of cloud networks and can be particularly helpful for connecting applications across an organization’s multi-cloud environment.

To properly harness the benefits, it’s also important that leaders keep an eye on the risks associated with APIs and factor this into their security strategy. This includes ensuring that APIs have the necessary access controls and 

In the sector currently, businesses are also seeking to onboard generative AI into their broad cloud environment, across both the public and private cloud. Hyperscalers are pouring money into generative AI accessible via the public cloud.

However, strict security controls must be a part of this onboarding process, especially as AI models can be riddled with insecurities. In particular, chief information security officers (CISOs) or chief AI officers (CAIOs) must establish clear strategies for where their AI sits in the cloud, to meet data security requirements and to prevent ‘shadow AI’ in which employees use models without observation and potentially expose sensitive information to public AI models.

Every facet of the cloud comes with benefits and risks. Each new workload in the cloud broadens your attack surface – but with the right controls in place and staff provided with the core security knowledge they need, businesses can pursue a diverse cloud in safety.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.