Multi-cloud, where businesses use several cloud providers depending on the task, has become an increasingly popular strategy over the last several years.
According to Flexera’s State of the Cloud report 202, 89% of decision makers surveyed have a multi-cloud strategy, with the majority following a multi-public cloud approach.
Research from Fortune Business Insights, meanwhile, found the multi-cloud management market is expected to grow from a valuation of nearly $9 billion ($8.61 billion) in 2023 to just over $50 billion ($50.4 billion) by 2030, pointing to the surge in multi-cloud adoption.
One of the main drivers of this strategy is flexibility – multi-cloud allows businesses to use the right tool for the job depending on the workload while also helping to avoid vendor lock-in. It can also improve reliability, as if there’s a service outage on one cloud the entire operation won’t be disrupted.
While not all businesses will need to adopt a multi-cloud approach - many small and medium-sized businesses (SMEs) can function on a single cloud provider - many enterprises will look to multiple vendors to deliver their services.
More providers means more complexity, though, as noted by analyst firm Gartner’s definition of a ‘multi-cloud strategy’. This can, in turn, mean bigger headaches for cyber security teams that are trying to secure the company’s data that’s held in the cloud.
The larger the cloud estate, the harder it is to achieve a good level of visibility across its entirety. In addition, there are more potential vectors of attack.
Securing a multi-cloud environment must therefore take four fundamentals into consideration:
- choosing the right initial multi-cloud strategy
- creating a team with the right skill set
- ensuring visibility across the entire environment
- automating management.
Forming the multi-cloud strategy
Setting off on a multi-cloud journey on the right foot is hugely important and the choices an IT decision maker (ITDM) makes at this stage will be fundamental to creating a secure multi-cloud environment.
According to consultancy PwC's 2024 Global Digital Trust Survey, cloud-based attacks are the top cyber security concern for 47% of c-suite respondents, yet only 33% had made it a top priority for investment. Indeed, 36% have no risk management plan in place for cloud services at all.
PwC put this gap down to a frequent organizational assumption that security is “taken care of” by cloud providers. Even if they recognize that assumption as insufficient, many “struggle” to decide where to invest resources in order to strengthen cloud security.
“This is often because of the sheer complexity of their multi-cloud hybrid environments,” PwC says.
Having a plan from the outset is vital. Any additional cloud provider being incorporated into an enterprise environment needs to be fully assessed and understood beforehand.
The security strategy also needs to be comprehensive, with the same practices and framework applied to every part of the environment. Without this, multi-cloud security can become ineffective.
PwC notes that using multiple clouds to do the same job can lead to a “fragmented and siloed security posture” in which some elements of the cloud environment are not as protected as others.
Despite the added complexity, choosing to go multi-cloud in the first place is an important milestone. Recent events involving Australian superannuation fund UniSuper have made this clear.
UniSuper’s overreliance on Google Cloud meant it suffered a devastating loss of data. Even though it had backups, these backups were located on the same cloud provider and so met the same fate when the account was deleted.
Creating the right team
Gartner’s definition of a ‘multi-cloud strategy’ notes that a greater level of skill is required. This is because enterprises will need teams that understand the nuances of different providers.
Each cloud platform is different. For example, Amazon Web Services (AWS) offers its own specific ‘Foundational’ and ‘Professional’ certifications in areas of cloud, AI, solutions, and DevOps.
While the skills gained through certifications can be transferable, some are not and are specific to the particular cloud provider. If an enterprise were to add, say, Google Cloud Platform (GCP) into its cloud environment, it would need staff trained in how best to deploy GCP services rather than – or as well as – AWS services.
To ensure a secure multi-cloud environment, enterprises need to create teams that have a cyber security understanding that’s adaptable to multiple cloud providers. Teams must be armed with staff who can navigate security across varying platforms.
Total visibility
Visibility is a core tenet of security, referring to a security team's ability to effectively monitor and process any of the potential threats.
In the context of multi-cloud, visibility is even more important. Inevitably, multiple cloud environments will demand that security teams have a more widespread level of visibility.
According to Gartner research from earlier this year, a “lack of holistic visibility” in multi-cloud deployments can lead to inaccuracies in risk prioritization and assessments of cloud security posture.
The US National Security Agency (NSA) also noted similar potential threats lurking in multi-cloud environments, stating that multiple clouds can create a “loss of visibility” as part of its recent cloud security strategy guide.
Without effective multi-cloud visibility, CISOs will be at a loss to manage and protect every single workload. This will make it more likely for threat actors to find and weaponize unsecured vulnerabilities and weaknesses within an enterprise’s ecosystem.
Gartner recommends using a “cloud-agnostic cloud native application protection platform (CNAPP)” to bolster visibility and governance across multiple clouds and large multi-cloud environments.
Automation
Security teams can use automation across their multi-cloud environments to bring down the level of work, therefore ensuring a more easily secured multi-cloud environment.
DevOps specialist Dinesh Reddy Jetti referred to this in a blog post, noting that the delivery of security across “diverse environments can be complex and challenging” in the multi-cloud arena.
“Automation plays a critical role in streamlining security processes and ensuring that security controls are consistently applied across all cloud platforms,” he said.
More specifically, Jetti mentioned ‘Continuous Compliance Monitoring,’ automated tools that monitor cloud environments for compliance with security policies. This can help ensure that the enterprise-wide security framework is being met.
There is also cloud orchestration software. This software essentially automates the arrangement, coordination, and management of different workloads across different clouds.
Cloud orchestration software allows teams to add permission checks for security and compliance at points in existing workflows. They can also create templates to use across new environments that include security rules.
Through the use of appropriate tools and recruiting specialist staff, businesses can reduce the risk of cyber attacks in a multi-cloud environment. However, a well thought out strategy is also vital to success.
