5 Multicloud Security Challenges and How to Address Them
First came cloud technology, then - as organizational needs continued to grow more complex - came multicloud.
93% of the world's businesses have embraced some kind of multicloud strategy, but 83% of them say that securing such a platform has proven a difficult challenge (Flexera). Businesses are new to this, there's a lack of expertise and resources, and it's trickier to manage than a regular cloud setup.
With that in mind, today we address five of the most common multicloud management challenges and talk about how you can overcome them with fast, practical steps.
Identity and access management
Lack of visibility or monitoring
We know - nobody wants to talk about compliance. It's not exciting, it doesn't generate new customers or go viral, it just has to be done. The consequences of ignoring it can be dire indeed.
So what are regulators concerned with regarding cloud technology?
While regulations around the world haven't always been quick to adapt to digital technologies, regulators are starting to take notice of the cloud and are growing increasingly concerned with its security. By utilizing multiple cloud providers at once, you may inadvertently exacerbate those concerns.
Currently, key concerns include:
Data protection and user privacy. With so much data being uploaded every single day, it has to be stored somewhere safe and secure, and this isn't always the case.
Concentration risk or vendor lock-in. There aren't many cloud superpowers on the market and companies often choose just one (or are locked into just one). This creates a concentration risk.
Operational resilience. Can companies survive tumult and change if they are relying on these third-party service providers? What if that single provider breaks down?
Over-reliance on third parties. Just because a company is large doesn't mean it's secure. This is something companies around the world learned recently after the SolarWinds hack - which you can learn more about at the link below.
As we mentioned, multicloud strategies can exacerbate some of the problems related to cloud compliance - but they can also be used to help. For example:
Selecting cloud services from multiple providers spreads out your third-party risk.
Migrating data from one provider to another means you aren't locked in.
You gain access to leading technology without subscribing to a single vendor or their architecture (choose from the best of the best).
Utilizing open source technologies (such as containers, databases or open APIs) further improves portability, compliance and security.
Practical tips for improving your compliance with a multicloud approach
Be aware of relevant guidelines: Depending on your sector or region, different regulations and guidelines will apply to your services and applications. For example, the GDPR in Europe, or PCI applying to companies holding global credit card data.
Classify your assets: Catalogue your data and assets that sit in the multicloud environment. This will allow you to quickly and clearly understand what you have and to where it connects (where the data flows), so you can plan out how to protect it.
Tighten access controls: Anyone with access is a potential liability - human error, even innocent error, is always a risk. We'll talk more about this in our third challenge below.
Encrypt important data: If it's important, it must be protected. Then, try to follow the same security posture for all of your systems - you're going to be talking to a range of different cloud service providers in a multicloud setup, and they all must follow the same quality of security measures.
Misconfiguration of the cloud is one of the biggest, most damaging risk factors in the entire industry. In fact, the cost to companies due to misconfiguration errors in their cloud setup is 12 times that of the worldwide investment in cloud services (DivvyCloud). Once again, if misconfiguration is a problem for single cloud setups, it's an even bigger problem for multicloud.
Expertise has long been a problem in the digital world, and indeed Flexera noted in its report that expertise was one of the key challenges of cloud adoption. But while there is indeed an increasing number of experts in cloud technology, more often than not they tend to specialise in just one cloud service provider. To gain cross-cloud experience, companies often have to rely on yet more third parties. As we know, the more third parties that get involved, the more you increase that potential compliance risk.
Governance plays a key role here
We can hardly say that cloud is 'new' anymore, but it's still only recently that most German companies have started making a major push towards cloud and especially multicloud. This newness can lead to a lack of proper due diligence - after all, you don't know what you don't know.
Example of a common knowledge gap: If you aren't aware of the 'shared responsibility model', that is, the model which governs who owns what within the cloud and, therefore, who is responsible for which part, you might believe that a particular security concern sits with the service provider. However, according to that model, it might actually be your own problem - getting this wrong could leave a vulnerability open to exploitation.
Practical tips for reducing the risk of misconfiguration errors
Establish good cloud governance: Essentially, you must develop a policy and framework for people in the organization to follow that dictates how and when to use your new multicloud technology, and who has access (see below). Some questions to ask to get you started:
○ In what way will using your new multicloud platform align with and enhance your business goals?
○ Who is allowed access to the cloud, when, and from where?
○ Will the use of your cloud and the storage of data related to it align with your other GRC requirements, e.g. your risk appetite, GDPR legislation, and so on?
○ What KPIs can you establish that will measure the success of your cloud tools, and how will you monitor them?
○ Do your processes include mention of and instructions on how to use the cloud?
○ Has everyone been trained on these changes to process?
Educate stakeholders on their responsibilities: We know that human error is one of the leading causes of cloud security breaches worldwide, which means good multicloud security must start with your staff. It's vital that you establish a training program for all team members, no matter how small their department, from top to bottom (including executives). That way everyone knows how to be safe when accessing the system, and they know who to escalate issues to if they suspect there's a problem.
Establish cloud migration procedures: When migrating to the cloud, you can't use the same procedures as you would for any on-premise system. Multicloud environments are, quite simply, too different. In order to successfully migrate to the cloud, follow these steps:
○ Consider your current state and plan out your desired state so you know where you are, where you want to get to, and where the gap lies between those points.
○ Ensure you talk to a cloud specialist while planning your move to double check that you have factored in all the security and governance requirements that are applicable to your business, not to mention simple usability requirements.
○ Test any new tools in an isolated system before rolling them out to the company. This will let you check for security and UX concerns in a safe, simple environment.
○ After migrating your data and apps, ensure you validate the success of the move. Run further tests and make sure everything is working as expected. If you have a policy in place for people to self-report problems, this will also help you spot bugs.
So, we've mentioned user error a few times now. One way to handle the risk of user error (accidental or otherwise) is to carefully control identity and access management (IAM).
IAM is good security best practice in general, and you'll likely also get bonus points with your regulator for having a sound policy in place.
Note: IAM is actually more important than ever before as we write this article. Coming through the second year of COVID-19, more users are working remotely than ever before and it looks like teleworking is here to stay. That means more people wanting more access from more devices, and from potentially very poorly secured locations. This would push the security of any cloud environment, let alone multicloud.
Multicloud stretches the limits of what used to work just fine
Companies used to handle their IAM needs using simple tools like Microsoft Active Directory (AD). However, multicloud environments really stretch the bounds of what some of these legacy platforms can handle - often they just can't scale fast enough, or handle evolving threats.
Organizational leaders need to find a new solution that is designed to be more adaptable to an increasingly complex world and cloud system, or see if their current provider (like Microsoft) is now offering updated versions of the same tool that meets modern requirements.
Practical tips for improving IAM for multicloud
Have a process in place to regularly scan and review permissions: Chances are you'll have a lot of users with a lot of permissions - staff, admins, guests, various devices (including personal devices). You must review these permissions on a regular basis to ensure that access, especially privileged access (i.e. administrators), is always kept up-to-date. If your company is small enough you may be able to handle this manually; however, larger organizations will need software to help (e.g. Microsoft Azure AD's access reviews, which have been introduced to address the issues we talked about above).
Consider making permissions temporary: Another way to get around user access growing out of date is to make it temporary. When no one has permanent access, they must re-request access on a schedule that you choose. Then, they only gain permission for the work they are doing and the length of time they require for said work. Even if someone changes departments or resigns and you forget to review their permissions, their access won't last long.
Write a strong joiner mover leaver (JML) policy: A JML policy is one where there are clear guidelines in place to govern the access levels of anyone being onboarded, moved to a new role or department, or who is resigning. HR would typically own this process, but may require support from IT to implement the digital tools required to make it simple.
For example, you may consider implementing a Single Sign On (SSO) platform - that is, a service that allows users to log into all the apps and services relevant to their access level with just one ID (using multi-factor authentication, for an even stronger policy). When a person joins, moves or leaves, their ID for every app can be managed in this one system.
Don't forget your applications: User permissions aren't the only thing to consider. Your apps also need permission to access the system in order to function properly and share data. But if these third-party tools are compromised, they have free rein of your network and - as we've seen with the likes of SolarWinds - that's a problem. So, consider treating app permissions the same as users so you have review processes in place.
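The four IAM tips above (regular reviews, temporary permissions, a JML policy, and treating apps like users) can be combined into one recurring check. The following is an added example, not part of the original article: the provider names, roster, grant records and the 90-day and 30-day thresholds are all constructed assumptions.

```python
from datetime import date, timedelta

TODAY = date(2024, 6, 1)                  # fixed so the sample is reproducible
MAX_REVIEW_AGE = timedelta(days=90)       # assumed review interval
MAX_GRANT_LIFETIME = timedelta(days=30)   # assumed ceiling for temporary access

# Constructed HR roster, the joiner-mover-leaver source of truth.
ROSTER = {"alice": "active", "bob": "left", "carol": "moved"}

# Constructed grant inventory exported from three hypothetical providers.
GRANTS = [
    {"cloud": "cloud_a", "principal": "alice", "kind": "user", "role": "admin",
     "expires": date(2024, 6, 10), "last_review": date(2024, 5, 1)},
    {"cloud": "cloud_b", "principal": "bob", "kind": "user", "role": "reader",
     "expires": None, "last_review": date(2024, 4, 20)},
    {"cloud": "cloud_b", "principal": "carol", "kind": "user", "role": "admin",
     "expires": date(2024, 5, 15), "last_review": date(2024, 1, 5)},
    {"cloud": "cloud_c", "principal": "backup-agent", "kind": "app", "role": "admin",
     "expires": None, "last_review": None},
]

def review(grant, today=TODAY):
    """Return the list of findings for one grant (empty list = nothing to do)."""
    findings = []
    if grant["kind"] == "user":           # apps have no HR record; other checks still apply
        status = ROSTER.get(grant["principal"], "unknown")
        if status != "active":            # movers and leavers need their access re-decided
            findings.append(f"jml:{status}")
    expires = grant["expires"]
    if expires is None:
        findings.append("permanent")
    elif expires < today:
        findings.append("expired")        # should already have been revoked
    elif expires - today > MAX_GRANT_LIFETIME:
        findings.append("lifetime-too-long")
    last = grant["last_review"]
    if last is None or today - last > MAX_REVIEW_AGE:
        findings.append("review-overdue")
    return findings

def access_review(grants, today=TODAY):
    """Findings across all clouds, privileged (admin) grants listed first."""
    rows = [(g["role"] != "admin", g["cloud"], g["principal"], review(g, today))
            for g in grants]
    return [(c, p, f) for _, c, p, f in sorted(rows) if f]

if __name__ == "__main__":
    for cloud, principal, findings in access_review(GRANTS):
        print(cloud, principal, ", ".join(findings))
```

In practice the grant inventory would come from each provider's own IAM export, and the roster from the HR system that owns the JML process.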
4. Lack of visibility or monitoring
Different cloud service providers have, as we've highlighted, different requirements. They will use their own interface and architecture, and offer different monitoring options. Mishmashing systems like that can make it tricky for security teams to get clear visibility on the entire multicloud system - yet in order to monitor for vulnerabilities and attacks, this is exactly what they must be able to do.
Practical tips for improving multicloud monitoring
Invest in a centralized monitoring solution: Implement a central monitoring solution on the layer above your cloud platforms. That way you have one dashboard that helps you keep an eye on each of your different clouds. This is called 'single pane of glass' monitoring, and is usually designed to pack a number of different potentially complex data streams into a single, easy-to-navigate UI. Some software providers include:
Ensure your monitoring system has built-in machine learning and AI functions: Machine learning and AI are critical to being able to monitor vast quantities of data for tiny anomalies that tell you someone is trying to break in. You need a tool that can scan each of your cloud providers for such signals and either prevent an attack on the spot or notify you so that you can investigate further. This real-time detection could drastically reduce the time it takes your teams to detect a cyber breach, and therefore the damage such an attack could cause.
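What the 'single pane of glass' layer has to do before any detection can run is map each provider's audit records onto one schema and one timeline. The following is an added example, not from the original article: the three record shapes, the provider names and the baseline are constructed, and a fixed per-user baseline stands in for the machine-learning detection the text describes.

```python
from datetime import datetime, timezone

def _iso(s):
    # Accept a trailing "Z" on Python versions whose fromisoformat rejects it.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# One normalizer per hypothetical provider: each returns (time, principal, ip, action).
NORMALIZERS = {
    "cloud_a": lambda r: (_iso(r["time"]), r["user"], r["ip"], r["op"]),
    "cloud_b": lambda r: (datetime.fromtimestamp(r["ts"], tz=timezone.utc),
                          r["caller"]["name"], r["caller"]["address"], r["operation"]),
    "cloud_c": lambda r: (_iso(r["timestamp"]), r["payload"]["principal"],
                          r["payload"]["callerIp"], r["payload"]["method"]),
}

# Constructed audit records, deliberately out of order and differently shaped.
RAW = [
    ("cloud_c", {"timestamp": "2024-06-01T09:05:00Z",
                 "payload": {"principal": "alice", "callerIp": "203.0.113.50",
                             "method": "SetIamPolicy"}}),
    ("cloud_a", {"time": "2024-06-01T09:00:00Z", "user": "alice",
                 "ip": "198.51.100.7", "op": "ListStorage"}),
    ("cloud_b", {"ts": 1717232520,  # 2024-06-01T09:02:00Z as epoch seconds
                 "caller": {"name": "alice", "address": "198.51.100.7"},
                 "operation": "ReadSecret"}),
]

# Constructed baseline: source addresses each principal normally uses.
BASELINE = {"alice": {"198.51.100.7"}}

def timeline(raw):
    """Normalize every record to one schema and order them across clouds."""
    events = []
    for cloud, rec in raw:
        t, who, ip, action = NORMALIZERS[cloud](rec)
        events.append({"time": t, "cloud": cloud, "principal": who,
                       "ip": ip, "action": action})
    return sorted(events, key=lambda e: e["time"])

def unfamiliar_sources(events, baseline):
    """Events where a principal acts from an address outside its baseline."""
    return [e for e in events
            if e["ip"] not in baseline.get(e["principal"], set())]

if __name__ == "__main__":
    for e in unfamiliar_sources(timeline(RAW), BASELINE):
        print(e["time"].isoformat(), e["cloud"], e["principal"], e["ip"], e["action"])
```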
As we saw in Flexera's report, businesses are mostly quite new to using the cloud and that means there's a lack of confidence among users. Cloud can already seem complex, but when there are multiple service providers that must seamlessly integrate together, it can - again - exacerbate issues.
One additional factor adding to the complexity is that cloud services are not static. And why would they be? They have to keep moving to stay ahead of their own security concerns. But with so many different infrastructures, services, architectures, access controls and other features all constantly shifting and changing, it's a lot of moving parts to manage - any security controls you implement now may become redundant in a future update.
Practical tips for managing the complexity of multicloud environments
Take a service catalogue approach: Build a service catalogue of all the cloud services and functionalities that are available to users at your company. These services will have probably gone through different validations and tests before launch - you'll need a clear picture of each one and its ins and outs, so that you aren't just trusting the provider's security point of view. After all, their risk appetite will be different to yours and you must be able to contextualise their services to your business.
Use your single pane of glass to reduce complexity: That single pane of glass setup we mentioned before will help you here, too. Gaining oversight across cloud providers in a single dashboard can help you monitor everything that's important without having to flick between systems. So you can keep an eye on user access, important data, potential anomalies, and more all in one easy location.
Multicloud platforms are increasingly the future, allowing organizations to access the best features of multiple providers and provide a streamlined, technology-driven solution to employees.
However, with multiple service providers come the same problems as utilizing a single provider, except multiplied. Given the lack of confidence and expertise out there among many German businesses in cloud technology, these challenges can lead to serious security vulnerabilities.
But, there are ways to patch these holes relatively quickly. These include:
Investing in AI-driven multicloud management software to help you monitor and control each cloud vendor.
Creating good cloud security policies that govern every aspect of the cloud, from its migration through to access management, data storage, when to update, when to retire, and so on.
Carefully controlling and reviewing staff access to the system, and updating those levels based on strong policies that clearly state who can access what, when, from where, and what happens if people change roles (or resign).
Need help from cloud experts? We're here for you
While we've tried to offer practical tips today that won't be too difficult to implement, we know it's still a lot - especially if your business lacks the right expertise to make these changes happen.
That's where dig8ital comes in.
To help you learn more about securing the cloud, we recently hosted a webinar on "Overcoming CI/CD pipeline security challenges in cloud environments", which you can watch for free here. Or for a free maturity consultation with one of our team members, contact us today.