3 top multi-cloud security challenges, and how to build a strategy

A data breach or intruder alert will send security teams into high gear as they scramble to stem the damage and determine the cause.

That task was challenging enough even when IT ran all its operations on its own infrastructure, but it has become increasingly complex as organizations have moved more of their workloads first to the cloud and then across multiple cloud providers.

The 2018 State of the Cloud Report from RightScale, a cloud services provider, found that 77 percent of the responding 997 tech professionals say cloud security is a challenge, with 29 percent saying it’s a significant challenge.

Security experts say they’re not surprised, particularly considering that 81 percent of respondents to RightScale’s survey are employing a multi-cloud strategy.

“Multi-cloud environments add to the complexity in terms of how you implement and govern security controls,” says Ron Lefferts, managing director and global leader of the Technology Consulting Practice at management consulting company Protiviti.

He and other security leaders say organizations are smart to keep security top of mind as they move more workloads to the cloud.

Multi-cloud security challenges

But they should recognize, too, that the multi-cloud environment comes with additional challenges that need to be addressed as part of a holistic security strategy.

“In this world of multi-cloud, it’s all about coordination – contractually, technologically and people wise,” says Christos K. Dimitriadis, director and past chair of the board of directors at ISACA, a professional association focused on IT governance. “Now if there’s an incident, you need to make sure that all the entities are coordinated, that they all work together to identify a breach and do an analysis and develop improvement plans to make controls even more effective.”

Here are three factors security experts say complicate security strategies for multi-cloud environments.

Increased complexity. Coordinating security policies, processes and responses across multiple cloud providers as well as a much expanded network of connection points adds layers of complexity.

“You have extensions of your data center in multiple places in the world,” says Juan Perez-Etchegoyen, a researcher and co-chair of the ERP Security Working Group at the nonprofit trade organization Cloud Security Alliance (CSA). “And then you have to comply with the regulations of all the countries or areas you’re dealing with. We have such a big number, and growing number, of regulations that are driving the controls and the mechanism that companies need to implement, and all that increases the complexity of how we protect data.”

Lack of visibility. IT organizations often don’t know all the cloud services being used by employees, who can easily bypass enterprise IT to buy Software-as-a-Service offerings or other cloud-based services on their own.

“So, we’re trying to protect data, we’re trying to protect service, and we’re trying to protect the business, without having a clear understanding of the data’s location,” Dimitriadis says.

New threats. Enterprise security leaders also should recognize that the emerging of multi-cloud environments could give rise to new threats, says Jeff Spivey, founder and CEO of the consulting firm Security Risk Management Inc.

“We’re creating something where we don’t know all the vulnerabilities yet, and we might discover those as we go along,” he says.

Building a multi-cloud strategy

A number of security best practices have emerged alongside the growth of the multi-cloud environment, security experts say, and there are several critical steps that all organizations should take as they develop their own security strategies.

That starts with identifying all the clouds where data resides and ensuring the organization has a robust data governance program that “has a full picture of data and what IT services and assets are related to the information,” Dimitriadissays.

Dimitriadis, who in addition to his ISACA post is also head of information security, information compliance and intellectual property protection at INTRALOT Group, a gaming solutions supplier and operator, acknowledges that these security recommendations aren’t only offered for multi-cloud environments.

However, he says having such foundational measures in place becomes more critical as data moves to the cloud and spreads out across different cloud platforms.

Statistics point to the reasons why having a strong security base is so important: The 2018 Cloud Threat Report from KPMG and Oracle, which surveyed 450 cybersecurity and IT professionals, reports that 90 percent of firms classify half their cloud-based data as sensitive.

The report also found that 82 percent of the respondents are concerned that employees don’t follow cloud security policies and 38 percent have issues detecting and responding to cloud security incidents.

To counteract such situations, enterprises should classify information to create stratospheres of security, says Ramsés Gallego, a leader within ISACA and astrategist and evangelist at the Office of the CTO at Symantec. This measure recognizes that not all data requires the same level of trust and verification to access or lock down.

Security experts also advise enterprises to implement other conventional security measures as necessary foundational layers for securing multi-cloud environments. In addition to a data classification policy, Gallego recommends the use of encryption and identity and access management (IAM) solutions such as two-factor authentication.

Enterprises then need to standardize their policies and architecture to ensure consistent application and automate as much as possible to help limit deviations from those security standards, says Sailesh Gadia, a partner in KPMG’s Emerging Technology Risk Services practice who leads the firm’s cloud risk consulting practice.

“The level of effort a company puts in should depend on the risk to and the sensitivity of the data. So if you’re using cloud for non-confidential data storage/processing, then you don’t need the same security approach as a cloud that’s holding the crown jewels.” Gadia says.

He notes, too, that standardization and automation create efficiencies, which not only reduces total costs but allows security leaders to direct more resources to higher-value tasks.

Such foundational elements should be part of a broader, cohesive strategy, experts say, noting that enterprises do well when they adopt a framework to govern security work. Common frameworks include NIST from the National Institute of Standards and Technology; ISACA’s Control Objectives for Information Related Technology (COBIT); the ISO 27000 Series; and the Cloud Security Alliance’s Cloud Control Matrix (CCM).

Setting vendor expectations

The selected framework should guide not only the enterprise but also the vendors, Dimitriadis says.

“What we need to do [is] incorporate those into the agreements with the cloud providers. Then you will be able to build controls around the data and services that you’re trying to protect,” he explains.

Security experts say negotiations with cloud providers and the subsequent agreements on services should address the kind of data isolation to be provided, where data is stored and who on the vendor side can access it, and how the vendors should respond if issues arise – including how they’ll cooperate and coordinate with the other cloud vendors providing services to the enterprise.

“Be specific about what the expectations are and how they will be measured,” Spivey adds. “There has to be a clear understanding of what services you’re getting from each provider and whether they have the capability and capacity to manage and govern it.”

But don’t abdicate too much security authority to cloud providers, Gallego says.

Cloud vendors often sell their services by highlighting the work they do on behalf of enterprise clients, and while that work does include security services, Gallego notes “that’s not enough. They’re in the business of cloud, they’re not in the business of security.”

Therefore, he says, enterprise security leaders must formulate their security plans to a granular level – “who has access to what when and how,” he says – and then put it to each cloud provider to assist in enforcing those plans.

He adds: “Cloud providers need to earn our trust.”

Employing emerging technologies

Policies, governance and even conventional security measures such as two-factor authentication – while all essential – are not enough to handle the complexities that come with spreading workloads across multiple clouds, however, according to security experts.

Enterprises must adopt the emerging technologies designed to enable enterprise security teams to better manage and enforce their multi-cloud security strategies.

Gallego and others point to solutions such as cloud access security brokers (CASBs), on-premises software that the enterprise places between itself and cloud service providers to consolidate and enforce security measures such as authentication, credential mapping, device profiling, encryption and malware detection.

They also list artificial intelligence technologies that learn from and then analyze network traffic to more accurately detect anomalies that need human attention, thereby limiting the number of benign incidents resources must investigate and instead redirecting those resources to the incidents most likely to present problems.

And they cite the continued use of automation as a critical technology for optimizing security in a multi-cloud environment. As Spivey notes: “Those organizations that succeed are those that automate a lot of the pieces and concentrate on governance and management.”

Additionally, Spivey and others say that although the exact technologies used to secure data cross multiple clouds, such as CASBs, may be unique to multi-cloud environments, they stress that the overall security principle follows the long-held approach of addressing people, process and technology to formulate the best strategy.

“We’re talking about different technologies, different scenarios, a little more focus on the data, but it’s the same concepts you have to implement,” says Perez-Etchegoyen, who is also CTO of Onapsis. “The technical approach will be different for a multi-cloud environment, but the overall strategy will be the same.”