Multi-Cloud Security Best Practices
Author By Dr. Varin Khera
Introduction
Since the beginning of the COVID19 pandemic, the world has witnessed a radical change in how enterprises conduct their regular work. For instance, many companies have adopted the remote-working model to remain operational during the lengthy lockdown. To facilitate the new working model, cloud adoption across all industries and enterprises sizes was accelerated to cope with the new wave.
Shifting data, applications, and systems to the cloud bring numerous benefits for their adopters, such as increased scalability, enhanced efficiency, and reduced cost, to name only a few; however, all this comes with a security price. The wide adoption of the cloud computing model has expanded enterprises’ cyber-attack surfaces and made them more vulnerable to cyber threats.
This article will list the major cyber threats facing enterprises when adopting the multi-cloud model and suggest countermeasures to mitigate and prevent these threats. However, before I begin, let me briefly introduce the concept of multi-cloud and differentiate it from another similar term, “hybrid-cloud”.
Defining Multi-cloud
Multi-cloud is a cloud computing model that utilizes services from more than one public cloud provider in one architecture. For example, using cloud services (more than one) from more than one public provider, regardless of the current private or on-premise infrastructure.
The following is a practical example of a multi-cloud deployment:
You are using a cloud service from Amazon to host your Marketing application, your employees are happy with the application, however, after a while, they demand more features that are only available on other cloud providers. To fulfill their new needs, you used additional cloud services from Google cloud. This type of deployment is considered a multi-cloud.
Some people confuse between the multi-cloud and hybrid cloud terms. For instance, a hybrid cloud environment includes using cloud services from different sources: on-premise, public, and private clouds and they all work in harmonization. In contrast, the multi-cloud includes using one cloud deployment -of the same type- from more than one vendor, whether this vendor was public or private.
Cyberthreats Against Multi-Cloud Systems
Securing multi-cloud environments is more challenging because data is scattered across different applications, microservices, and middleware belonging to different cloud vendors located in different locations. Many enterprises use on-premise infrastructure and their multi-cloud instance, which further complicates the process and introduces different security challenges.
Configuration Errors
When using cloud services from different providers, different security and privacy settings need to be configured. Even the best IT administrator makes mistakes in such a complex environment, opening the door for threat actors to do nefarious things.
Users Access Controls Challenges
Governing users’ authorization and access privileges are complex in multi-cloud environments. For instance, you need to provide a streamlined way to allow users to move between different applications without the need to require logging in multiple times to grant access to each cloud resource. Enforcing security policies on all users and external parties (such as third-party vendors and suppliers) is also challenging in such an environment.
Cloud Visibility
A major challenge with cloud adoption is the lack of visibility. In the cloud, visibility means the ability to monitor all digital interactions in your cloud environment, which enable you to detect security threats and any performance issues and address them as quickly as possible.
In the cloud, visibility depends largely on the cloud provider because clients do not have direct access to the underlying IT infrastructure supporting their cloud services.
API Security
In multi-cloud deployment, a single application could use API’s and dependencies hosted or managed by another cloud provider. This increases the difficulty of keeping all components up to date to avoid leaving any security vulnerabilities that threat actors can sneak in through it.
Data Protection Regulations
Data becomes the lifeblood of enterprises that cannot work anything without it. In most enterprises, a significant amount of data is sensitive, such as Personally Indefinable Information (PII), Patients Health Information (PHI), and financial information, such as payment and credit card records. Securing such information in a multi-cloud environment is complex. For instance, data need to be processed by different cloud providers, located in different geographical locations and subject to different jurisdictions.
Different Security Levels
When using services from more than one cloud provider, each one will have its security strategy, and you have to work according to it. For instance, security is a shared responsibility between the provider and the client in the cloud. When using services from more than one provider, you will not get the same security level from each one, which requires additional care when planning your cloud cyber defenses.
How To Protect Your Multi-Cloud IT Environment?
After listing the main security challenges that we are going to see in a multi-cloud environment, let us see how we can mitigate and prevent them.
Use A Reliable Cloud Provider
The first thing you need to consider is using a reliable cloud provider. Although the cloud market is dominated by giants companies, such as Microsoft, Amazon, and Google, small providers also exist and excel in providing niche services. Regardless of the provider’s name, ensure your future cloud provider meets the following key criteria :
1. Ensure the provider complies with major data protection regulations and standards, such as GDPR, HIPAA, PCI DSS, and ISO 27001.
2. Ensure the IT systems utilized by the cloud provider works with your existing systems in your on-premise environment.
3. Ask your future cloud provider about its third-party vendors’ relations. For instance, some cloud providers may use services from other third-party providers that you may not want to deal with (for example, located in restrictive countries or in jurisdictions that violate your enforced data protection regulations).
4. Ensure the cloud provider services level agreement is created according to the latest ISO standards for Service level agreements ISO/IEC 19086–1:2016.
5. Ask detailed questions on how your cloud provider will manage and handle the security issues, including the type of security solutions installed.
Use Automation Where Possible
To reduce the likelihood of security misconfiguration in a multi-cloud environment, use automated deployment tools to install and configure cloud services. This will efficiently reduce the number of cloud misconfiguration errors.
Install Advanced Security Solutions
To monitor all digital interactions across your IT environment, including your cloud deployments, install a Network Detection and Response (NDR) solution.
Tailor Your Access Controls Around Your Enforced Compliance Regulation
If your industry standards (such as GDPR, PCI DSS) impose specific access controls, follow them strictly when choosing your cloud provider.
Use IAM Solution
Identity and Access Management (IAM) solution allows using a centralized solution to store all users access credentials and their authorization level to access the various cloud resources. This simplifies managing users’ access across all multi-cloud instances and prevents many security threats caused by inadequate users access management.
Encrypt Data
As a rule of thumb, any sensitive data sent to the cloud should be encrypted first, while at rest and in transit. The challenge appears when using cloud applications to manipulate sensitive data, such as customer PII, because it requires decrypting this data before manipulating it, making it vulnerable to different cyber threats while processing.
Homomorphic encryption is a modern algorithm that allows processing or manipulating encrypted data without the need to decrypt it first. This technique should be employed to process highly sensitive data in the cloud.
Summary
The benefits of using the multi-cloud model become evident; however, its security implications lower its benefits if mishandled. In this article, I tried to mention the prominent security challenges enterprises face when adopting the multi-cloud model and suggest prevention measures. However, the most suitable solution begins with deploying a multi-cloud management solution to have complete visibility over cloud interactions; this will efficiently mitigate many risks associated with utilizing a multi-cloud model in your IT environment.
