Enterprises are adopting a multi-cloud model due to the benefits it brings, but business leaders often fail to prepare for new cybersecurity risks that may occur if the model is managed improperly. The shift to cloud computing applications grew significantly during the pandemic as organisations rushed to adapt to remote working.
As businesses continue in the new normal, IT teams may never return to fully on-premises environments. Most commonly, they are switching to either a permanently remote model or a hybrid one to accommodate employees. Though convenient to now access corporate applications and confidential information from anywhere, it means cybercriminals can more easily exploit things. In addition, the increased use of multi-cloud applications and services brings security risks.
Shift to cloud
Although the shift to cloud computing has accelerated over the last two years, it is not a new phenomenon. As Agile and DevOps methodologies became more popular, teams saw the cloud as the future. Over the last decade, enterprises gradually began making the switch due to application developers’ need to work with greater speed on coding. Their work was stunted by sluggish digital infrastructures, which they relied on for support, especially in the move from development to testing to production.
It is easier than ever for enterprises to take a multi-cloud approach as Amazon Web Services (AWS), Azure, and Google Cloud Platform all share customers. AWS started as an in-house platform for the e-commerce giant before evolving into an independent business. On the one hand, it offers companies access to new levels of computing power. But on the other hand, there are also underlying risks of relying on a singular provider – vendor lock-in. Cloud adoption opened up new options and inspired more start-ups, vendors, and specialist providers to enter the market. To stay ahead of the game, organisations are developing a multi-cloud, multi-year strategy, leveraging IaaS (Infrastructure as a Service), SaaS (Software as a Service), and PaaS (Platform as a Service).
The popularity of multi-cloud and hybrid-cloud lies in their ability to use several different public and private clouds to provide benefits when it comes to agility and combining different providers to optimise environments and workloads throughout the organisation. If one cloud service suffers an outage, such as the major AWS outages in December 2021, businesses can continue operating as there are other, multiple services to fall back on.
Indeed, a multi-cloud approach brings diversification benefits, but at the same time, the cyber risks become more complicated. It becomes more difficult to ascertain the identity of a person, service, or machine and therefore access to the relevant data or capability. The security paradigm should shift from devices and boundaries to identity.
Secure identities
According to Sandy Bird, CTO and Co-Founder of Sonrai Security, identity goes beyond people. “When we talk about identity, we always think of people. But it is not, of course. Sometimes it is a machine; sometimes, it is a cloud service. It could be many different things.” He puts great emphasis on companies to ensure efficiently and safely all those ‘identities’ can access a resource and plan for what happens when a bad actor takes over an identity.
Cyber vulnerabilities will increasingly take advantage of and occur when there are identification gaps in poorly architected multi-cloud systems; this creates an opportunity for bad actors to infiltrate. There is a lack of communication and alignment on priorities between teams – for example application teams power ahead and leave the security and compliance teams scrambling to protect their digital footprint across several clouds. Organisations cannot afford to fall behind on cyber resilience in the multi-cloud environment; as cloud complexity and identities increase, clouds must be appropriately configured and monitored.
Business decision-makers are easily mistaken to believe the cloud is a ‘quick fix’ to save time and costs, enhancing operational speed and performance. However, cloud migration and multi-cloud environments need to be constantly monitored, managed, and updated – they are a long-term investment. Otherwise, all efforts will be dwarfed by the financial, reputational, and material fallout of cyber vulnerabilities caused by poorly architected clouds, which result from a lack of foresight over how to govern identity and access in a fragmented cloud environment. CSOs, CTOs, and digital transformation officers should make intra-cloud cybersecurity part of their multi-cloud blueprint, not a bolt-on project afterwards.
The C-suite and security teams need to be aware of what software and services are used across the business. If IT is procuring multiple cloud services, it can be difficult to keep track, but knowing the extent of the infrastructure is critical to cyber resilience. To successfully execute intra-cloud resilience, organisations need greater visibility into their clouds to establish a suitable protocol for controlling how data can be accessed and by whom. This will help to create graphical visualisations of how data and identities are intertwined to ensure maturity levels can be baselined and enforced. Focus priorities on identity, data classification, and entitlement (access) enforcement as standard controls for the multi-cloud security strategy. Cybersecurity must be integrated into the business cloud roadmap. ‘Shifting left,’ designing security upfront into the process, is critical in this new operating model.
Organisations are shifting to a multi-cloud architecture to hedge their risks and harness a wider range of capabilities but often underestimate the challenges of verifying identity in a fragmented cloud environment. Cloud migration is too often a crude ‘lift and shift’ approach, shipping on-premises legacy infrastructures into the cloud without considering emergent risks. Most businesses will use more than one cloud and therefore need to consider the right architecture and strategy to maximise benefits: without compromising operational and cyber resilience. Executives and the C–suite consider the cloud as a win-win approach, lowering costs, and increasing performance. As the cloud environment becomes more complex, they may be underestimating the impact of emergent vulnerabilities on revenue, brand reputation, and customer trust.
