Don't let multi-cloud multiply your security problems
Amazon Web Services, Microsoft Azure, Google Cloud – how to select the right platform? You don't have to choose: many organizations are increasingly spreading the infrastructure of their applications over multiple cloud platforms. Some companies end up in a multi-cloud situation because of acquisitions and mergers, but some choose multi-cloud as an intentional strategy, because it helps you to avoid vendor lock-in, allows to use the best features from each platform, and helps to get a better return on investment – if you do it right. On the other hand, multi-cloud can actually multiply your security problems as the infrastructure becomes complex, your visibility to the environments is lacking, and nobody understands the big picture. Let's take a look at some multi-cloud pain points and what you can do to address them.
Bridge the skills gap
New cloud service features come and go rapidly enough within one cloud service provider, let alone in a multi-cloud environment. Because the terminology and logic differ between all the cloud services, being skilled, for example, in AWS doesn't necessarily mean that you know all the tricks in Azure or Google Cloud. Investing in training your employees is likely to pay off with less hassle and security gaps.
You can explore the fundamentals of each platform from a variety of video tutorials and online courses offered by the cloud providers themselves. Typically, there are different types of courses based on your previous knowledge and your work role. Many of the tutorials are free but may require you to register. Examples of self-paced learning material include:
For instance, Udemy, Coursera, and other online learning platforms have free and low-cost courses about the cloud.
Understand your infrastructure
You can't protect something if you don't know it exists. Multi-cloud environments make the infrastructure more complicated, and it can be challenging to grasp what kind of instances, networks, databases, data lakes, Buckets, and Glaciers do you have. You can quickly end up in a cloud sprawl where your overlapping services and licenses inflict unnecessary costs. Furthermore, it becomes tough to ensure that your environment is sufficiently protected.
Threat modeling is a great way to analyze your cloud environment for security gaps, considering the architecture and network security within one cloud ecosystem as well as all the external integrations. On top of examining the architecture, you should check encryption settings, security monitoring, and software development security.
Another danger we have seen in large systems spread over multiple cloud services is that people can be very knowledgeable about their specific subject area, but nobody understands the big picture. Typically, documentation is also lacking. Lack of knowledge and documentation can especially be dangerous if people change jobs. Threat workshops will reveal pretty quickly, who has the know-how and is it only in someone's head.
Take a bird's eye view
Visibility to the cloud environments is one of the pain points already with just one cloud service provider. As the infrastructure gets more complicated, so does availability and security monitoring. Many organizations content to separately monitoring the cloud platforms with their native tools. This approach can have blind spots and leaves a lot to be desired regarding the correlation of events. Centralized logging and looking for anomalies across the whole system helps to identify problems earlier.
Get a grip of Identity and Access Management
One cloud: you need to handle the authentication of all administrators, developers, and other user accounts and authorizing them to use the resources and services. Multiple clouds: Multiply the work. Also, you need to set up accounts to connect your cloud services and grant access across the whole multi-cloud environment. Each cloud service provider has slightly different terminology, features, and logic for identity and access management (IAM). That's why getting all the roles, least privilege restrictions, conditional access, credential rotation, and access revocation settings right requires time, perseverance, and probably the aid of an IAM specialist.
Keep testing to stay secure
Cloud services evolve rapidly, and your once current security policy might become old probably sooner than later. New vulnerabilities are published daily, cybercriminals keep developing new attack methods, and perhaps your applications will be expanded with new features. Cybersecurity is not a one-time-thing – you need to continuously scan your environments and test your systems to make sure you are secured and compliant, and will also stay compliant.
Want to learn more about securing your cloud and minimizing risks? Download our whitepaper, Your to do list for a secure cloud, and learn how to secure your cloud environments.