Multicloud strategies are the de facto standard across enterprise IT these days, as companies depend on numerous cloud vendors and software-as-a-service (SaaS) solutions. Indeed, research firm IDC predicts that more than 90% of companies will depend on multicloud infrastructures by 2022, as the COVID-19 pandemic drove home the urgent need for business agility.
Cloud was also supposed to simplify life in IT—speed, flexibility, scalability. And in many ways, cloud does provide those benefits. But the growing mix of public and private clouds and SaaS applications in use at most companies also adds complexity. And complexity makes cybersecurity more difficult. According to Flexera’s 2021 State of the Cloud report, security is the top challenge facing organizations, cited by 81 percent of respondents.
The security challenges presented by multicloud strategies are on the rise. Instead of protecting one defined internal infrastructure, companies now must secure a disparate environment spread across different providers that use different approaches and technology for ensuring security. This network of services not only imposes technical borders between providers, but also increases the threat footprint, giving bad actors a wider area of opportunity and increasing the risk of non-compliance with various data privacy regulations. Companies are left trying to cobble together a cohesive method of determining whether the individual security offered by each vendor is sufficient, and what additional safeguards may be needed. Moreover, vast disparities in security monitoring functionality, as well as a lack of industry standards, make it difficult for security teams to gain a clear view across this interconnecting web of services and systems. Many security teams resort to custom-engineered tools, an expensive and complicated undertaking.
Cutting Through Complexity
How can companies build a multicloud strategy that cuts through security complexity? There are a number of options, including the following:
Better standards. One way to do this is to create and promote technical standards that can be universally adopted by cloud providers, such as the work being done by the ONUG working group behind the Cloud Security Notification Framework (CSNF). The group’s goal was to examine the disparity of security notification services between Cloud Service Providers (CSPs) and find a way to build standardization and a common syntax. According to the group’s working paper, “Lack of standardized security reporting inhibits automation and enterprise controls of their CSP resources. In short, CSNF provides security teams an important tool to increase staff productivity plus visibility across CSPs and on-prem infrastructure.”
Common processes and monitoring capabilities. Companies must align not only security processes, but also tooling and monitoring capabilities to account for a digital infrastructure that incorporates not only multiple cloud service providers but also on-premises data centers. This is not a one-size-fits-all endeavor, as building a security toolkit for an enterprise’s custom mix of cloud and SaaS environments requires detailed analysis of the interconnections and dependencies in order to create security visibility that encompasses the entire environment.
Integrated governance. Enterprises need a common networking and security governance program that works across all the cloud services and SaaS in use. Such a governance framework should be baked into the selection and onboarding of cloud technologies, to make sure that security monitoring takes place even as new vendors are added to the multicloud ecosystem and that the right tools are being deployed appropriately to maintain a consistent cloud security architecture.
Invest in automation. The reality is, security teams are often overwhelmed by the level of alerts generated across a multicloud environment and must find a way to scale incident response to keep pace with multicloud growth. This is particularly true in light of the fact that incident response times are often tied to regulatory compliance windows, adding further pressure. By automating lower-level incident responses, security teams can turn their attention to more complex scenarios.