Multicloud security: How to secure your cloud infrastructure and keep the hackers at bay

A move to multicloud can deliver benefits to your organisation, but it also brings additional risks if not configured correctly.
Written by Danny Palmer, Senior Writer

More and more organisations are using cloud computing, and increasingly they are also starting to realise that it's a good idea to use a variety of different cloud providers across the organisation.

This 'multicloud' strategy -- using more than one cloud provider -- means that they are choosing to spread their operations across public cloud services such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP).

Many are also deploying private clouds, as well as cloud-based software-as-a-service (SaaS) solutions offered by the likes of Salesforce, Workday and many more.

SEE: Cloud v. data center decision (ZDNet special report) | Download the report as a PDF (TechRepublic)

There are benefits to embracing a multicloud strategy, as organisations can more easily choose the specific services they need, with more flexibility than if they were locked into one vendor's platform.

It can also provide additional resilience for organisations. In the event of one cloud provider being hit with an outage, perhaps due to the weather, power failures or a DDoS or any other type of cyberattack, spreading applications across a range of provides means that a company's whole infrastructure is less likely to be forced offline at once.

Multicloud security challenges

However, deploying a multicloud environment isn't without its challenges, especially when it comes to security. There are already numerous instances of organisations misconfiguing cloud environments to such an extent that sensitive files have been left publicly facing the internet, and with multicloud comes more potential for this to happen, if only because there are more opportunities for error.

"As you have a bigger and more disparate environment, it brings a challenge. It allows you to innovate really quickly because you're spending less time on commodity infrastructure and services, but it also gives you a potentially larger vulnerability landscape," says James Hodge, chief technical advisor for EMEA at Splunk.

"The unintended consequences of having an amazing capability to build on top of, is having a huge landscape to secure," Hodge adds.

Misconfiguration of a multicloud environment could therefore make it easier for cyber criminals and hackers to target your organisation -- but that's only if the environment is set up poorly.

If the IT and security teams can get hands-on with the environment and get to know what's really there, they can make big steps towards correcting any errors. That's assuming that IT knows about all the services being used, something which is not guaranteed as many business units and even individual workers are happy to start using new cloud services without telling the IT department.

"We're still in a situation where we need viability before we can do anything, and if we don't know the services that are in use, then it's no surprise when there are security holes," says Nigel Hawthorn, data privacy expert at McAfee. "IT needs the power and visibility to take control of services that may be seen as relatively benign."

Those deciding on cloud providers should also discover where the services operate from. In order to mitigate the risk of a security incident or downtime taking multiple services offline, for example, you need to ensure that the services aren't based on the same infrastructure at the same data centre hub.

"You've got to realise that the single point of failure might not be what you think: you don't want to have contracts with two service providers and find they're both hosted on the same infrastructure," Hawthorn says.

A multicloud environment also brings another challenge: ensuring that the users are secure in the environment and have access to what they need -- but don't have access to data or services they're not authorised to access, which could potentially lead to security risks.

"The most fundamental security challenge when it comes to securing a multicloud environment is how to allow users access in a consistent fashion without compromising security or giving them access to resources they're not authorised to view," says Paul McKay, senior analyst on the security team at Forrester.

This can become problematic in a multicloud environment, as many providers will have their own authentication methods and mechanisms for securing their own systems. Different solution providers' means of securing their environments can be mutually incompatible -- or even incompatible with the software that organisations use to manage this issue.

"Managing that tension is an important thing to try and counter," McKay says.

Multicloud security advantages

But if this can be managed by using the right tools or employing the right training, there are advantages to a multicloud environment that can help to bolster overall security, and help to more quickly identify suspicious activity on the network.

"If you bring strong governance behind your cloud environments, it becomes much easier to see what's inside those environments. So if you do have someone spin up AWS instances, you can quickly identify something has happened and act," says Hodge.

"In a traditional data centre, it can be a lot harder to notice those changes because all of it's in your control, whereas in a cloud environment, it becomes a lot easier to understand what's inside and outside your boundaries," he adds.

SEE: The future of Everything as a Service (free PDF)

If managed properly, a multicloud environment can also help organisations root out problems associated with legacy systems.

"In an existing on-premises environment, there's a lot of legacy debt that has been set up as a result of things that were done 20 or 30 years ago which are now difficult, costly or impossible to secure," McKay notes.

Of course, a cloud provider can never 100 percent guarantee security of their environment -- but it's their core business.

That's why they have huge teams dedicated to security, which might be able to a better job than an organisation can do with its own cloud or data centre services -- and that's a tempting reason for organisations to switch to a cloud or multicloud environment.

"A well-secured and well-managed cloud environment is more secure than a badly configured, not-well managed on-premises environment," McKay says.


Editorial standards