Q
Manage Learn to apply best practices and optimize your operations.

Do multiple cloud accounts provide security benefits?

Some experts believe establishing multiple cloud accounts for each enterprise project or workload can provide security benefits. Dan Sullivan explains what those benefits are.

I've read about security authorities who support the idea of an enterprise having multiple cloud service accounts...

for each project and environment. As a security best practice, the idea is to keep each project or environment isolated from others so that in case of a breach, an attacker can't move laterally. Is this a sound strategy? What are the drawbacks of having multiple cloud accounts?

Separation of functions is a sound principle when it comes to keeping developer environments isolated from tester environments, which in turn should be separate from production environments. For example, developers writing code should not be able to deploy that code themselves, or at least not without some kind of gatekeeping operations to prevent an insider from deploying malicious code.

In the cloud, a cloud administrator could implement controls over subnets, object storage and deployment tools to prevent a developer from rolling out unapproved code. This best practice works as long as there are no misconfigurations or other vulnerabilities. It also assumes that the developers have limited privileges. It often makes sense to give at least some developers elevated privileges in a development environment. For example, they may need root privileges to install libraries or apply patches on their development instances. These kinds of exceptions that require a more relaxed security posture in return for more efficient software development is one reason for isolating development, test, user acceptance and production environments.

In addition to segmenting environment types, it is important to segment by project or business function. Separate cloud accounts for different projects or departments can help limit the exposure of the infrastructure in each account. If, for example, a system administrator fails to patch a server and it is attacked and exploited, only the resources accessible from the compromised instance will be vulnerable. Servers and other resources in separate cloud accounts are isolated and inaccessible.

Of course, there are more pieces to manage. Cloud administrators will have to ensure all accounts are applying a consistent set of policies and controls. Automation is the key to ensuring consistency within and across multiple cloud accounts.

Next Steps

Learn how to prepare for security risks when using cloud database services

Find out the best way to manage billing for multiple cloud accounts

Discover how to overcome multicloud management challenges

This was last published in March 2016

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What are the best ways for cloud administrators to segment and isolate instances and projects?
Cancel

-ADS BY GOOGLE

SearchSecurity

SearchCloudComputing

SearchAWS

SearchCloudApplications

SearchServerVirtualization

SearchVMware

ComputerWeekly.com

Close