momius - Fotolia

Do multiple cloud accounts provide security benefits?

Some experts believe establishing multiple cloud accounts for each enterprise project or workload can provide security benefits. Dan Sullivan explains what those benefits are.

I've read about security authorities who support the idea of an enterprise having multiple cloud service accounts for each project and environment. As a security best practice, the idea is to keep each project or environment isolated from others so that in case of a breach, an attacker can't move laterally. Is this a sound strategy? What are the drawbacks of having multiple cloud accounts?

Separation of functions is a sound principle when it comes to keeping developer environments isolated from tester environments, which in turn should be separate from production environments. For example, developers writing code should not be able to deploy that code themselves, or at least not without some kind of gatekeeping operations to prevent an insider from deploying malicious code.

In the cloud, a cloud administrator could implement controls over subnets, object storage and deployment tools to prevent a developer from rolling out unapproved code. This best practice works as long as there are no misconfigurations or other vulnerabilities. It also assumes that the developers have limited privileges. It often makes sense to give at least some developers elevated privileges in a development environment. For example, they may need root privileges to install libraries or apply patches on their development instances. These kinds of exceptions that require a more relaxed security posture in return for more efficient software development is one reason for isolating development, test, user acceptance and production environments.

In addition to segmenting environment types, it is important to segment by project or business function. Separate cloud accounts for different projects or departments can help limit the exposure of the infrastructure in each account. If, for example, a system administrator fails to patch a server and it is attacked and exploited, only the resources accessible from the compromised instance will be vulnerable. Servers and other resources in separate cloud accounts are isolated and inaccessible.

Of course, there are more pieces to manage. Cloud administrators will have to ensure all accounts are applying a consistent set of policies and controls. Automation is the key to ensuring consistency within and across multiple cloud accounts.

Next Steps

Learn how to prepare for security risks when using cloud database services

Discover how to overcome multicloud management challenges

What you need to know to manage multiple AWS accounts

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices