Jeroen Mulder, author of Multi-Cloud Architecture and Governance, equated setting up a multi-cloud environment to setting up a smartphone.
"When I take my new phone out of the box, it's virtually unusable," he said. "To make it functional, I first have to connect it to the internet. Then, I need to download applications, and I need data -- like my contacts or photographs -- to make it personalized. Finally, I enable facial recognition and other measures to make sure nobody other than myself can use it."
The same applies to the concept of multi-cloud, said Mulder, head of applications and multi-cloud services at Fujitsu in the Netherlands. Operating complex environments across multiple platforms requires a comprehensive strategy to handle connectivity, applications, data and security, he said.
In his book, published by Packt, Mulder explains how knowledge of enterprise architecture is central to building a multi-cloud strategy that is grounded in the business's goals -- and why it belongs in the security strategy, especially.
Here, Mulder details how his background as an enterprise architect informs his approach to security -- and his book -- and offers strategic career advice to cloud and security professionals.
Editor's note: This transcript has been edited for length and clarity.
Why did you write Multi-Cloud Architecture and Governance?
Jeroen Mulder: My previous books were all about applications. But you need something for these applications to land on -- that's where infrastructure comes in. There was no available book that described how to set up the data center concept in AWS, Azure or GCP [Google Cloud Platform], especially not one for using different clouds. So, I decided to write one myself.
I started off with a comparison between the three main public clouds. But I discovered I was doing exactly what I advise my team against: starting from the technology base. That's when I stepped back to think like an enterprise architect, which resulted in the first section of the book's focus on multi-cloud governance and architecture. It's critical to plan your multi-cloud strategy with the business perspective and architecture frameworks in mind before the security technology.
What is the most common misconception about multi-cloud security?
Mulder: Many companies still think as soon as they move to a hybrid, public or multi-cloud environment that they're protected by default -- which is obviously not the case. The only thing these platforms do is provide a toolbox with which you can start protecting and securing your environment. This is no different than how we did security in the old, traditional world.
Companies need to stop thinking they can stop attackers from entering their systems. They can't -- thinking otherwise is a waste of time. But, when you start thinking about breaches as inevitable, you can plan how to respond and how to protect the assets inside the security perimeter. For example, put steps in place that will make stolen data unusable once it's in the hands of attackers.
Securing assets inside the perimeter is especially important in multi-cloud environments because you don't always have a complete view of your assets. Many customers do not know that their services are running in different parts of the world. It's not your data center anymore; it's virtually all over the globe.
How can enterprises address and prevent cloud sprawl?
Mulder: Cloud sprawl increases the complexity of security. To prevent sprawl, best practice is to keep everything as single stack as possible, but that's not the world we're living in right now. We're living in a multi-cloud world. And back to the phone analogy: When I open my phone, I'm using many different applications -- from Google, Apple, Microsoft and others from around the globe -- but keeping them secure is up to me. It's my responsibility to make sure that I'm the only person with access to my phone -- for example, by enabling Face ID authentication.
Multi-cloud security best practice starts conducting an inventory of assets and identities. Know who is in your system and why. Note that identity can apply to a service, application, API that collects data or even software. When you perceive these as identities, it's easier to think of ways to protect data and applications.
How does your enterprise architect training influence your multi-cloud security approach?
Mulder: Companies need to learn how to do enterprise architecture -- multi-cloud security is about more than technology. Yes, firewalls are a security no-brainer, but security doesn't start with the firewall -- it starts with governance. Who's eligible to enter what systems? Where do we need to secure the systems, and at what level, and why? After governance, think about data, then applications and then technology. Enterprise architecture is about focusing on the bigger picture and determining if and how technology can add value to the business.
I can build the highest virtual wall around any part in my cloud environment to make it secure, but doing so may make it completely unusable. There needs to be a balance between protection and usability.
What nontechnical skills are important when working with multi-cloud environments?
Mulder: Being patient and listening to your customers is important from a governance perspective. Understand that your credibility is why you were invited to have the relationship with the customer, so be confident but not arrogant. You need to be able to explain things in a calm manner and always be ready to adopt new opinions.
Was there anything you learned in the process of writing this book that surprised you?
Mulder: I was using and learning the three platforms -- AWS, Azure and GCP -- on three different monitors. It's interesting to see what similarities overlap and what aspects are completely different across the platforms. I knew AWS and Azure before writing this book, but GCP was new to me.
The Google Cloud Console is basic. The first time I opened GCP, I thought to myself, 'Where is the rest of the menu?' I started off with the Cloud Console, not with the scripting or PowerShell. It's very time-consuming, but for the book, I had to do everything from consoles. Initially, it felt like I had gone back in time 10 years and was programming Unix again. But what surprised me was how powerful it was. I could do things in GCP that I never imagined -- that was one big discovery for me.
Which certifications should security architects working with multi-cloud environments pursue?
If you're entering the cloud, it doesn't really matter where you start. You can begin with AZ-900: Azure Fundamentals or any of the AWS fundamental certifications, for example. All cloud adoption frameworks cover identity, security, cost management and governance. Whether for AWS or Azure or GCP, the only way the cloud fundamental courses differ is in the technology. They may look different under the hood, but learning the generic public cloud concepts can enable you to work in any cloud.
About the author
After studying journalism, Jeroen Mulder started his career as an editor for Dutch newspapers. In 2000, he joined the IT company Origin, later acquired by Atos, as a communication specialist in cross-media platforms. At Origin and Atos, he fulfilled a variety of roles, most recently as a principal architect. Since 2017, he has been working for Fujitsu, where he boarded as senior lead architect. In 2020, he was promoted to head of applications and multi-cloud services for Fujitsu in the Netherlands. Mulder is a certified enterprise and security architect, concentrating on cloud technology. This includes the architecture for cloud infrastructure, serverless and container technology, and application development, as well as digital transformation using various DevOps methodologies and tools.