Organizations across industries rely on public cloud computing for a significant portion of their workloads. The flexibility, cost efficiency, redundancy and security of cloud infrastructure providers makes it attractive to organizations of all kinds. From banks and healthcare providers to technology companies and retailers, firms depend on cloud computing to carry out core business functions.
However, as these organizations perform risk assessments, they often worry that using a single cloud provider might create a single point of failure (SPOF) in their environments. Multi-cloud security architectures aim to eliminate this SPOF by enabling the rapid shifting of workloads between cloud providers, but is this approach in fact a benefit from a security perspective?
Here, compare the differences between single cloud and multi-cloud security.
3 multi-cloud security challenges
Multi-cloud simplifies to the least common denominator. The ability to shift workloads between cloud providers seems quite attractive on its face, but this approach commoditizes cloud providers. For organizations that need the ability to seamlessly shift workloads among AWS, Microsoft Azure and Google Cloud Platform, workloads must be designed to not use any unique value-added services offered by those providers. This prevents organizations from taking advantage of higher-level security services and other technical enhancements offered by the major providers.
Additionally, multi-cloud work requires multi-cloud experience. Many organizations have only just recently implemented employee retraining initiatives designed to bring technical staff up to speed on a single cloud provider. These significant undertakings highlighted the broad diversity of services offered by the organization's provider of choice. Operating in a multi-cloud environment requires training staff to work in both environments, which is a costly investment of human resources.
Third, multi-cloud management brings additional technical complexity. Unsurprisingly, cloud vendors do not make it easy to shift workloads to their competitors. If an organization chooses to operate multiple cloud vendors, it must also manage the orchestration of workloads across providers. Additionally, companies must build a layer of security tools that can ingest, correlate and act upon information arising across those environments.
Single cloud vs. multi-cloud security is about quality over quantity
It is important to note that using a single cloud provider may not necessarily present a SPOF. While it is easy to claim that using a single vendor represents a SPOF, is that indeed the case? For example, organizations are unlikely to have two completely independent and fully functional ERP or CRM systems -- it would be a waste of resources.
Likewise, if a cloud environment is well designed, it will take advantage of multiple availability zones distributed across many different geographic regions with redundant servers and other infrastructure. This is far from a SPOF. Organizations have always had vendor dependencies in their IT environments. If the organization's cloud vendor decides to fold up its tent tomorrow, then that would cause trouble. However, that is the kind of black swan event external backups are designed to address.
Although multi-cloud environments are not inherently more secure than single cloud, there are many reasons organizations may use more than one cloud infrastructure vendor. Not every enterprise is best served by exclusively using a single cloud vendor. Plus, some services are hosted with different providers for many valid technical and functional reasons. These are valid multi-cloud uses. Just remember: What may constitute wastefulness is attempting to design a multi-cloud environment that enables the seamless shifting of all enterprise workloads among providers just because of the notion that it may be more secure -- especially when that may not be the case.