Follow 3 key steps to improve multi-cloud monitoring

Common multi-cloud security challenges

There are always potential risks in using cloud service environments, particularly when sensitive assets and data are deployed within them. This could be the case for any one cloud service provider (CSP). However, the risks are easily compounded when using multiple CSPs -- either parallel to or in conjunction with one another.

Here are some possible multi-cloud security challenges:

• Increase in attack surface due to system complexity. The cloud may well simplify some types of activities and deployments, but it also brings new technologies and creates additional surface area that must be locked down. With multiple clouds, this threat surface can grow immensely.
• Data privacy concerns due to multi-tenancy. In any multi-tenant arrangement, there are potential privacy risks due to other tenants' activities. This risk exists in all types of clouds.
• CSPs are not interoperable. There is a legitimate risk of vendor lock-in with each cloud provider used. For example, Azure is not compatible with Google Cloud Platform (GCP), which is not compatible with AWS. This same challenge holds true for third-party tools and products that may be integrated within any one cloud environment.
• Conflict in policies. All cloud providers have their own systems for identity and access management (IAM), network access controls and more. Creating uniform policies that work across multiple clouds may be challenging or even impossible.
• Loss of client control over resources and data due to asset migration. Depending on the types of cloud deployed -- as well as the individual provider policies and shared responsibility model -- organizations may find diminished control or complete loss of control over some parts of their deployments. For example, moving container services into a service such as AWS Fargate would reduce the configuration control over containers and orchestration capabilities.
• Management overhead. Every cloud environment requires a variety of skills to operate and employees' willingness to learn how to properly build and manage its infrastructure and assets. Additional skills and training are required with multiple providers in use.

Address challenges with a multi-cloud monitoring strategy

Multi-cloud deployments can easily become scattered from a security standpoint, so the most critical aspect of a sound security architecture and operations model is centralization.

By focusing on cloud service logging and centralized security scanning and monitoring services and tools, security teams can better enable a more cohesive and sustainable multi-cloud monitoring strategy.

Infosec teams should centralize security tools and controls whenever possible to improve monitoring and visibility. These initiatives may require some new tools and approaches. Security operations teams should consider incorporating the following three strategies to mitigate multi-cloud security challenges:

1. Enable central logging in each cloud. First, AWS CloudTrail, Azure Activity Log and Azure Monitor, and GCP Operations must be enabled and commence logging. Next, security teams should centralize events from all clouds into a cloud-enabled SIEM or other monitoring platform. Cloud-focused SIEM services, like Azure Sentinel and Sumo Logic, are becoming more popular due to ease of integration and broad cloud support.
2. Consider a cloud security posture management (CSPM) service. CSPM tools and services can monitor a wide variety of issues within any cloud environment. The idea is to create a policy dictating the desired state or configuration for the cloud infrastructure before monitoring the actual state of what is in place. Examples of cloud control plane issues CSPM can monitor include the following:
   • no encryption enabled for cloud storage or databases;
   • no encryption for sensitive data traffic in motion;
   • lack of sound encryption key management, including old keys or stale keys;
   • poorly defined IAM policies that do not adhere to least privilege principles;
   • privileged accounts without multifactor authentication enabled;
   • open or permissive network access controls;
   • exposed data storage, such as accessible S3 buckets; and
   • minimal or no logging enabled within the cloud environment.
3. Centralize vulnerability scanning services and endpoint security products. To properly evaluate assets in multi-cloud environments, vendor tools that work in numerous cloud environments and report back to a central console are ideal for updating monitoring dashboards and processes. In recent years, a new category of cloud security controls and oversight has developed, known as cloud workload protection platforms (CWPPs). CWPP offerings protect the workload from attacks -- typically, using a combination of network segmentation, system integrity protection, application control, behavioral monitoring, host-based intrusion prevention and optional antimalware protection. In many cases, the vendors in this space may reference zero-trust and microsegmentation capabilities, as well as endpoint detection and response functionality.

By focusing on cloud service logging and centralized security scanning and monitoring services and tools, security teams can better enable a more cohesive and sustainable multi-cloud monitoring strategy. This strategy will help hasten detection and response of issues and incidents, as well as get more manageable over time as it is integrated in overall cloud security policies.