The term multicloud has been gaining traction as more enterprises and organizations have expanded their cloud presence across numerous apps, platforms and services. But the term also brings some confusion with it. What exactly is multicloud?
For most organizations, multicloud simply means using several distinct cloud services in combination, creating a hybrid model that shares data, application components, connectivity or all three. For many, this is a simple hybrid of infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) environments (Docker-based workloads running alongside Azure services, for example), or IaaS plus several software-as-a-service (SaaS) environments that integrate with both on-premises and cloud applications.
Data classification and networking in a multicloud deployment
When dealing with multiple cloud providers, there are a number of security considerations that organizations should take into account. The first is data classification, which applies to any sort of cloud deployment, not just a multicloud one. Ensure your organization has policies and governance in place to track what data is permissible in each cloud environment you use. This matters even more in multicloud architectures, because data may be exposed to or shared between providers with different security postures and features, and your compliance posture can suffer if those cross-provider data flows aren't mapped out.
A second area to focus on is network and application interconnectivity. Most multicloud deployments rely heavily on network connections, typically TLS between application components or IPsec tunnels between fully connected network subnets. Make sure every connection carrying sensitive information is encrypted with the appropriate type and level of protection, and verify the actual configuration (protocol versions, cipher suites, certificate validation on both ends) rather than assuming the provider default is adequate.
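The two considerations above, classification ceilings per environment and a minimum transport protection per classification, can be checked mechanically against an inventory of cross-cloud data flows. The following is an added example, not code from the original article: the environment names, classification levels, policy tables and the sample flows are all constructed for illustration, and in practice the inventory would come from a CMDB, data catalogue or infrastructure-as-code export.

```python
"""Check cross-cloud data flows against a classification and transport policy.

Added example, not from the original article. Environment names, the
classification levels, the policy tables and the inventory of flows are all
constructed; real input would come from a CMDB, a data catalogue or an
infrastructure-as-code inventory.
"""
from dataclasses import dataclass

# Ordered from least to most sensitive; the index is used for comparisons.
LEVELS = ["public", "internal", "confidential", "regulated"]

# Highest classification each environment is approved to hold.
# Constructed policy: regulated data may only sit in the environments that
# a (hypothetical) compliance assessment covered.
ENVIRONMENT_CEILING = {
    "aws-prod": "regulated",
    "azure-prod": "regulated",
    "gcp-analytics": "confidential",
    "saas-crm": "internal",
    "on-prem": "regulated",
}

# Transports that count as adequately protected for data at each level.
# "tls" means TLS 1.2 or newer with certificate validation, "ipsec" an IPsec
# tunnel between subnets, "tls-legacy" TLS 1.0/1.1. Anything at internal or
# above must be encrypted; public data may travel in the clear.
ALLOWED_TRANSPORT = {
    "public": {"plaintext", "tls", "ipsec"},
    "internal": {"tls", "ipsec"},
    "confidential": {"tls", "ipsec"},
    "regulated": {"tls", "ipsec"},
}


@dataclass(frozen=True)
class Flow:
    name: str
    source: str
    destination: str
    classification: str
    transport: str  # one of plaintext, tls-legacy, tls, ipsec


def level_index(level):
    if level not in LEVELS:
        raise ValueError(f"unknown classification {level!r}")
    return LEVELS.index(level)


def check_flow(flow):
    """Return a list of policy violations for one flow (empty if compliant)."""
    findings = []
    data_level = level_index(flow.classification)  # validates the label too
    for env in (flow.source, flow.destination):
        if env not in ENVIRONMENT_CEILING:
            findings.append(f"{flow.name}: environment {env!r} is not in the approved inventory")
            continue
        ceiling = ENVIRONMENT_CEILING[env]
        if data_level > level_index(ceiling):
            findings.append(f"{flow.name}: {flow.classification} data is not permitted in {env} (ceiling {ceiling})")
    if flow.transport not in ALLOWED_TRANSPORT[flow.classification]:
        findings.append(f"{flow.name}: transport {flow.transport!r} is not adequate for {flow.classification} data")
    return findings


def check_inventory(flows):
    findings = []
    for flow in flows:
        findings.extend(check_flow(flow))
    return findings


# Constructed sample inventory.
SAMPLE_FLOWS = [
    Flow("web-to-api", "aws-prod", "azure-prod", "confidential", "tls"),       # compliant
    Flow("etl-export", "aws-prod", "gcp-analytics", "regulated", "ipsec"),     # classification breach
    Flow("crm-sync", "saas-crm", "on-prem", "internal", "tls-legacy"),         # weak transport
    Flow("cdn-assets", "aws-prod", "gcp-analytics", "public", "plaintext"),    # compliant
]

if __name__ == "__main__":
    for line in check_inventory(SAMPLE_FLOWS):
        print(line)
```

Run against the sample inventory, the checker reports two findings: the regulated export into an environment approved only up to confidential, and the internal sync running over legacy TLS. Extending it to real data means feeding it the same flows you would draw on an architecture diagram, which is exactly the mapping exercise the text asks for.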
Further considerations for multicloud security
Ideally, all authentication and authorization for a multicloud environment would use a shared form of access management. This should apply to both end-user access and administrative access and control. Shared identity and access management can be accomplished with an in-house single sign-on system or, increasingly, an identity-as-a-service provider that integrates with numerous cloud providers through federation standards such as SAML or OpenID Connect.
All users, groups and roles should be carefully defined for access to every aspect of the multicloud deployment, and this central identity and access platform -- whether in-house or in-cloud -- should then be audited and controlled centrally.
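Federation works because every cloud (the relying party) validates tokens minted by the one central identity platform and then maps the centrally managed groups to its own local roles. The block below is an added example, not code from the original article or from any identity provider; it mints and verifies an HMAC-signed (HS256) token so that it runs with the Python standard library alone. A real IdP signs with an asymmetric key (RS256 or ES256) and the relying party fetches the public key from the IdP's JWKS endpoint, but the claim checks are the same. The issuer URL, the shared key, the group-to-role mapping and the claims are all constructed.

```python
"""Verify a federated identity token at a relying party in one cloud.

Added example, not code from the original article or any identity provider.
HS256 (shared-secret HMAC) is used so the example needs only the standard
library; production federation uses asymmetric signatures and a JWKS
endpoint, with identical issuer/audience/expiry checks. Issuer, key,
group mapping and claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key):
    """Stand-in for the central IdP: mint a signed token (HS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


class TokenError(Exception):
    pass


def verify_token(token, key, issuer, audience, now=None):
    """Validate algorithm, signature, issuer, audience and expiry; return claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the token header, otherwise an
    # attacker can downgrade to "none" or swap key types.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise TokenError("token not intended for this relying party")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("token expired")
    return claims


# Constructed mapping: group membership is managed centrally at the IdP, the
# role it grants is local to this cloud and is what gets audited here.
GROUP_TO_ROLE = {"cloud-admins": "Owner", "app-devs": "Contributor"}


def roles_for(claims):
    return {GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE}


IDP_KEY = b"constructed-shared-secret-for-the-example"  # constructed
IDP_ISSUER = "https://idp.example.com"                   # constructed


def demo(now=1_700_000_000.0):
    """Accept a genuine token for this audience, reject a tampered copy."""
    claims = {"iss": IDP_ISSUER, "sub": "alice", "aud": ["azure-portal", "aws-console"],
              "exp": now + 300, "groups": ["app-devs"]}
    token = issue_token(claims, IDP_KEY)
    accepted = verify_token(token, IDP_KEY, IDP_ISSUER, "azure-portal", now=now)
    results = {"roles": roles_for(accepted)}
    # Re-encode the body with an elevated group but keep the old signature.
    header_b64, _, sig_b64 = token.split(".")
    forged_body = _b64url_encode(json.dumps({**claims, "groups": ["cloud-admins"]}).encode())
    try:
        verify_token(f"{header_b64}.{forged_body}.{sig_b64}", IDP_KEY, IDP_ISSUER, "azure-portal", now=now)
        results["tampered"] = "accepted"
    except TokenError as err:
        results["tampered"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The audience check is the part most often skipped in practice: a token the IdP issued for the AWS console must not be accepted by the Azure relying party, even though the signature and issuer are valid, or one cloud's session becomes a credential for every other.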
Security event management is a significant area to plan for in multicloud deployments, because a provider's native logging covers only the events in that provider's environment. Ideally, all logs should be forwarded to an in-house security information and event management (SIEM) or analytics system, or to a cloud-based event management platform such as Splunk Cloud, Loggly or Sumo Logic, and normalized there so that detections can run across every provider at once.
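Central collection only pays off once events from different providers share a schema, because a detection that spans providers cannot be written against CloudTrail's field names on one side and Azure's on the other. The block below is an added example, not code from the original article or from any SIEM product: it normalizes two constructed sign-in events into one schema and runs two constructed detections over the result (a console sign-in without MFA, and the same identity signing in to two providers from two different addresses within five minutes). The raw records only approximate the CloudTrail and Azure AD sign-in formats and are not authoritative schemas; the identity-collapsing rule is a simplification of mapping both usernames to the central IdP's subject identifier.

```python
"""Normalise sign-in events from two cloud providers and detect across both.

Added example, not from the original article or any SIEM product. The raw
events are constructed; their field names approximate CloudTrail and Azure
AD sign-in logs but are not authoritative schemas. Both detection rules are
constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

RAW_EVENTS = [
    # AWS CloudTrail-style console login (constructed)
    {"provider": "aws", "record": {
        "eventTime": "2024-03-01T10:00:12Z", "eventName": "ConsoleLogin",
        "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.5",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"}}},
    # Azure AD sign-in-style event (constructed)
    {"provider": "azure", "record": {
        "time": "2024-03-01T10:03:40Z", "category": "SignInLogs",
        "properties": {"userPrincipalName": "alice@example.com",
                       "ipAddress": "198.51.100.7",
                       "status": {"errorCode": 0},
                       "mfaDetail": {"authMethod": "PhoneAppNotification"}}}},
    # A second AWS login with MFA, from a different user (constructed)
    {"provider": "aws", "record": {
        "eventTime": "2024-03-01T11:15:00Z", "eventName": "ConsoleLogin",
        "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.9",
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"}}},
]


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _identity(raw):
    # Collapse "alice" and "alice@example.com" to one key. Simplification: a
    # real pipeline would map both to the central IdP's subject identifier.
    return raw.split("@")[0].lower()


def normalise(event):
    """Map a provider-specific record onto the common sign-in schema, or None."""
    provider, rec = event["provider"], event["record"]
    if provider == "aws" and rec.get("eventName") == "ConsoleLogin":
        return {"ts": _parse_ts(rec["eventTime"]), "provider": "aws",
                "user": _identity(rec["userIdentity"]["userName"]),
                "src_ip": rec["sourceIPAddress"],
                "success": rec.get("responseElements", {}).get("ConsoleLogin") == "Success",
                "mfa": rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"}
    if provider == "azure" and rec.get("category") == "SignInLogs":
        props = rec["properties"]
        return {"ts": _parse_ts(rec["time"]), "provider": "azure",
                "user": _identity(props["userPrincipalName"]),
                "src_ip": props["ipAddress"],
                "success": props.get("status", {}).get("errorCode") == 0,
                "mfa": bool(props.get("mfaDetail"))}
    return None  # not a sign-in we understand; a real pipeline would count these


def detect(events, window=timedelta(minutes=5)):
    """Return alert strings for the two constructed detections."""
    signins = sorted((e for e in map(normalise, events) if e), key=lambda e: e["ts"])
    alerts = []
    # Rule 1: successful console sign-in without MFA, any provider.
    for e in signins:
        if e["success"] and not e["mfa"]:
            alerts.append(f"{e['provider']}: {e['user']} signed in from {e['src_ip']} without MFA")
    # Rule 2: one identity, two providers, two source addresses, inside the window.
    by_user = {}
    for e in signins:
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            gap = b["ts"] - a["ts"]
            if a["provider"] != b["provider"] and a["src_ip"] != b["src_ip"] and gap <= window:
                alerts.append(f"{user} signed in to {a['provider']} ({a['src_ip']}) and "
                              f"{b['provider']} ({b['src_ip']}) within {int(gap.total_seconds())}s")
    return alerts


if __name__ == "__main__":
    for alert in detect(RAW_EVENTS):
        print(alert)
```

Neither rule could be expressed in a single provider's console, because each provider sees only its own half of alice's activity; the cross-provider correlation is the concrete reason the text recommends a central platform.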
When moving to multiple cloud provider environments, be mindful of the third-party security vendor products in use, as many don't currently support all cloud providers. For example, it is not uncommon to find that a security vendor's appliance is available in the Amazon Web Services (AWS) Marketplace but not in the Azure Marketplace, or vice versa. If you have made a significant investment in a single vendor, this can limit the security controls available to you when you move to a multicloud design.
Be especially mindful of tools that provide encryption and key management and of tools that provide visibility into system and application configuration and performance, since these are difficult and costly to replicate across providers.
The only real security benefit of a multicloud deployment is the ability to use whichever provider's native security controls are best of breed for the assets operating in its environment. For example, Microsoft Azure may offer native Windows system and application controls that are better than those of some other providers, while AWS offers a configurable distributed denial-of-service protection service, AWS Shield, that may serve as a better front line of defense when DNS and routing already sit within AWS. To realize this benefit, security controls need to be a primary consideration when evaluating cloud providers, which unfortunately is not always the case.
Enterprises will continue to move to multicloud deployments, despite the security challenges, because of the flexibility and cost savings obtained by using a variety of different cloud providers. As they move, enterprises will need to keep in mind the potential risks of a multicloud architecture and the best practices for keeping such an environment well defended.