Nearly all organizations surveyed for the Flexera 2022 State of the Cloud Report outlined that they had adopted a multi-cloud deployment model. The Flexera Report quantifies the thinking of over 750 global cloud decision-makers and users via a survey conducted in late 2021. From this cohort, Flexera found that 89% used more than one cloud provider (see ref 1 for a link to the report). A VMware report from mid-2022 of over 2,100 technology executives delivered a similar result, with 87% using two or more cloud providers (ref 2).
While the multi-cloud deployment model brings many benefits for organizations, it also increases the cybersecurity risk they have to deal with. Deploying many services across cloud providers increases the organization’s attack surface. Contrary to what some think, deploying to the cloud does not transfer responsibility for security onto the cloud provider. When deploying to multiple clouds, you must ensure that cybersecurity is at the heart of all considerations and decisions. This need to consider security in multi-cloud environments is so important that NIST has established a Multi-Cloud Security Public Working Group (ref 3) under Presidential Executive Order 14028, “Improving the Nation’s Cybersecurity” to provide guidance on the topic.
What challenges should a CISO or CIO consider in a multi-cloud environment? In the sections below, We list and briefly outline them. Providing detailed advice on addressing these risks is beyond the scope of this article, but you should discuss these with your internal team, or the Managed Security Service Provider (MSSP) tasked with delivering cybersecurity and data protection in your organization.
Security Considerations for Multi-Cloud Deployments
Let’s start with a reminder of what we mean by multi-cloud. A multi-cloud environment uses services from many different public cloud providers. These services can include software as a service (SaaS), infrastructure as a service (IaaS), platform as a service (PaaS), and more. The typical providers are Amazon, Microsoft, and Google, as well as some mid-range and specialty providers targeting SMEs and niche sectors. Hybrid cloud deployments that mix on-premise infrastructure with public cloud services sometimes get called multi-cloud, but this is technically incorrect even if a relatively common usage.
As the number of public cloud providers used increases, the attack surface also increases. Often this increase is not linear, and doubling the cloud providers will more than double the attack surface. How the attack surface expands and the risks involved will vary between organizations based on the services used. In any event, those responsible for data and systems security will need to take the following into account to deliver protection:
Data Security – Protecting data at rest and in transit is core to all cybersecurity strategies. When multiple cloud services are in use, the network traffic between endpoint devices and the cloud will increase dramatically. You must always protect this traffic with TLS (Transport Layer Security) encryption. The services used across the various cloud providers will store and process data. Much of this data will be personally or commercially sensitive, and it needs protecting when at rest on the cloud services (and on endpoint devices). The core of this protection should be strong disk encryption.
User Authentication – Controlling who has access to systems is always important, and especially so when multiple cloud services are in use. Knowing who has access to what across the whole estate is vital, as is knowing who can access what and making sure that only those who need to access a system can. There should be consideration of implementing least privilege access to give the minimum necessary for a job.
Many organizations are using privileged access to control who can access user accounts that can make critical changes or that have access to sensitive data or financial systems that can transfer funds. Privileged access management often has a two-key requirement workflow that requires at least two people to authorize the use of certain user login credentials. When approved, the login is single-use, time-limited, and doesn’t allow onward authentication to other systems. Sessions using the approved credentials often get recorded for auditing purposes.
All the other standard attributes of good user account management should be in place across all cloud services in a multi-cloud deployment. Namely strong & unique passwords for each service, multi-factor authentication, zero-trust access within and between cloud services, and effective account management to eliminate unused accounts as users change roles or leave the organization.
Regulatory Governance – Regulations governing data are now standard around the world. Organizations need to have a complete picture of the data they have stored in cloud-based services and who can access it. All the data regulatory frameworks specify what data should be protected, where it can be stored (within the EU, for example), and the implications if a data breach occurs.
Having data spread across multiple services in a multi-cloud environment makes this task of tracking and protecting data harder. But all organizations using a multi-cloud deployment model must ensure that they fully protect their data.
Cross-Cloud Monitoring – In addition to protecting the data spread across multiple cloud providers, organizations must protect the systems that host and process this data. A common adage in cybersecurity is that you can’t protect what you can’t see. The use of services across providers means that the task of monitoring systems is much more complex than for an on-premise or single-cloud deployment.
The monitoring tools for each cloud provider will be different, and using them often means that there are multiple monitoring consoles that each show a subset of the complete estate. Having a way to aggregate these subsets into a single overall picture is an essential part of security in a multi-cloud environment. Many solutions exist to allow this cross-cloud monitoring, both for in-house use and from dedicated MSSP and MDR (Managed Detection & Response) providers.
Multi-Cloud Sprawl – Commissioning new services and virtual machines on public cloud providers is straightforward. This ease has led to a problem of servers and application instance sprawl. In much the same way that the advent of VMware-based virtualization meant it was easy to deploy virtual machines on-premise.
It’s challenging to track and decommission any cloud-based services that are no longer needed. So the number in use grows across providers and within services. This sprawl makes the attack surface much larger than it should be. Worse than that, the risk that a virtual machine that’s no longer used will get missed when critical security patches are released is almost a certainty. And cyber attackers will find these zombie servers if they are internet addressable and use them to gain access to systems.
It’s imperative that the cross-cloud monitoring discussed in the previous point finds everything across all providers and that there is a management process to decommission anything unnecessary. As an added bonus, this will likely reduce your monthly cloud costs, as anything running in the cloud will consume resources the provider will bill.
Managed Configurations – Human error is the most common root cause for most cyber incidents. This is true for end users who fall for fishing attacks, but it is also true for system admins who can make configuration errors when deploying new cloud-based infrastructure. Errors in server or service configuration can lead to exploitable vulnerabilities. Organizations should implement automated deployment scripts that are tried and tested, version controlled, and protected by privileged access. These automated configuration scripts should be the only way to deliver new infrastructure for production use.
References
- FLEXERA: 2022 State of the Cloud Report. Available from https://info.flexera.com/CM-REPORT-State-of-the-Cloud
- VMware: Achieving Better Control in a Multi-Cloud Estate. Available from https://cio.vmware.com/2022/10/multi-cloud-accelerating-modern-it-strategy.html
- NIST: Multi-Cloud Security Public Working Group https://csrc.nist.gov/Projects/mcspwg/nccp