Multi-Cloud Security: What CISOs & CTOs Need to Know

Why go multi-cloud? It’s not always by choice 

A multi-cloud strategy can combine the best of two (or more!) worlds, allowing cloud-native organizations to choose best-of-breed options for building apps and storing data in the cloud. At least this is true when the multi-cloud approach is by design.  

It’s not unheard of for a multi-cloud approach to happen by accident. Along with mergers and acquisitions that force two IT estates together, so-called ‘shadow IT’ is a significant problem – where teams make use of an unapproved solution resulting in a complex cloud infrastructure that spans across different cloud vendors.  

While multi-cloud companies can gain numerous advantages - each public cloud has its own strengths - the downsides should not be disregarded, especially if they mean compromising on security and visibility and giving the CISO or CTO sleepless nights. 

Advantages and disadvantages of multi-cloud 

CTOs in cloud-native businesses typically choose multiple cloud providers, such as AWS, Azure, Google Cloud, Alibaba, and others, to maximize the potential of their tech stack and access a broader range of features. Azure is known for its tight integration with other Microsoft products, AWS has strong support for general enterprise compute and storage, while Google Cloud has sought to differentiate with a focus on Machine Learning. The latest battleground is on AI and LLM support.  

But companies with legacy infrastructure, or those in highly regulated industries such as finance and healthcare, may also have on-premises assets as well, resulting in a hybrid mix of private and public cloud infrastructure. 

Key reasons to consider a multi-cloud approach: 

• Flexibility: Since you have access to multiple cloud providers, you can choose the service that best suits your needs out of a pool of options. For example, if you want to store data in a storage asset, you don’t necessarily have to go with a bucket from AWS; you can also consider a storage account in Azure or weigh out your options based on integration with other software, pricing variables, or even geography.  
• Optimizing costs: Although broadly speaking, different clouds stack up in a like-for-like comparison, there are subtle but important differences in how each provider does things and charges for them. So, the flexibility of choosing services from different providers allows organizations to optimize costs effectively, avoiding unnecessary expenses and ensuring that resources are allocated efficiently. 
• Redundancy and high availability: Distributing data across multiple cloud platforms ensures high availability and redundancy. If one provider experiences downtime or disruptions, data remains accessible from alternative sources, minimizing the risk of service interruptions. 
• Geo-location options: By distributing data across vendors, you can be closer to end-users from all around the world, reducing latency and improving overall user experience. Moreover, for data sovereignty reasons, you can also ensure compliance with various standards that may require that data stays inside a particular country or geographical location. This is a particularly important consideration in regulated sectors but can just as easily apply to any company that deals with customer data – which is pretty much every company. The EU’s GDPR privacy regulation is a prime compliance example, and the US is catching up now with state-specific considerations, like California’s CCPA.  

Risks and downsides of multi-cloud 

• Added complexity: An infrastructure that spans across cloud vendors is inherently more complex and more challenging to manage and secure. This is a daunting task for any CTO and engineering team. Each cloud provider has its own naming conventions, service structures, deployment models, API endpoints, and more, meaning both engineering and security professionals often forget best practices for each specific service, which can and will introduce security gaps in the company. 
• Reduced visibility: This is a big one. There is no security without visibility in the cloud, after all, you can’t secure what you can’t see. And something that’s less obvious but even more important in the cloud is context. When you can’t see all your assets, you can’t understand the relations between them and how a misconfiguration on one asset affects another. This also goes for users (both human and non-human identities) and their permissions. Without comprehensive visibility and inventory, you cannot identify vulnerabilities and gaps in your security.  
• The need for cloud-specific skills: Being an expert in Azure does not directly translate to AWS and vice-versa. Same with any other cloud. All vendors have different assets, each with their own technologies, settings, security best practices, even naming conventions.  

Making multi-cloud work and keeping your estate protected 

So, how do you leverage the advantages of multi-cloud and keep the downsides of having to manage and secure a multi-cloud environment under control? Let’s look at some best practices along with actionable insights to enhance data security in multi-cloud deployments. 

1. Achieve visibility of your multi-cloud estate 

Continuous visibility is the first step to securing a multi-cloud infrastructure. To achieve this, centralize an inventory of your clouds in one single place using a CNAPP (Cloud-Native Application Protection Platform). Having one or two dashboards that showcase your entire inventory across cloud service providers is more manageable and gives you an integrated picture versus switching tabs and constantly having to look up resources in each specific cloud console or portal.  

2. Continuous monitoring to keep up with your clouds 

Monitoring goes hand in hand with visibility. By ensuring continuous logging and monitoring, your security team can identify suspicious behavior in real-time, and be aware of what’s happening in the cloud. Sudden spike in resource usage or anomalous behavior? Time to investigate. Centralize logs to have everything in one place and obtain a comprehensive view of the cloud. 

3. Achieve and maintain compliance with international frameworks 

International standards and laws like ISO 27001, SOC 2, GDPR, and HIPAA enforce security requirements that are meant to prevent data breaches within companies. By becoming compliant with such frameworks, you're not only strengthening your organization's cloud security posture but also showing customers that you're making efforts toward securing their data. In fact, even as the cloud skills gap has increased, so has the expectation of provable security. ISO saw an increase of 51% in ISO 27001 certifications between 2020 and 2022, as more buyers demand compliance from suppliers. Compliance applies across all security providers, and multi-cloud companies are not exempted. You should use a CNAPP to track your efforts and ace your audits by showing comprehensive reports that demonstrate your ongoing efforts. 

4. Prioritize cloud resources to optimize security efficiency  

Segment your assets based on their criticality to business operations and data sensitivity. Identify the core components that, if compromised, could have severe consequences for your organization. By categorizing assets, you establish a hierarchy that guides the allocation of security resources and efforts, and in a world where both cloud and cyber skills are in short supply, optimizing your efforts is key. A CNAPP tool can help perform this prioritization based on the severity of existing vulnerabilities and misconfigurations, as well as how many other assets a cloud resource impacts or is related to. This can make the difference between a quick fix in a typical workday or a data breach that can cost a company a fortune in remediation, fines, or reputational damage.  

5. Use automation to make security teams more efficient 

Depending on the skills and human resources available to you, some CTOs and CISOs might be able to easily accomplish the things we’ve discussed in a simple cloud environment, while those with reduced resources might struggle already. But there’s no denying that when you introduce another cloud provider (or two) into the discussion, a manageable manual workload quickly turns into an overwhelming mountain. For example, access reviews in a multi-cloud infrastructure are nearly impossible to do traditionally; you would have to go back and forth between identity providers and clouds and assess each permission at a time. Not only is this a very tedious job that creates lots of room for mistakes, it’s the soul-destroying kind of task that stops security teams doing work they find enriching and putting them on the lookout for other opportunities.  

Modern cloud security solutions such as a CNAPP however, aggregate all this information in one place, making your people more efficient, and suddenly applying the Least Privilege Principle no longer seems daunting.  

Overcoming the complexity of multi-cloud  

The complexities introduced by added infrastructure layers, each with their own approaches, and the need for cross-cloud expertise demand a proactive approach to security. While multi-cloud environments promise significant opportunities, it is important to address the associated risks, especially those related to complexity, reduced visibility, and the evolving skill set requirements. In this case, prevention really is better than cure, but as with all security, some ‘cure’ is inevitable.  

With a lack of cloud experience and cyber skills on the market, cloud native organizations should really be looking at CNAPP (Cloud-Native Application Protection Platform)-type solutions to enhance and augment existing human resources and skills with the aim of achieving a robust cloud security posture in a multi-cloud setup. 

Cyscale’s CNAPP is the only tool of its kind that has been designed to be deployed and used by smaller teams, helping the CTO or CISO and your security team gain the confidence to acquire visibility, prioritize assets, ace audits for compliance benchmarks, and perform other operations that actually serve the business, rather than endless firefighting across the multi-cloud estate.