As cloud adoption increases, companies are under ever more pressure to protect their data across multi-cloud environments. However, it can be challenging for companies to manage access to that data and keep it secure.
The types of threats seen in multi-cloud environments are no different than those in a single cloud environment, says Crystal Morin, cybersecurity strategist at security company Sysdig. However, Sysdig’s Threat Research Team is witnessing attackers move between environments during attacks, making this a cause for concern for multi-cloud users.
“The greatest mistake a company operating with a multi-cloud environment can make, beyond normal cloud security practices, is not securing and observing the movement between the cloud environments,” she says. “Maintaining a wholesome view of your environment is key to keeping it secure.”
As multi-cloud environments become more popular, there will likely be an increase in attackers moving laterally through environments looking for additional privileges and sensitive data that may be stored across the environments, Morin adds.
Because the cloud landscape is so diverse, spanning multi-cloud and hybrid setups, it presents a fragmented network that expands the attack surface and complicates monitoring and protection, says Phani Dasari, chief information security officer of HGS, a digital customer experience company.
Overcoming this fragmentation through enhanced visibility across the entire cloud environment is vital for reducing cyber risks and a top priority for security teams, he adds.
Magic Gnomes Aren’t the Answer
Companies need to ensure that only the people who need access to specific company data for their jobs can access it, says Wayne Anderson, director of cloud, security, and infrastructure at BDO Digital, a provider of technology and business advisory services.
“Today’s multi-cloud world isn’t made up of an army of magic gnomes, however, who make intelligent and well-judged decisions in real time,” he says. “Instead, systems have to be designed or configured to know what permissions are needed, who should have those permissions, and how the permissions are applied to data or application functions. Machines will follow these rules exactly. The rules must be right.”
Getting there requires an organization whose business units are regularly communicating with the security team, who are willing to spend just as much time in the planning process, setting up such things as workflow, as they are spending to buy the tools in the first place, according to Anderson.
“The best security teams act like advisors and have built trust with the business to be the consultant who finds a balance of fast implementation while keeping the business protected,” he adds.
One of the most effective ways to manage the level of permissions that are assigned to entities within an organization is through role-based access control (RBAC), says Brandon Leiker, principal solutions architect, security at 11:11 Systems, a managed infrastructure solutions provider. With RBAC, various roles are created based on the types of users or levels of access users need to an environment or data, then user accounts are assigned to those roles.
“[However], managing access and permissions across multiple cloud environments through each environment’s identity and access management solution can be administratively burdensome,” he says. “Not to mention users will be challenged with needing to manage multiple usernames, passwords, and MFA [multi-factor authentication] tokens, tempting them into the poor practice of reusing passwords across those environments.”
To alleviate these pains, organizations should seek to implement single sign-on solutions, Leiker says. This allows administrators to manage access and permissions across the various cloud environments leveraged by the organization through a centralized platform. Users have one centralized portal to access those environments using a single username, password, and MFA.
Attackers Are Targeting Backups
In a multi-cloud environment, ensuring data security is paramount, says Evan Pease, technology leader at Launch Consulting Group. One way for companies to do that is to maintain backups in multiple locations and have robust recovery plans.
“Multi-cloud setups offer the flexibility of using different cloud providers for backups,” he says. “While it can be more expensive to store data on multiple clouds, the tradeoffs might be worth it for some data.”
Steve Costigan, field CTO, EMEA at cloud computing company Zadara, agrees, saying organizations need to ensure that backups are portable across different environments and locations.
“You don’t want to tie yourself to a locked-in solution with limited recovery options,” he says. “Ensure you have true isolation between systems; this will restrict east-west lateral movement if a compromise occurs.”
“This is your last line of defense for recovery,” he says. “If your backups are deleted or compromised, then you are staring into the abyss for your data integrity.”
Multi-cloud environments also necessitate versioning mechanisms and robust disaster recovery plans, says Dasari.
“Having historical versions readily accessible ensures swift restoration in case of data loss or corruption,” he explains. “Rigorously testing the disaster recovery plan is crucial to minimize downtime and ensure data availability.”
It’s Not Just About the Technical Tools
Protecting data in a multi-cloud environment goes beyond just employing the right technical tools; it’s about adopting a holistic approach that encompasses both administrative and technical aspects, says Nick Harrahill, director of customer support at Spin.AI, a software-as-a-service (SaaS) security company.
“On the technical front, measures such as data encryption for both data at rest and in transit, regular data integrity monitoring using digital signatures or hashes, and strong identity and access management controls are paramount,” he says. “Additionally, comprehensive auditing, timely vulnerability management, adopting data management platforms, fortified network security, and automated disaster recovery solutions are essential.”
From an administrative standpoint, rigorous vendor evaluations and contracts that ensure compliance with service-level agreements and the highest security standards are critical, Harrahill adds. Frequent third-party audits, robust data security policies, a well-defined incident response strategy, and stringent data lifecycle management guidelines are just as vital.
“The entire endeavor of securing data in a multi-cloud setup boils down to fostering partnerships between clients and vendors, each contributing their expertise and controls to the table,” he notes. “I always emphasize the mantra ‘trust but verify.’ This philosophy is foundational to building and maintaining strong, secure relationships in the multi-cloud space, ensuring the integrity and safety of data at all times.”
A cornerstone of safeguarding data is understanding each cloud provider’s security mechanisms and ensuring alignment with internal protocols, says Mike Fraser, VP of DevSecOps at Sophos, a provider of cybersecurity solutions.
“Data encryption necessitates encrypting data at rest and during transit. While many cloud providers furnish encryption tools, organizations garner enhanced security when they manage their encryption keys,” he says.
And cybersecurity posture management and data security posture management play a significant role in this by maintaining secure and compliant configurations of cloud services and data, often integrating seamlessly into modern DevSecOps pipelines to ensure enforcement through automation, Fraser adds.
As cyber threats continue to evolve and regulations become more stringent, organizations globally will prioritize their cyber investments based on protecting “business-impacting” data, says Dasari.
“This involves gaining a deep understanding of such data across the organization and continuously assessing its introduction into the environment, whether through the cloud, SaaS solutions, core applications, or third-party relationships,” he says. “This approach will lead to more resilient cybersecurity programs and minimized risks for organizations.”