Due to the structure of multi-cloud environments, concepts for IT security have to be rethought.
Cloud was yesterday. The future is multi-cloud. Studies estimate that in the next 75% of all cloud architectures will be multi- or hybrid cloud systems. With digital transformation, the demands on companies in terms of efficiency, scalability and customer experience are increasing. Multi-cloud systems can meet these requirements better than on-premises architectures, because the company can pick the best services and integrate them without having to reinvent the wheel or build the necessary IT infrastructure itself. Downtime can also be reduced by using services with identical functions from different providers: if AWS fails, another service provider steps in.
But where multi-cloud architectures promise efficiency, scalability and customer-friendliness, they also open up challenges. The structure of multi-cloud environments means that concepts for IT security have to be rethought. We explain what makes security in multi-cloud architectures a particular challenge and how companies can deal with it.
Multi-cloud architectures are complex because they consist of many individual services. Instead of a single point, there are now many points at which sensitive data is transferred and which attackers can target. Compared with a simple cloud solution, the complexity does not just grow linearly: not only does the company communicate with many different services, the services often also communicate with each other. And it is not only the cloud services themselves that are involved, but increasingly also IoT devices that connect to the system.
As the attack surface grows, visibility shrinks at the same time. The people responsible in the company lose the ability to oversee and monitor the entire architecture, to react quickly to threats, and to proactively identify and close gaps.
When a variety of different cloud services are used, there are almost always inconsistencies: the technologies and interfaces differ from service to service. One solution is the use of containers. A containerised program carries all of its dependencies with it and can therefore be executed anywhere, independent of the platform. This in turn opens up the space for platforms that unify different services.
Meanwhile, many providers address the visibility problem with an overarching layer. Cloud management platforms and cloud service brokers create a common denominator between different public cloud services. This allows a company to regain visibility over the architecture and its potential security risks.
One of the easiest ways for attackers to gain access to a system is through employee accounts. The larger the company, the more people have access to certain systems. At the same time, each additional service brings a new potential point of attack. How can companies overcome this problem? Imagine that all employees in the company had administrator rights. Attackers would then only have to take over one account to take over the whole system, and the system would be only as strong as the weakest employee password. This thought experiment shows that companies need to do exactly the opposite: access and rights should be as restrictive as possible.
Another way to reduce the human factor is to automate processes in the cloud. The less manual work is necessary, the fewer opportunities there are for errors due to carelessness. Many software solutions are now available for automation. However, for them to be useful, cross-service standards must be in place. IBM addresses security automation in the paper "Cloud-native security practices in IBM Cloud".
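The two points above, keep rights as restrictive as possible and check them automatically rather than by hand, can be combined in a small audit script. The following is an added example written for this article, not code from the article, from IBM or from any cloud provider. It assumes policies in the AWS IAM JSON shape (a `Statement` list with `Effect`, `Action` and `Resource`, each of which may be a string or a list); the three sample policies and the `example-bucket` ARN are constructed placeholders. The script flags the "everyone is an admin" situation from the thought experiment (`Action: "*"` on `Resource: "*"`), as well as the weaker but still over-broad service-wide and resource-wide wildcards.

```python
"""Flag over-broad IAM-style policy statements (added example, not from the article)."""
import json
from typing import List

# Constructed sample policies in the AWS IAM JSON shape.
# "example-bucket" is a placeholder, not a real resource.
POLICIES = {
    # The thought experiment: every principal is an administrator.
    "everyone-is-admin": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    }),
    # Still far too broad: every S3 action on every resource.
    "s3-full-access": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    }),
    # Least privilege: two read actions on one named bucket.
    "least-privilege-reader": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        }],
    }),
}


def _as_list(value) -> List[str]:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def statement_findings(stmt: dict) -> List[str]:
    """Return finding labels for one statement (empty list means no finding)."""
    findings: List[str] = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements only ever narrow access
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    if "NotAction" in stmt:
        # Allows everything except the listed actions: almost always too broad.
        findings.append("not-action")
    if "*" in actions and "*" in resources:
        findings.append("admin-equivalent")
    else:
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append("wildcard-action")
        if "*" in resources:
            findings.append("wildcard-resource")
    return findings


def audit_policy(policy_json: str) -> List[str]:
    """Collect findings across all statements of one policy document."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings: List[str] = []
    for stmt in statements:
        findings.extend(statement_findings(stmt))
    return findings


def audit_all(policies: dict) -> dict:
    """Map policy name to its list of findings."""
    return {name: audit_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in audit_all(POLICIES).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

Run as a script, it prints one line per policy; in a pipeline, a non-empty finding list for a freshly proposed policy is the signal to stop and review. The check is deliberately structural: it does not need provider credentials, so the same logic can be run against exported policy documents from every cloud in the architecture, which is exactly the cross-service view the visibility problem above calls for.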
For the CISO, multi-cloud security remains a key challenge, and it is not the only one. Alongside security, compliance is also a major challenge that must be addressed in order to become fit for the multi-cloud future. Companies should therefore carefully examine the requirements in their own organisation before making a decision. In the end, security is never just a product, but a never-ending task. The BSI also provides comprehensive information about cloud security.