Why Multi-Cloud Doesn’t Mean Clear Skies Ahead for Security Teams

Cloud Security

As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Steve Riley of Netskope soars into cloud security, and lays out why multi-cloud doesn’t mean clear skies ahead for security teams.

SR - Premium ContentEvery company today is a multi-cloud company. Once, that meant something as simple as subscribing to more than one SaaS application. Now, it means deploying some internal applications to AWS, others to Azure, and yet others to GCP. How did this come to be? Sometimes, a specific cloud platform is mandated by senior leadership. Other times, a particular platform might be more suitable for a specific application or better aligned with developer proficiency.

While multi-cloud may bring benefits, including increased resiliency, flexibility to optimize performance, and cost control, it doesn’t always mean clear skies ahead for a company – especially regarding security.

3 Thoughts to Consider in Cloud Security

Lack of Expertise Leads to More Mistakes

It’s already exceedingly challenging to become an expert in just one of the most popular cloud platforms. While they often employ substantially similar vocabulary, the similarity rarely extends to functionality. For instance, identity and access management models for AWS and GCP aren’t alike, even though both vendors call it “IAM.” Bringing the AWS model to GCP will leave your GCP projects exposed. As one can imagine, trying to become an expert in two or three cloud platforms is nearly impossible. This lack of expertise translates into greater mistakes, most of which manifest themselves as security vulnerabilities that are advantageous to attackers.

Companies are not immune to mistakes. In fact, during my time as a cloud security analyst at Gartner, while interacting with thousands of clients, it became clear that the vast majority of cloud security failures are configuration mistakes of some kind or another. It also became clear that developing the discipline of correct configuration is the best thing a company can do to ensure that it uses the cloud safely and securely.

SaaS Applications Offer Minimal Built-In Security

An average company subscribes to anywhere between 100 to 1,000 software-as-a-service (SaaS) applications. While these applications often help to boost productivity and collaboration, amongst other benefits, most, unfortunately, offer few built-in security features. A few of the most business-critical SaaS applications have evolved good security controls over time, but they may be wildly different in quantity and degree. For example, Microsoft Office 365 offers more built-in controls than Dropbox.

Unlike infrastructure-as-a-service (IaaS) public cloud resources, where newly-created objects are closed by default, the opposite is true with SaaS. For example, the default configuration of a Microsoft 365 tenant is such that if users have access to a file, they can share that file with anyone in the world. Whoever finds the link can forward it to anyone else in the world. Microsoft decided to facilitate sharing — it wants it to be as easy as possible for individuals to collaborate. It’s a business decision, one with ramifications, so it’s imperative to think clearly and deliberately about how to configure SaaS security controls. Misconfiguration can be ruinous.

Cloud Security Isn’t One-Size-Fits-All

The best way to protect the cloud is with the cloud. There is no other way. However, a single “cloud security” market does not exist. What companies often face is hundreds of cloud security products in a dozen overlapping markets, all vying for attention and a portion of the security budget. Countless startups have identified cloud security gaps and, as a result, established compelling offerings. In several scenarios, some of the more major, mature security players have acquired such startups, thus evolving their own cloud security capabilities.

It’s easy to be blinded by the shiny lights and false promises, though. One best practice to strengthen a company’s cloud security strategy is to prefer vendors who offer integrated platforms and can work with existing infrastructure, such as SIEMs and endpoint protection products. As a general rule, conduct a proof-of-concept to verify the cloud security platform’s integration effectiveness. It’s also sensible to rely on third-party, provider-neutral security posture management tools to ensure consistent and repeatable security policies across all cloud environments. Posture management tools sit alongside existing cloud deployments, and because they rely on cloud APIs to investigate configuration, they don’t require scheduled production downtime or lengthy integration phases to begin delivering value.

As cloud adoption continues to accelerate, companies must maintain an adequate security posture. By deploying an effective security posture management strategy, companies can continue to find and eliminate cloud security failures rooted in configuration errors.

Steve Riley
Follow Steve
Latest posts by Steve Riley (see all)