Multiple Clouds? Multiple Risks.

Most organizations are operating in multiple cloud properties in addition to their own on-premises private cloud. For the past three years we've asked about the challenges and frustrations professionals in every role within IT experience while operating in this mode.

Every year the top answer is the same: consistency.

This is no surprise. Organizations are still largely working as siloed teams, and the introduction of public cloud hasn't changed that. In fact, it's largely expanded the number of siloes as cloud-focused teams are often necessary to properly adapt to the unique dashboards, consoles, and ways of operating each individual public cloud.

This reality makes it harder to secure applications for which organizations—not cloud providers—are responsible. The challenges arise in part from the use of heterogenous security services that may or may not provide the parity of policies required to sufficiently secure an application according to company expectations. The capabilities of one security service may not be the same of another. If there is functionality you depend on to protect an application and it is available in one cloud but not the other, you can't achieve consistent security.

So it was no surprise that a report from Sophos on the State of Cloud Security 2020 found greater numbers of security incidents amongst those organizations operating in multiple cloud properties:

"Multi-cloud organizations reported more security incidents in the last 12 months. Seventy-three percent of the organizations surveyed were using two or more public cloud providers and reported more security incidents as those using a single platform."

The report further clarified the source of those incidents, finding that security gaps caused by misconfiguration were exploited in 66% of attacks, further falling into three categories: 

• 33% Cloud account credentials stolen
  
• 22% Cloud resource misconfiguration 
• 44% Misconfigured web application firewall

Misconfiguration can be the result of many things. Typos are common. Misinterpreting terminology or misunderstanding the policy model can be another.

To reduce typos and other human-introduced errors, automation often comes into play. But it doesn't help with the latter, where differences in policy models and languages can be a source of confusion that leads to misconfigurations.

The best answer today to solving the issue of misconfiguration is standardization. Choosing a standard set of security services that operate in every environment you need them to operate in will go a long way toward eliminating misconfigurations. By focusing on a single set of security services, skills gained are retained across cloud properties. Expertise is built on experience, and by focusing on a narrower set of policy languages and models, organizations can more confidently approach securing applications in any environment.

Standardization also acts as a force multiplier for automation by enabling the reuse of code, scripts, and templates that provision, deploy, and manage security services across multiple clouds. The automation artifacts become hardened and optimized by use and reuse, which inspires greater confidence in the use of cloud.

Cloud is here to stay, as is the reality of multiple clouds per organization. But that doesn't mean we need to accept the reality of increasing security incidents. By deliberately approaching security services with an eye toward standardization and attention toward internal organizational structures that may be impeding collaboration, organizations can take positive steps toward improving security, expanding automation, and optimizing the skills and expertise of their most valuable assets—their people.