The fundamentals of a successful multi-cloud security strategy

Securing your multi-cloud architecture is complex, but absolutely critical. Here’s why it’s time to review your strategy.

The fundamentals of a successful multi-cloud security strategy

Securing your multi-cloud architecture is complex, but absolutely critical. Here’s why it’s time to review your strategy.

Natalie Walker
Natalie WalkerPortfolio Director, BT Security, Business

The vast majority of organisations are operating in a multi-cloud environment using a combination of public and private clouds. This in itself isn’t surprising, given how well a multi-cloud approach fits with the way organisations want to work today.

Multi-cloud cuts the risk of cloud lock-in and takes away that single point of failure. But more importantly, choosing multi-cloud instead of single cloud shifts the power balance. 

It gives you the freedom to take what your organisation needs from different clouds, tailoring your own solution, rather than being at the mercy of whatever your one cloud provider can offer. 

With a strategic multi-cloud approach, you can work with specialists for every workload, and choose the clouds that make the best financial or operational sense for your situation.

A multi-cloud approach can also make complying with varied and complex data regulations much easier. When a country or region requires some level of data sovereignty, you can easily store the relevant data in a cloud located in that region – while still connecting to your other clouds.

New cloud approach, new security challenges

Of course, nothing’s perfect, and the biggest challenge to an effective multi-cloud strategy is keeping it secure. 

Just as multi-clouds need new forms of management and operation, they need a new approach to security too. And organisations that try just to extend their existing perimeter-based security controls into the cloud leave themselves open to attack.

It's just as problematic when organisations take a DIY approach and end up over-relying on the broad range of security tools offered by ‘hyperscalers’.

These tools often integrate well into their other cloud-native tool sets, but they’re rarely interoperable across clouds, leaving the organisation’s security team with the headache of making a cross-cloud security policy work. 

Aligning AWS security controls with those of Azure, Google and so on is possible, but will quickly lead to spiralling costs. There are usually extra charges for additional security features and there’s no guarantee of future parity if services change. 

As highlighted by the recent Optus hack, which made organisational data available online via an unprotected URL link, clouds can be surprisingly easy to misconfigure without the right expertise.

In our opinion and based on our hands-on experience, it’s the dedicated security vendors who excel in capability, usability, and cross-hyperscaler functionality. We’re seeing an enhanced collaboration among dedicated security providers resulting in virtual and complementary ecosystems that really stand out.

If you’re thinking multi-cloud security, think network too

Securing your multi-clouds involves a shift in thinking away from just applying security solutions to recognising the fundamental need to keep data secure, wherever it travels over the network. Networking and security can no longer be considered separately. 

Making the most of the flexibility of a multi-cloud strategy means being able to run a workload in one cloud, and send data from that cloud to an application in another, and so on. The data routing and the network that data travels across are critical in this, as is keeping that data secure at all times. 

So, network and security planning must go hand-in-hand when it comes to multi-cloud success.

There’s no one-size-fits-all solution to multi-cloud security

What will work best for an organisation depends on its business objectives, digital strategies and existing architectures. 

For some, a cloud-based security model that diverts all traffic via secure web gateways will be the right fit. Whereas others may need more security embedded in their own network or their own private cloud.

Your multi-cloud security approach will be as unique as your organisation, but there are some fundamentals that you should look out for when planning your strategy.

Get your policies right

Remember that you are responsible for the security of the data on your clouds, so think carefully about your governance approach and access policies – and make them apply to your whole cloud estate. 

Enforcing a consistent, centralised global security policy across a multi-cloud infrastructure can be very difficult to navigate. But it’s essential if you’re to avoid ‘configuration drift’ (where new exceptions and bolted-on policies undermine security policy and create new vulnerabilities).

Here are our suggestions on how to do that:

1. Establish visibility

More clouds and easier access to critical data from anywhere mean an expanded attack surface, so being able to track activity across your entire architecture is vital.

2. Monitor continuously

With so many of your workloads dependent on clouds, it’s vital to monitor your cloud configurations. You also need to evaluate cloud performance to make sure they’re always fully available and working properly. This will help you decide how to split workloads up amongst your clouds, and catch any issues before they can do any damage.

3. Make the most of automation

The best way to avoid risky misconfigurations is to automate and standardise as much as possible. Automation will also improve your advanced threat detection and remediation capabilities, without putting extra strain on your security teams.

4. Control access

The more widely your workloads are spread, the more important strict identity and access management becomes. Consider enforcing the ‘least privilege’ principle, to ensure your employees can only access what they need and nothing else.

The full package – achieving end-to-end multi-cloud security

When we assist global organisations secure their multi-cloud architecture, we don’t jump straight in with technology recommendations.

Instead, we look at the specific requirements of your organisation and the security team resources you’ve got available. Then we draft in specific expertise from areas such as networking, cyber security, cloud app security or cloud computing security.

Only when we've done a thorough assessment and created a core team to help you understand your cloud security strategy do we provide guidance.

Read more about our cloud solutions.

We draw on our ecosystem of world-leading technology partners to supply the solutions or products you’ve chosen. And we deliver all the latest cloud security technologies you may need, including: 

  • Zero Trust architecture
  • Secure Access Service Edge (SASE)
  • artificial intelligence to automate security with our Eagle-i platform.

When it’s time to take another look at your multi-cloud security strategy, our experts are ready to guide you through.