Security and multi-cloud: facing the hidden risks

As organisations evolve their cloud strategies, CISOs don’t have visibility of their new perimeter.

It’s easy, perhaps too easy, to think organisations fall into two neat categories regarding cloud strategy.

The first ‘easy’ category is a hybrid cloud approach. We often see a mix of legacy, on-premise infrastructure and private and public clouds driven by rapid take-up of popular cloud services like Salesforce or Microsoft Office 365. This move is often accelerated in response to the pandemic and the quick digital transformation it introduced. 

The second category is a multi-cloud approach. The standard belief is that this is a more strategic, planned trajectory towards using many public cloud environments and no private data centres or clouds. Typically, this route leverages on-demand capabilities such as big data services from Google, AWS applications, and Microsoft Office suite products.  

However, I believe what’s happening is a staged mix of the two to form a single approach.

We’re seeing a blended, multi-hybrid-cloud approach where hybrid is an interim phase on a strategic journey to multi-cloud.

The security challenges of multi-cloud adoption

In many cases, this complex cloud environment came about to save costs, facilitate operational changes in response to the challenges brought on by the pandemic, and provide new and more adaptive products and services for customers.

These changes have often been made with far less governance and control than with previous business transformations. As a result, many Chief Information Security Officers (CISOs) don’t have clear visibility of how the organisation’s IT teams have moved their applications and data workloads across to multiple cloud environments. They therefore don’t understand if they have the correct controls in place, and they face hidden risk.

In the dark about their attack surface, organisations are relying on heavily adapted protections and tactically federated access controls. They’re trying to correlate events and telemetry across multiple cloud domains and identify anomalies from a disconnected mix of traditional and cloud security controls. This poses significant risks and can lead to: 

  • poor hybrid and multi-cloud security risk and threat management coverage
  • reduced high-confidence risk alerting
  • minimal inspection and reporting of traffic flows between clouds
  • no tracking or management of security posture and risk/compliance changes over time
  • uncertainty around cloud vendor responsibility models
  • lack of consistency amongst security policies for workloads within different clouds.

A ‘one-stop shop’ for cloud and security controls?

Many businesses haven’t re-imagined their security approach for the cloud, or sufficiently developed an inclusive cloud security architecture, instead simply choosing to extend and adapt existing tooling and processes. But in many cases, existing security controls are unsuitable for cloud environments’ dynamic nature, particularly when properly securing multi-cloud deployments.

Luckily, standalone cloud security vendors and hyperscalers are developing a wide range of ‘point’ cloud security solutions with security controls embedded within their platforms. 

It’s an attractive path to cloud security compliance and a ‘one-stop shop’ to procure the cloud infrastructure and the control.

Before deploying these solutions, however, it’s important for businesses to ask six fundamental security questions:

  1. Has our business data been optimally discovered and classified?
  2. Are user access and entitlement controls effective and enforceable?
  3. Are cloud asset inventories and configurations being discovered and monitored?
  4. Are consistent and appropriate cloud application access controls in place?
  5. Are cloud security posture management tools delivering actionable events?
  6. Have continuous endpoint posture, user validation, and response controls been deployed?
     

Faced with these considerations, the seeming simplicity of a single point of control across multiple clouds and legacy infrastructure becomes more complex, leaving organisations unsure of how to proceed.

Cutting through the complexity and deciding on the best approach

An inclusive cloud security architecture is the best way forward, but choosing the best approach depends on an organisation’s specific needs.

  1. Approach one: Identify and implement best-of-breed security controls.
  2. Approach two: Select a single vendor partner.
  3. Get specialist advice: With both approaches, engaging with a specialist security advisor is a must.
  4. Build an effective and secure cloud architecture: Leverage inherent cloud service capabilities and integrate discrete controls specific to your requirements.

With approach one, organisations embrace native cloud controls, but these require significant integration and orchestration within a distributed heterogeneous estate – so expert security support is essential. 

But suppose an organisation chooses approach two with a single vendor partner. In that case, it must look at the strength and coverage of the partner’s portfolio, their ability to address core requirements, and the strategic vision in their roadmap.

How a trusted third party can help

Partnering with a trusted third party that can objectively review and contribute to strategic multi-cloud adoption will mean a smoother deployment and the option for the co-management of selected security controls.

It’s an approach that balances in-house control and cost efficiencies best.