Adapting your risk management strategy to cater to a multi-cloud environment


Rob Robinson

Head of Telstra Purple

The relevance and usefulness of a cloud strategy have always varied from industry to industry. However, this all changed when the requirement for remote working exploded. Organisations that rushed to accelerate their cloud adoption were confronted with an intensified cyber-threat landscape and the need to shore up their defences.

The challenges of the last few years have meant that organisations have had to approach security from a different angle. New collaboration and communication technologies were often deployed rapidly to get users online and productive and to keep the business functioning. With security-by-design principles often not considered upfront in the scramble to get applications live in the cloud, cybercriminals have taken full advantage of these potentially exposed attack surfaces.

Cloud threats and vulnerabilities will increase

Moving forward, these threats are becoming more sophisticated and frequent. More than 67% of organisations have now experienced a cloud account compromise that has exposed sensitive data, even though the perception of security risks in the cloud is relatively low.

These were the findings of a recent Ponemon Institute report in which only 39% of respondents said their organisations are vigilant in conducting security assessments of cloud apps before they are deployed. Worryingly, 80% of organisations believe their security teams lack visibility and control of the activity of every user and device. This includes controls such as conditional and multifactor authentication (MFA).

Multi-cloud multiplies the risks

Distributed networking and any-place-anywhere access have accelerated cloud adoption. On average, organisations use 2.6 public and 2.7 private clouds – and these cloud estates are rapidly expanding as they look for a competitive edge, swifter innovation, and a faster route to market.

Cloud estates are complex by their nature, made up of a mix of software as a service (SaaS), hyperscaler cloud services, on-premises data centres, and co-location. For a complete risk view, any location hosting an organisation’s IT services, cloud or not, must also be considered part of the overall multi-cloud estate.

There are also likely to be multiple cloud environments or multiple tenancies that exist without the same security rigour as the main corporate instance. There may even be shadow cloud environments that the IT department is unaware of. Traditional security tools cannot provide the level of monitoring and protection required to mitigate risk in a multi-cloud environment.

The shared responsibility model

You need to consider any risks regarding communications between the private data centre and cloud data centre, and user access to SaaS. Often employees can access SaaS applications without going through the enterprise’s data centre and authentication processes, which increases the risk of malware and malicious data exfiltration. Risk, therefore, needs to be assessed against the appropriate framework with the right tools.

Multi-cloud risk management isn’t a tick-box exercise

Managing risks associated with multi-cloud computing is an ongoing process. IT teams need a full view of applications and data both at rest and in transit to mitigate risk. Determining risks is the first step to continuous cloud security.

Next, you need to discover all the assets that currently sit in your cloud environment, maintain visibility of them, and understand the relationships between these assets and how they work. It is the weak links in this chain that malevolent actors swoop on.

Getting it right every time is not an easy task. Cloud adds another layer of complexity to the IT estate, and the more clouds you add, the more complex it gets.

Building a strategy to address the risks and regulatory procedures of your multi-cloud landscape will enable your organisation to harvest the benefits of a more secure cloud environment.

 

Identify and stop cloud exposure before it does your business harm

At Telstra Purple, our team of experts can deliver a comprehensive cloud risk and shadow IT assessment to highlight and prioritise previously unknown security gaps, misconfigurations, and threats across your cloud estate.

Our risk assessment will quickly build a complete picture of your enterprise cloud posture and shadow IT usage, providing timely, actionable insights.

We work with industry-leading partners to bring you the best technologies. Our vendor-agnostic, holistic approach will ensure you adopt the best multi-cloud technologies to enhance your cloud posture, aligned with your business goals. Put simply, our end-to-end approach will ensure your cloud estate remains agile and secure.
