
It seems that for every yin, there is a yang. This is certainly true when organizations utilize multiple clouds: Every advantage they aim to achieve, such as greater flexibility, scalability, and access to specialized services, is matched by important challenges that may not have been fully anticipated.
For example, implementing a multi-cloud strategy can mitigate security and business continuity risks by enhancing cyber resilience and speeding disaster recovery. However, this strategy expands the organization’s attack surface by creating more territory to defend and more potential vulnerabilities to manage.
This article explores why every cloud is a double-edged sword that offers both important business advantages and significant security risks. For each one, it offers recommendations for mitigating the risks to gain the most value from cloud investments.
Frequent Enhancements: New Capabilities Demand Careful Management
One of the key benefits of cloud computing is continual innovation: Cloud providers frequently introduce new features and capabilities that can deliver more value to the business. Even better, since cloud providers handle platform updates, organizations can begin using those enhancements immediately, without the delay inherent in on-premises testing and implementation cycles for updates.
However, delegating platform maintenance to cloud providers means ceding control over the timing and technical details of updates. New features may be released with default settings that are not optimal for your organization, especially when it comes to sensitive data. The more cloud providers an organization engages with, the more risk it incurs from the constant influx of changes and updates.
It is an organization’s responsibility to keep pace with the perpetual state of change, ensuring that new features are configured properly so they can be leveraged effectively while maintaining robust security. Organizations should leverage automation and orchestration tools that streamline operations to reduce the risk of overlooked misconfigurations.
Expanded Reach: More Diversity Comes with a High Learning Curve
As companies expand into global markets, they are often drawn by the promise of new customers and increased revenue. However, this expansion brings its own set of challenges, including navigating different languages, customs and regulatory landscapes.
This complexity is mirrored in the world of multi-cloud computing. To better serve a diverse customer base, organizations frequently turn to additional cloud vendors. By leveraging the unique strengths of each provider, they can optimize application performance, comply with data sovereignty requirements and more.
But these advantages can quickly be overshadowed by the complexities of managing diverse cloud environments. Each vendor brings its own set of native controls, particularly in critical areas like identity and access management (IAM). For instance, these two leading cloud providers handle IAM in fundamentally different ways:
- AWS offers complex JSON-based IAM policies that indirectly reference the resources that they provide access to, enabling granular control but requiring familiarity with JSON syntax.
- Azure employs a role-based access control (RBAC) approach tied to the hierarchy of the resources themselves. While this approach is more intuitive, it does offer less fine-grained control.
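The difference between the two models can be shown with a simplified evaluator for each. This is an added example, not code from the original article or from either provider; the policy, the assignment, the role and all resource names are constructed, and real evaluation involves more inputs (multiple policy types on AWS; deny assignments and excluded actions on Azure).

```python
from fnmatch import fnmatchcase

# Constructed AWS-style policy: a JSON document that names resources by ARN pattern.
AWS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-reports/payroll/*"},
    ],
}

# Constructed Azure-style assignment: a role granted at a scope in the resource
# hierarchy, applying to that scope and everything beneath it.
AZURE_ASSIGNMENT = {
    "role_actions": ["*/read"],  # hypothetical read-only role
    "scope": "/subscriptions/sub-0000/resourceGroups/rg-reports",
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def match(value, patterns):
    # Simplification: fnmatch wildcards stand in for each platform's own matcher.
    return any(fnmatchcase(value, p) for p in as_list(patterns))

def aws_allows(policy, action, resource):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (match(action.lower(), [a.lower() for a in as_list(stmt["Action"])])
               and match(resource, stmt["Resource"]))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def azure_allows(assignment, action, resource_id):
    """Granted when the resource is at or below the assignment scope."""
    scope = assignment["scope"].rstrip("/").lower()
    rid = resource_id.rstrip("/").lower()
    in_scope = rid == scope or rid.startswith(scope + "/")
    actions = [a.lower() for a in assignment["role_actions"]]
    return in_scope and match(action.lower(), actions)
```

On the AWS side the exception for the payroll prefix is written into the policy document; on the Azure side the boundary is the position of the resource under the assigned scope, so a sibling resource group is out of reach without any explicit rule.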
As a result, implementing consistent security and governance across multiple cloud platforms can be a steep challenge. IT teams must become proficient in multiple systems, each with its own technical intricacies and best practices. Therefore, continuous investment in training is vital when adopting a multi-cloud strategy.
To tackle this challenge, organizations turn to platform-agnostic security tools from third-party vendors that provide cybersecurity solutions with a unified interface and a single operational model across multiple cloud environments. This approach allows for consistent data classification, file tagging and access control policies across all the major cloud platforms. As a result, security personnel need to master just one access control policy system, instead of having to gain deep expertise in each one individually.
Convenience: Easy Browser Access Opens Attack Paths
Regardless of which cloud providers an organization utilizes, the browser is the primary means of access. This model offers the flexibility that the modern workforce demands: Users can easily access cloud data and workloads from their corporate-issued desktop in the office or a personal device at home or while traveling.
Of course, attackers are eager to abuse this easy path to sensitive data and critical systems. In particular, they could steal browser cookies and extract critical tokens issued after the user has authenticated to a service like Azure and successfully satisfied any MFA steps and any conditional access policies. By injecting these tokens into a new browser session, the adversary can potentially bypass security checks and access any data and systems that the authenticated user has been granted permission to use.
Best practices for mitigating this serious risk include the following:
- Enhancing endpoint security to prevent the compromise of browser cookies.
- Adopting a Zero Trust model that does not rely solely upon initial authentication but instead assesses every access request based on risk.
- Training users on the risks associated with leaving sessions open on shared or unsecured devices and other core aspects of browser security.
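The second practice, assessing every request rather than trusting the initial authentication, can be sketched as a check that compares each request's client context with the context in which the session token was issued. This is an added example, not code from the original article or from any product; the log records are constructed, the field names are hypothetical, and the decision rules are one possible policy.

```python
# Constructed session log; field names are hypothetical. The ASNs come from the
# range reserved for documentation.
EVENTS = [
    {"ts": 1, "session": "s-A", "event": "issued", "device": "dev-1", "asn": 64500},
    {"ts": 2, "session": "s-A", "event": "request", "device": "dev-1", "asn": 64500},
    {"ts": 3, "session": "s-B", "event": "issued", "device": "dev-7", "asn": 64501},
    {"ts": 4, "session": "s-A", "event": "request", "device": "dev-9", "asn": 64510},
    {"ts": 5, "session": "s-B", "event": "request", "device": "dev-7", "asn": 64502},
    {"ts": 6, "session": "s-C", "event": "request", "device": "dev-3", "asn": 64503},
]

def assess(events):
    """Return (ts, session, decision) for every request, in time order."""
    baseline = {}   # session id -> (device, asn) recorded at token issuance
    decisions = []
    for e in sorted(events, key=lambda e: e["ts"]):
        sid = e["session"]
        if e["event"] == "issued":
            baseline[sid] = (e["device"], e["asn"])
            continue
        issued = baseline.get(sid)
        if issued is None:
            decision = "deny"      # token with no recorded issuance
        elif e["device"] != issued[0]:
            decision = "deny"      # token presented from a device it was not issued to
        elif e["asn"] != issued[1]:
            decision = "step_up"   # same device, new network: require re-authentication
        else:
            decision = "allow"
        decisions.append((e["ts"], sid, decision))
    return decisions

if __name__ == "__main__":
    for row in assess(EVENTS):
        print(row)
```

The request at `ts` 4 carries a valid session identifier and would pass a check that only looks at the initial authentication; it is refused here because the device differs from the one the token was issued to.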
Conclusion
It is vital for both IT teams and senior leadership to recognize both sides of the coin — the strategic opportunities as well as the potential gotchas — that come with adopting a multi-cloud strategy. Successfully transitioning to a multi-cloud model requires the development of a robust security and compliance framework that enforces consistent governance policies and procedures across all platforms.
By Michael Paye, VP of Research and Development at Netwrix