Cloud awareness and adoption continues to grow as more enterprises take advantage of the benefits that come with multiple cloud platforms. As this trend continues its upward trajectory, we see more tech vendors coming to market with new tools designed to address a variety of different challenges.
Whether you are switching up your multi-cloud strategy or starting from scratch, here are a few things your organization needs to know first about multi-cloud.
Determine what features will either make or break your multi-cloud strategy
When picking the best multi-cloud structure for your business, be bold. Build a vision for what you need cloud services to do for your company; worry less about “how” and more about the “why” and “what” you need from your providers. The reality is that top cloud providers in IaaS/PaaS and, separately, SaaS spaces are offering extremely versatile capabilities and compelling value. It is important to understand what features are make or break and which ones change the way your organization works when it comes to selecting vendors.
Outside of single requests for a new or different capability, your organization needs to rationalize the different needs for each down to “collections” of related needs. For example, consider SaaS for well-known, repeatable needs first, then look to move or re-deploy capability into IaaS or build natively in PaaS for efficient applications.
Security measurements that are important when architecting a multi-cloud structure
First and foremost, avoid looking at your new cloud infrastructure as a separate environment. It’s not merely a new data center, so an organization also needs to consider how switching to a cloud infrastructure will shift how the organization secures assets. Consider looking to resources like the MITRE ATT&CK matrix and the Center for Internet Security’s Basic and Foundational Controls list as a guide for answering this question: “In the future, how do I maintain unified visibility and security when I incorporate new cloud providers?”
For a successful multi-cloud migration, use your cloud access security layer and a platform that ultimately unifies your policy and threat identification approaches. Identity is another common challenge area. Moving to the cloud at scale often requires your organization to “clean up” your identity directory to be ready and accommodating of shared sign-on. By using an identity management and/or aggregation platform to expose identity to well-known cloud services, you will be able to ease the cloud implementation burden and threat exposure of any given provider.
It’s important to know that your organization’s compliance requirements are not mitigated or transmuted simply because the data has left your internal environment and entered the one your cloud provider(s) uses. As your organization matures, the way you manage and align your cloud provider’s capabilities to your compliance requirements should evolve accordingly.
Initially, ensure that your company requires business unit executives to apply or accept the risk of compliance obligations where service providers may not have every requirement. Your legal team should be a part of the initial purchase decisions, armed with technical knowledge to help identify potential “rogue” cloud services and policy guidelines that dissuade employees from adding services “on a credit card” without appropriate oversight.
As your organization gains more experience with the cloud, request that providers share copies of the SSAE16 attestations / audits. This, together with more formal due diligence processes, should become commonplace. Organizations looking to advance in this space would be well-advised to look at the Cloud Security Alliance’s STAR attestation and the associated Cloud Controls Matrix as a ready accelerator to benchmark cloud providers.
Approaching buy-in from exec/C-level on a multi-cloud strategy
Use of cloud services should reflect the strategic focus of the business. Technology leaders can leverage the benefits of these services to underpin initiatives in efficiency, bringing innovation to market and controlling costs. To strengthen this message, technology department heads should consider the metrics and operations adjustments that will allow them to demonstrate the enhanced value of the cloud beyond just the bottom line. If you are trying to get exec/C-level buy in, consider the following:
- How will you measure the speed of introducing new capabilities?
- Are new areas of value or product enhancement made possible through cloud services?
- How will the organization measure and control usage to hit your cost targets?
- How do you know whether your organization is getting what you have contracted for from cloud providers?
- Do you have a mechanism for commercial coverage of the organization when things go wrong?
Protect your organization and secure the cloud
Organizations will often “upgrade” in some areas of basic security (perimeter, basic request hygiene) when making the move to well-known cloud providers. How the overall security posture is affected depends heavily on the level of diligence that goes into onboarding new cloud providers. Implementing critical technical measures like the Cloud Access Security layer and policy around how the cloud is procured and technically implemented should drive basic control requirements.
As the number of cloud providers scales in the environment, your organization needs to assess and document them based on how much your organization depends on a given service and the sensitivity of the data those services will hold. Services that are prioritized higher on these two fronts should have increased organizational scrutiny and technical logging integration in order to maintain the overall defensive posture of the company.
As with any other technology trend, the missteps in making the transition to business and consumer cloud services have received outsized coverage. Take the time to dive into the “hows” and “whys” of early cloud breaches to avoid becoming a potential victim. A resource like the Cloud Security Alliance’s “Top Threats to Cloud Computing: Deep Dive” and McAfee’s report on “Practical Guidance and the State of Cloud Security” can be a great place to start.
Learning from someone else’s experiences is always highly preferred, though. After all, learning about cloud incident response after the fact can be a hard, costly lesson!