Developing a multicloud security strategy

Even before the COVID-19 pandemic, many organizations were operating in a multicloud environment. Indeed, eighty percent of 150 Federal IT decision makers surveyed by MeriTalk in 2019 said their agency already uses multiple cloud platforms. In the post COVID-19 era, as organizations adjust to a more decentralized workforce and recalibrate their business models, this reliance on multiple cloud platforms will increasingly become the norm.

Beyond the pandemic, main drivers of multicloud adoptions include mergers and acquisitions, and cost and capability differences among providers that might require a more diversified approach. Yet, as with most every technological advancement, the move toward multiple cloud environments, which brings added flexibility and scalability, can also pose new, and often unanticipated, risks. And maintaining multiple cloud providers can create confusion if mature enterprise governance is not in place.

A recent white paper from ISACA (where I am a board director) on the security impacts of a cloud environment provides context around why the multicloud security landscape is becoming prevalent and what organizations need to do to adapt. As the white paper indicates, “Implementations can be driven by different groups: One business team may employ a different cloud provider from the one strategically selected for broader organizational use.” By the time IT is aware of the usage, several business processes may have been set in motion that are dependent upon it.

Developing a multicloud strategy is a security imperative

Proper multicloud governance comes with benefits, including cost advantages, lowering initial investments in an OPEX vs CAPEX model, and better integration with existing security processes.

The key is cultivating a sound multicloud security strategy, beginning with a discovery phase that includes an inventory of current cloud providers in use and how they are being deployed. As the ISACA paper indicates, “To develop a multicloud strategy, it is important for an enterprise to do more than simply recognize that multicloud is occurring. Instead, the enterprise must align its tools, processes, monitoring capabilities, operational mindset and numerous other elements of its security plan to consider that multiple providers are in play. Compliance requirements and risk tolerance must also be considered. The enterprise must have a solid business case driving multicloud usage—one that identifies risk impact, whether that risk is increased or decreased).”

The strategy should also seek to ensure the IT department is well-informed and connected to the organization’s cloud usages and that there is an ongoing mechanism in place to monitor cloud relationships. This includes the ability to drive forward any needed changes to those relationships based on regulatory changes, the organization’s internal business environment and other factors that necessitate flexibility.

For enterprises that choose to pursue a multicloud environment, the success of that approach will be dictated by whether a holistic strategy is in place and executed to ensure value is being added while mitigating the related security vulnerabilities. To do so, organizations need a clear understanding of their current state and then should align any additional cloud usages with foundational elements of their overarching enterprise security and vendor management plans. Multicloud environments can play a big part in enhancing enterprises’ ability to optimize technology, provided they are intentional about the way their cloud services are deployed and secured.