Most businesses now have an IT infrastructure that makes use of multiple cloud services providers. A new study from Business Performance Innovation (BPI) Network finds that multi-cloud security has become the biggest immediate IT challenge for businesses, as the authorization and authentication handoffs between these different services provide ample opportunity for things to go wrong.
Mapping multi-cloud architecture with BPI
The mass movement of businesses to a multi-cloud provider model can be traced back to a number of things: a desire to not be locked in to one vendor’s products, lack of necessary tools from a single vendor (or that vendor not offering those particular tools at a competitive price point), and network improvements such as lower latency and downtime.
There is, however, a widespread errant belief that somehow a multi-cloud setup is inherently more secure. This can be true, but only if sensitive data is exclusively stored on and accessed from a private part of the cloud that is properly monitored and managed by IT staff. What tends to happen in reality is that these disparate cloud components end up being difficult to integrate and train company personnel on. This leads to all sorts of mishaps, from misconfigured storage buckets being breached to vendors being given access to a much higher level of sensitive data than is required.
These are some of the themes seen in BPI’s “Mapping the Multi-Cloud Enterprise,” a survey of the multi-cloud security practices of 127 business and IT decision-makers at a mix of international companies of varying sizes. The survey revealed that 8 out of 10 businesses have implemented a multi-cloud infrastructure, and just over half of these have moved more than half of their applications to the cloud. Over the next two years, 84% expect to increase their use of public or private clouds and only 2% planned to decrease their use. 52% are planning to incorporate additional cloud services in the near future, with only 13% ruling out the possibility.
Though these businesses seem to almost universally be shifting to a multi-cloud approach, only 11% rated their transition as “highly successful.” Multi-cloud security is the #1 issue cited. Among their central problems, these companies reported difficulty juggling all of these cloud services and finding and training personnel capable of securely managing them, along with troubles with automation and performance, visibility issues and issues with scaling.
63% of the companies named multi-cloud security as one of their top challenges. Specific security needs were led by centralized authentication (62%), centralized security policies (46%), web application firewalls (40%) and DDoS protection (33%).
Only 9% of the companies surveyed reported being “extremely satisfied” with the current state of their multi-cloud security. The vast majority of respondents (82%) were either currently re-assessing their security and cloud services suppliers or were at least considering such an evaluation. The majority (51%) reported either only being “somewhat successful” with their cloud implementation or entirely unsuccessful.
Two-cloud (36%) and three-cloud (17%) setups are the most common multi-cloud configurations. About 10% of respondents have adopted four or more cloud services as part of their digital transformation.
Multi-cloud security: Incompatible with complexity?
Complexity and security are two concepts that are always inherently tough to reconcile. As Dave Murray, BPI research chief, put it: “IT and business leaders are struggling with how to reassert the same levels of management, security, visibility and control that existed in past IT models.”
The most common multi-cloud security issue is the potential for misconfigurations, along with the temptation to simply weaken authorization processes to make sure everything moves from one app to another smoothly. The more disparate cloud components are added, the more visibility also becomes a problem. This is often the reason that unsecured data buckets are found and breached online.
Another overlooked (but potentially serious) issue that impacts enterprises worldwide is the increased burden of regulatory and legal compliance expenses, particularly in regions such as the EU that require extremely detailed data tracking and reporting. Even if a company deploying multi-cloud is not strictly required by law to have a data protection officer, it may find a need to create such a position (or even a team) simply to track compliance issues and data requests as the cloud architecture expands.
The increased possibilities of “shadow IT” and unauthorized access also need to be accounted for in any multi-cloud security plan. Frustrated by an inability to get different services working together, staff may simply create insecure workarounds. Vendor compromise and third-party data breaches have also been in the news recently just as much as unsecured Amazon S3 buckets have; the cause of this is often simply handing third-party partners too much access to circumvent having to navigate complex or non-functional authentication procedures…