Many organizations today are adopting a multi-cloud strategy, using services from several cloud providers and deploying offerings such as software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) to meet a variety of business needs.
A report from research firm Forrester Research and cloud company Virtustream released in July 2018, based on a global online survey of more than 700 cloud decision makers, found that 86% of enterprises have adopted a multi-cloud strategy, and 60% are moving critical applications to the public cloud.
As organizations increasingly focus on migrating applications to the cloud, investments in cloud technology and resources are on the rise as well. The researchers found that nearly half of enterprises report at least $50 million in annual cloud spending. And a large majority of respondents plan to increase or maintain their investments over the next two years, including resources devoted to internal staff and external vendors.
Most organizations today are adopting a multi-cloud strategy to optimize performance and meet their business objectives, the study said. They are leveraging multiple public and private clouds for different application workloads, with performance cited as the top consideration for most when matching workloads with cloud environments.
The multi-cloud strategy can lead to a number of benefits, such as reduced costs and increased flexibility. But it can also result in expected security and data management challenges.
An October 2018 article on CSO.com noted three top multi-cloud security challenges. One is increased complexity. Having to coordinate security policies, processes, and responses across multiple cloud providers and services, and to operate an expanded network of connection points, adds layers of complexity, the article said. In some cases organizations will also need to comply with the regulations of multiple countries.
Another challenge is the lack of visibility. IT organizations oftentimes don’t know about all the different cloud services employees are using, because they can easily bypass IT to purchase cloud-based offerings on their own.
The third challenge is new security threats. Enterprise security leaders need to recognize that emerging multi-cloud environments can lead to new threats and vulnerabilities, the article said.
On top of that, it’s been established that a lot of organizations are confused about who’s responsible for what when using cloud services. For example, a global survey of 1,200 business and IT decision makers conducted by research firm Vanson Bourne in late 2017 revealed that significant misconceptions exist about who is responsible for data management.
About 70% of the organizations surveyed wrongly thought data protection, data privacy, and compliance were the responsibility of the cloud service provider, according to the report, which was commissioned by Veritas Technologies.
Organizations surveyed indicated they use a variety of cloud service providers, including public clouds and hosted private clouds. With respect to IaaS specifically, about two thirds of organizations said they were using or planning to use two or more cloud providers. Forty-two percent said they were using or planning to use three or more cloud providers.
The research showed that when it comes to public clouds, there are likely misconceptions around which party holds the ultimate responsibility for data management, the customer or the cloud provider. For example, 83% of organizations that use or plan to use IaaS think their cloud service provider takes care of protecting their data in the cloud. More than half think it’s the responsibility of the cloud service provider to securely transfer data between on-premises and the cloud, and that it’s the responsibility of the cloud provider to back up workloads in the cloud.
The CSO.com article suggests a few best practices for building and managing a multi-cloud environment. One is to identify all the cloud services in which data resides and make sure the organization has a strong data governance program with complete visibility of data and related IT services and assets.
Another is to implement conventional security measures as needed for securing multi-cloud environments. This includes the use of encryption and identity and access management solutions such as two-factor authentication.
Organizations also need to standardize their policies and architecture to ensure consistent application, and automate as much as possible to help limit deviations from the security standards, the article says. They should adopt frameworks such as those from the National Institute of Standards and Technology (NIST), ISACA’s Control Objectives for Information and Related Technologies (COBIT), the ISO 27000 Series, and the Cloud Security Alliance’s Cloud Controls Matrix (CCM).
In addition, organizations should deploy emerging technologies that are designed to allow cyber security teams to better manage and enforce multi-cloud security strategies. These include cloud access security brokers and artificial intelligence systems that more accurately detect anomalies that might indicate suspicious activity on networks.