Multicloud security is a cloud security solution that allows comprehensive data protection across multiple cloud platforms, including both private clouds and public clouds like AWS, Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI). Organizations can use multicloud security to protect all cloud platforms and their varying functions.
Multicloud adoption is no longer a choice—it's an essential element in the fast-paced, modern organization where agility and flexibility impact business success. While multicloud environments offer tremendous benefits to organizations, they also create greater complexity that can lead to security gaps and inefficiencies, making it difficult for organizations to achieve the full benefit of cloud economics.
To harness the full benefit of cloud economics, organizations need a strategy for multicloud security. This article reviews multicloud security architecture, requirements, challenges, and best practices to help organizations optimize their multicloud strategy regardless of where they are in their journey.
Multicloud adoption has accelerated in recent years. In the 2022 Hybrid Cloud Trends report commissioned by Cisco, 82% of IT leaders reported they have adopted hybrid cloud and 58% of organizations use between two and three infrastructure-as-a-service (IaaS) clouds [1]. Gartner reported that, by 2023, 40% of all enterprise workloads would be deployed in cloud infrastructure and platform services, up from 20% in 2020 [2]. Undoubtedly, organizations have embraced all the benefits multicloud environments have to offer. While the majority have already invested significantly into more than one cloud to support digital transformation and other initiatives, many plan additional investments to further enable their digital business.
Multicloud success, however, remains elusive for many organizations. Among midsize organizations, for example, only 50% report that multicloud has helped achieve business goals, according to a 2021 survey by HashiCorp [3].
In conversations with customers, many have called out cost management, governance, and visibility as common barriers to adoption and deployment of multicloud environments, but one factor that consistently lingers at the top is security. In a 2023 Valtix survey, 51% of IT leaders agreed or strongly agreed that their company doesn't want to expand to additional clouds because of the security complexities.
One driver behind the challenges is the expectation that you can simply extend your data center or on-premises security framework into the cloud. However, to solve the security complexities associated with multicloud environments, your strategy needs to adapt to the dynamic environment with a cloud-first approach.
This article recommends a security model that can help you advance on your multicloud journey at the speed of the cloud—and your business.
Figure 1. Tools used for achieving security requirements across cloud service providers
Multicloud environments add additional layers of risk to organizations. Risk can stem from a multitude of challenges, including:
Just as there are threats to on-premises environments, there are threats that affect multicloud environments too. Considering the diversity of threats that can affect an organization's cloud environment, it's no surprise that 73% of organizations are very or extremely concerned about cloud security. Some of these threats include:
The risk of breaches and data loss commands the most attention. In the 2023 IBM Cost of a Data Breach Report [4], the average cost of a data breach across the board was US$4.45 million. The report's cloud-specific data points note that 82% of breaches involved data stored in the cloud and 39% of breaches spanned multiple environments. Breaches spanning multiple environments also incurred a higher-than-average cost of US$4.75 million, making data loss prevention and protection against lateral movement a necessary focal point in any multicloud strategy.
While navigating the cloud threat landscape, organizations must grapple with numerous multicloud security challenges, including:
Many of these aspects require granular expertise—not only in cloud networking and security but also in each cloud provider's product offerings and services, architecture, automation, and security tools—compounding the challenges.
The shared security responsibility model of the public cloud keeps security teams on their toes. Providers typically offer guidelines, but in practice, you can't rely on them completely—and the lines sometimes appear fuzzy. This became especially evident considering recent exploits we've seen within cloud-provider services, which required the end users to mitigate while waiting for a fix.
In a traditional service outsourcing model, your provider would work with your team to clearly define the boundaries. That's not the case in the cloud.
Things get even more challenging in the constant parade of updates and new services from providers. They introduce dozens of services, hundreds of new features every year, and numerous updates. Developers eagerly consume the services because they solve specific problems or add new capabilities. The rapid pace of change makes their job easier—and the security team's job harder.
This throws security teams into a perpetual cycle of catch-up, trying to figure out the implications of each change. Multiply this challenge by the number of clouds you've deployed, and the problem is quickly exacerbated.
Figure 2. Shared responsibility model
Reduced visibility and control are common problems, with 53% of surveyed cybersecurity professionals identifying a lack of visibility and 46% calling out inadequate control as their top barrier to adoption [3]. Other risks include insecure APIs and lack of a centralized view across multicloud.
The cybersecurity industry has grappled with a talent shortage for years, with the latest data showing a gap of 3.1 million security workers globally in 2020 [5]. Provider-specific security requires deep expertise with each cloud's configurations, intensifying the talent issue.
The variations in controls in individual clouds and app architectures result in inconsistent policy enforcement across your environment, leading to gaps in protection and reduced security posture.
Although your cloud architecture and security approach are different from on-premises, the tenet of multilayered security still applies. There's no one-size-fits-all solution that covers all the threat vectors and types of attacks. When building out your security layers, consider capabilities such as:
In contrast, a solution that delivers both networking and security in a cloud-native way has many benefits, it:
Cloud vulnerabilities are one of the biggest challenges for security teams. Consequently, these teams devote much of their time to patching. But managing vulnerabilities alone will not protect you against zero-day threats. By the time a vendor knows about a new threat and creates a patch, it may be too late.
Just like on-premises, the multicloud needs both proactive and reactive defenses. Active defense enables you to block attacks, restrict unauthorized access to assets, and defend against new and emerging threats. The goal should be to break the attack kill chain in multiple places and not rely on a single point of failure in your defenses. For example, to stop an attacker on a breached server, a malicious insider, or a ransomware attack, an effective last stop is to restrict all outbound traffic to known categories of sites, domains, and URLs.
Although multicloud security solutions have different functionalities based on their category, they share a set of common criteria, such as simplicity of deployment and management. When evaluating a vendor's multicloud security solution, consider the following aspects:
To detect malicious activities such as data exfiltration, you need to combine your cloud asset information and threat intelligence with complete visibility into all traffic flows, including inbound from and outbound to the internet, east-west, and to platform-as-a-service (PaaS) services.
A solution with a thorough and robust feature set will reduce or eliminate the need for multiple point products and enable you to consolidate your cloud security. Look for critical capabilities such as dynamic policy enforcement, segmentation, network protection (cloud firewall), and web protection.
If your security only allows you to react to threats rather than proactively stop them, your team will always remain at least one step behind the adversary. In the past, active defense required an agent-based solution. Now, organizations can achieve active defense with an agentless approach, reducing deployment and maintenance challenges.
Business requirements and environments continuously change, and security needs to be able to quickly scale in and out to adapt to those changes. The multicloud security solution should automatically scale security to meet demand, discover new assets as they are implemented in the production environment, and apply context-based policy—all without manual intervention, so your team doesn't have to constantly worry about operating the tool across multiple clouds, regions, and accounts.
Your cloud security solution shouldn't amplify the complexities of an already complex multicloud environment, yet many vendors' products are difficult and time-consuming to deploy across public cloud infrastructure. Look for a turnkey solution that simply achieves outcomes, is fast to implement, and works natively in your environment. This will eliminate the need for admins to manually adapt the environment—instead, the solution "learns" the environment through the APIs in that cloud.
A centralized control plane across disparate clouds enables you to enforce security policies consistently from one controller, simplifying multicloud management and alleviating complexity. To achieve this, the security solution should provide an abstraction layer that decouples the control plane and data plane.
Figure 3. Cisco Multicloud Defense's comprehensive approach to multicloud network security
Cisco Multicloud Defense solves the complexities of deploying and managing security in multicloud environments. Delivered as a service, it unifies security controls across AWS, Azure, GCP, and OCI through a single control plane, bringing simplicity to complex multicloud environments.
Today's IT and DevOps teams move fast to support digital transformations and other initiatives that keep your business competitive. Cisco Multicloud Defense helps your teams to achieve the full benefit of cloud economics with the skilled resources you already have and without compromising on security.
Multicloud adoption is no longer a choice—it's an essential element in the fast-paced, modern business environment where agility impacts the success of your business. Without understanding the full spectrum of challenges and requirements of the multicloud, it would be difficult to account for the obstacles and risk you may face on your cloud journey. You can overcome the hurdles by shifting to a cloud-first mentality—implementing security solutions that minimize complexity and risk by design, helping your organization securely stay in control in an ever-changing multicloud world.