Securing the future – where are the risks in multi-cloud?

An abstract image of a magnifying glass over a digital cloud.
(Image credit: Shutterstock/Illus_man)

Covid-19 has been a significant catalyst for organizations to move to the cloud, with widespread remote working pushing companies along their digital transformation journeys at a faster rate than ever before. As businesses integrate and adopt numerous services, many are combining different methods across public, private, hybrid cloud, and on-premises solutions. This has made multi-cloud, in one form or another, an increasingly essential part of the everyday operations for many businesses.

With this in mind, some have gone as far to predict that 2021 will be the “year of multi-cloud”. According to IDC, with many organizations set to maintain remote or hybrid working as a permanent fixture, multi-cloud will become the standard as businesses migrate old - and store new - data in multiple cloud environments. The multi-cloud strategy presents many new opportunities, namely they reduce vendor lock-in, and allow organizations to adopt the best functionality rather than compromise.

However, with these new opportunities come fresh challenges, as threat actors look to expose the vulnerabilities of the distributed workforce operating in and with the cloud. If multi-cloud is set to boom in the coming year, then what are the potential threats that businesses should be aware of from a security perspective, and how can you get ahead of the potential new threat actors targeting your business?

Cyber-criminals can hold you to ransom on the cloud

So how can businesses fight back against these attackers and protect themselves?

Businesses are combining multiple, public cloud services, choosing different vendors for different functions to get the best value for money and scalability. In addition, many are undergoing a sudden transition and transformation to the cloud, in part due to the pressure to adapt to remote working in the age of Covid-19, while also needing to improve workflow and efficiencies in the current climate. However, this approach brings additional security demands, as businesses must locate and secure data across multiple clouds, supported by different cloud vendors.

On top of that, businesses have to deal with the increased risk that remote working brings. Through a transition to the cloud, employees are accessing that data from untrusted networks. So not only are businesses dealing with multiple data sets sitting in multiple clouds, they are being accessed via insecure networks and therefore the surface attack area for attackers is growing. The attacker’s first port of call is to attempt to compromise weak credentials, unprotected devices or untrusted networks in their efforts to steal valuable data or hold businesses to ransom.

A noticeable trend during the pandemic has been a spike in application attacks on websites. These attacks are looking for weaknesses in your website, either in the coding or in obsolete components used within. Once exposed, the damages can be huge as can be seen in the myriad of different breaches disclosed every year. In a recent Akamai panel discussion on the topic of multi-cloud, its researchers revealed that they detected a 200 percent rise in attacks on applications during the pandemic, with one million a day in January rising to around approximately three million a day in September.

Keep on your toes – how to knock out the attackers

Businesses are reaping the rewards from using multi-cloud, which enables them to adopt different services based on their individual requirements, and reduce the chances of lock in. The counter side of this is the complexities that come with it, as it requires different skill sets and can impact the speed of deploying new applications. Different cloud providers also mean different security measures, and the associated knowledge to ensure that they are all at the same level. This is no mean feat as it sometimes comes down to matching apples with oranges. So additional orchestration is needed to manage the multiple security configurations.

As we all know, the last thing businesses need is unnecessary layers of complexity. So, it is key when operating across multiple cloud services to try and achieve an overarching cloud security solution. This is by far the best way of securing different cloud platforms and making sure that the sensitive data being stored within a multi-cloud environment is as protected as possible.

As with any style of security, organizations need to lock down a singular security policy. The issue with the cloud is ultimately geared around flexibility, developers, and the speed of delivery – it is a great enabler for agile workforces. This is great news for building in additional functionalities within the business itself. However, the flip side is that cloud services which enable companies to keep on adding new features can potentially result in several functionalities that may not be as secure or too exposed. The “Click next-next-next” deployment process can easily lead to unsecured blobs and buckets that are all too easily exposed and breached.

Take no chances, adopt a zero-trust approach

When this is combined with the majority of users now accessing these cloud solutions from untrusted networks the risk is increased. It is necessary, therefore, to adopt a zero-trust approach to security, when accessing both cloud and non-cloud-based applications. This can be done in a variety of ways, but the most effective, productive and simple would be through a cloud-based Identity Aware Proxy (IAP). With the proxy approach, not only are users authenticated against your own identity platform with additional MFA if required, but are also checked for authorization too.

IAP relies on application-level access controls, not firewall rules; meaning configured policies can reflect user and application intent, not just ports and Ips. Through the cloud, this can also be delivered as a service. This is a function within the Secure Access Service Edge (SASE), created by Gartner as a mechanism that merges the functions of a network and security point solutions into a unified, global cloud-native service. It allows enterprises to reduce complexity and enables their IT staff to eliminate mundane aspects of the network and network security operations – essentially reducing their technical debt.

Once the correct security architecture is in place, it is also essential that businesses remember to constantly test, probe, and update their defenses. For cyber-criminals, it is essentially a numbers game – many of these opportunistic hackers will be deterred against wasting their time if they see that your business has built in an adequate cyber-defense. As a result, by testing and reviewing infrastructure effectively, organizations can better understand the current methods cyber criminals are using and build-in protections against potential new threat vectors. If you keep your house clean and tidy, it is less likely to attract mice; similarly, if you practice cyber-hygiene and make cloud security a top business priority, the environment is made much less attractive for attackers.

Ultimately, the buck stops with businesses

Multi-cloud was always going to grow in adoption, as businesses look to become more efficient and streamlined. The pandemic has, nonetheless, been a massive accelerator this year in terms of cloud adoption and digital transformation. Realistically, every company preparing for success had five-year transformation plans, many of which were constricted down to 18 months, as the world saw wholesale changes. With this in mind, multi-cloud will develop in a slightly different format as we head into 2021, as businesses start to refocus on the plans that they had in place before Covid-19 hit and accelerate plans at a greater pace than ever or launch new ones they were previously too cautious to kick off.

The basic security rules first learnt some 20 years ago with secured networks are still very much applicable in the cloud though. Just because the world we operate in today is in large part virtual, it does not mean the rules have changed. It is still the responsibility of businesses to take ownership and responsibility for the data they collect and store. They are the ones that will suffer the fines and reputational damage if a breach occurs and they have not put the necessary protections in place.

Ultimately, it does not matter if businesses are investing in public cloud, hybrid cloud, or mixing these environments with on-premises solutions. As the world accelerates its digital transformation strategies, having that overarching single security policy in place that protects applications and users, is essential to negate the potential risks that comes with storing sensitive data in multiple places and keeping the company secure.

Richard Meeus, Director of Security Technology and Strategy EMEA, Akamai

Richard Meeus

Richard Meeus is Security Technology and Strategy Director for Akamai's EMEA region and is responsible for technical strategy across the region.

He is a highly experienced and commercial pre-sales executive with a strong 20+ years track record in EMEA, including 11 years of continuous knowledge building of MEA countries. Focussed on building solutions and ensuring customer satisfaction. Passionate about delivery and technical development, commercially aware and with strong stakeholder management skills.