Multi-cloud environments promise major business benefits, from greater agility and scalability to best-in-class tools across providers. Implementing a multi-cloud strategy can enhance cyber resilience and accelerate disaster recovery. But this approach expands an organization's attack surface, increasing the number of potential vulnerabilities that must be managed.
While the benefits and the risks go hand-in-hand with multi-cloud computing, organizations can take steps to mitigate threats and maximize their cloud investments. This article explores such recommendations.
Chief Technical Officer at Netwrix.
Managing benefits and risks
A major attraction of cloud platforms is their pace of innovation. Providers are constantly updating their solutions, introducing frequent updates that bring new features and capabilities that aim to deliver more value to an organization.
For a number of an organization's employees, this is great as they use these new features instantly without the delay of implementation cycles. But for security teams, it creates a constant game of catch-up.
These new features may not be optimized for an organization's specific needs, which is especially concerning when dealing with sensitive data.
As organizations increase the number of cloud providers that they utilize, the greater the risk of security blind spots. AWS, Azure, and Google Cloud all work differently. Their documentation varies in depth and clarity, a fix that works in one environment might not apply in another, and even small differences, like how they handle user roles or encrypt data, can lead to security blind spots.
Organizations must take on the responsibility to stay current with continuous changes and ensure that the latest features are correctly configured to be effectively utilized while maintaining security. Automation and management tools can help in achieving these outcomes.
Aligning security across a fragmented cloud landscape
Managing a multi-cloud environment is like coordinating several sports teams during the Olympics, each playing a different game by their own rules but aiming for the same overall gold medal for their country.
While using multiple cloud providers allows organizations to tap into diverse capabilities and meet a variety of business needs, it also introduces a fragmented ecosystem of tools, policies and configurations that can be difficult to manage effectively.
Every cloud provider offers unique advantages. Some excel in data analytics, others in AI integration or compliance-ready services. However, with that specialization comes inconsistency.
For example, identity and access management (IAM) can differ significantly: one provider may rely on detailed, policy-based permissions, while another prioritizes role-based simplicity.
These differences can lead to mismatches in security expectations and implementation, especially when trying to create consistent access rules across platforms.
Rather than training staff to become experts in every provider’s native tools, which is both time-consuming and inefficient, some organizations are adopting cross-cloud security solutions.
These third-party platforms abstract away provider-specific complexity by offering a single pane of glass to manage controls such as access permissions, configuration auditing, and data protection.
This way, security teams can apply consistent policies, monitor configurations, and respond to threats, and thus reducing the mean time to respond (MTTR) across all environments.
Browser-based access: convenience meets vulnerability
The multi-cloud offers easy access from anywhere in the world that a modern company needs to offer to its employees. For a remote or hybrid workforce, browser access is essential. It's the fastest route to cloud apps and services. It’s also simple, scalable, and always available. The issue is that browsers also offer a clear path for cyberattacks to access critical systems and sensitive data.
Web sessions, once authenticated, often rely on session tokens and cookies to maintain access. If attackers get hold of these artifacts — whether via malware, session hijacking, or phishing — they can bypass multi-factor authentication (MFA) and impersonate legitimate users. Unlike a brute-force login attempt, this type of intrusion often goes unnoticed until damage is done.
To tackle this, organizations are increasingly shifting toward a Zero Trust security model approach where no request is inherently trusted, even after initial authentication. Contextual risk factors like device posture, geolocation, and time of access help shape dynamic decisions about whether a session should be maintained, challenged, or revoked.
In addition, hardening endpoint security helps secure session artifacts. Encrypting tokens at rest, enforcing auto-logouts on idle devices, and monitoring for anomalous session behavior all play a part. And of course, raising employee awareness around session hygiene, such as not leaving tabs open on shared devices, can close off simple but often exploited avenues of attack.
The clouded sky is the limit
Multi-cloud computing does offer many benefits to the companies that implement them. Flexibility, scalability and optimized performance to name a few. But organizations must be aware of the potential risks that come with these systems. They should investigate developing a robust security and compliance framework to ensure they are consistent across all the platforms in use.
We've featured the best encryption software.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.