If you built a security plan and physical security technology stack for a single public cloud provider just a few years ago, hopefully you don’t believe that you can replicate it across many cloud brands, or multicloud. It just won’t work.
The security mistakes I see today with multicloud deployment and operations are around selecting and deploying security architecture and enabling technology. That being said, I’ve compiled three pieces of advice for deploying multicloud security.
First, traditional approaches to security won’t work. Those of you who have had success in enterprises using traditional security approaches, such as role-based ones, won’t find the same results in multicloud. Multicloud requires that you deal with the complexity it brings and leverage security that can be configured around that complexity. IAM (identity and access management) married with a good encryption system for data both at rest and in flight is a much better option.
Second, you can’t use cloud-native security. Although the security that comes with AWS, Azure, and Google Cloud works great for the native platforms, it is not designed to secure a non-native or a competitor’s platform, for obvious reasons. Still, I run into enterprise users who use a cloud-native security platform as a centralized security manager and fail instantly.
The challenge with multicloud is that many common services (security, governance, management, monitoring, etc.) need to be managed as common services across all cloud brands within a multicloud deployment. This requires third-party security systems that can span different public cloud brands and also provide modern capabilities such as IAM.
Finally, you’re responsible for more than you think. Public cloud providers put forth the shared-responsibility model as a way to help their cloud customers understand that although the providers do offer some rudimentary security, ultimately enterprise cloud users are responsible for their own security in the cloud.
In a multicloud arrangement this is even more the case. A common security system and its use are the responsibility of the enterprise using multicloud. In this case it’s likely that you’ve not leveraged many cloud-native security services anyway to support a common model across cloud brands.
Security is a challenge for multicloud and requires a very different approach that most enterprises don’t yet fully understand. Hopefully, you’ll learn from these points and avoid the obvious mistakes.