Why Cloud-Forward Companies Need Cross-Cloud Security Solutions

A strong cross-cloud security strategy is essential to move the needle on business success.

September 29, 2022

In this article, Art Poghosyan, CEO & co-founder, Britive, delves into the impact DevOps, SecOps, and CloudOps can have on an organization’s security posture. It explores the various solutions available for each and provides best practices that security professionals can apply to their respective organizations.

Imagine a company building a new video streaming service in a multi-cloud landscape, using AWS for operations and GCP for their data storage and analytics. The company, let’s call them Company Y, is hiring talent left and right to gain expertise across multiple cloud environments. The building stage is going well and Company Y developers are making great headway. Despite the impressive progress being made on the build, the associated identity and privilege sprawl across the multi-cloud environment is quickly becoming a security concern. The pressure is on for the DevSecOps team to address Company Y’s growing attack surface, especially with an audit on the horizon.   

This is a common story in today’s digital marketplace. Business objectives and cloud security struggle to coalesce, as one’s progress can sometimes impede the other’s. But in the same way that progress is required to move the needle on a new business initiative, so too is a strong cross-cloud security strategy.  


Cross-Cloud Security Impact on DevOps, SecOps, and CloudOps  

Nearly 90% of companies working in cloud environments today use some form of a multi-cloud landscape, and 84% of organizations have experienced an identity-related data breach. The need for a cross-cloud security solution that tackles issues of identity sprawl is clear. The impact of an efficient access management security tool, one that secures identities and privileges without slowing development, can be felt across an organization, particularly for DevOps, SecOps, and CloudOps.

1. Security at the speed of DevOps  

DevOps is all about speed. With human and synthetic identities working around the clock, DevOps wants frictionless security solutions. Its primary objective is to develop and deliver the software the company needs efficiently, and security must be able to keep up.

At Company Y, DevOps recognizes the need for access control but resists bringing any tool onboard that will make them jump through a bunch of security hoops. An efficient, cross-cloud security solution that solves issues of over-privileged access without causing friction or delays will keep DevOps happy while safeguarding Company Y against the vulnerabilities of identity sprawl.   

2. Enabling SecOps with cross-cloud visibility

SecOps, on the other hand, has more skin in the game when it comes to the visibility functions of their cross-cloud security tool. They need greater visibility into who has access to what across their organization’s multi-cloud landscape. Following the Company Y example, SecOps would be responsible for securing identities on GCP, AWS, and SaaS applications. They must be able to identify high-risk privileges and standing permissions with ease. SecOps also needs to understand access behavior to develop better security strategies and enforce security policies without impeding DevOps efforts. 

Once the SecOps of Company Y has this access visibility in hand, it then needs to be able to accurately interpret the results and know which permissions and privileges to scale back. This process is difficult and extremely time-consuming, and it will not hold up as Company Y continues to scale. SecOps needs a cross-cloud security tool that will not only increase access visibility across their multi-cloud environment but also provide appropriate analysis. 

3. Giving CloudOps the tools to succeed

CloudOps is tasked with building a control system that provides visibility and access management across multiple cloud environments. This is noble work, but it is massively time intensive and usually is a work in progress at best. There’s no guarantee of success in this mission, which can cause security vulnerabilities.  

Company Y would be left high and dry in attempting to build in-house cloud controls if the person working their CloudOps were to leave the company suddenly. Realistically, can a fully in-house control system scale and evolve at the same pace as the rest of the company? Likely, the answer is no. CloudOps needs to team up with a cross-cloud security solution that can handle privileged entitlements and secrets for Company Y’s human and synthetic identities. 

Cloud-Forward Companies Need Cloud-Native Security Solutions 

Company Y is between a rock and a hard place—they must continue building to meet business goals, but they must put better security tools in place and enforce cloud security best practices through improved policies. How should they move forward? The answer is that cloud-forward organizations like Company Y require a cross-cloud visibility and enforcement security solution.

A multi-cloud security solution can quickly visualize and understand how privileges and permissions are being used, surmise the level of risk the company deems acceptable, and implement tools to protect privileged access. This allows organizations to develop faster while meeting key business objectives. It will also ensure that compliance is met and keep organizations prepared for future audits. The objective is to secure identities and privileges through a cross-cloud security tool, which may even allow organizations to merge SecOps and DevOps into DevSecOps.  

Organizations like Company Y need a solution that can provide modern security strategies like Just-in-time (JIT) access controls, ephemeral secrets governance, and cross-cloud visibility and analysis. These access controls can mitigate cross-cloud risks by granting and revoking privileges. JIT permissions expire in the minimum amount of time required to accomplish their tasks, or users can manually end them sooner, allowing frictionless access without creating situations of over-privileged entitlement. Cloud secrets governance combines a secrets vault that secures static secrets with dynamic cloud secrets that are automatically granted and revoked using JIT permissioning. Meanwhile, cross-cloud visibility and analytics provide cloud visibility and insight into misconfigurations, high-risk permissions, and unusual admin activity across SaaS, IaaS, PaaS, and DaaS solutions.
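The JIT lifecycle described above (time-boxed grant, early manual end, automatic expiry) and the standing-permission visibility SecOps needs can be modeled in a few lines. This is an added example, not code from the article or from any vendor product; `JitBroker`, `Grant`, `MAX_TTL` and the identity and role names are hypothetical, and time is passed in explicitly so the behavior is deterministic.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_TTL = 3600  # assumed policy ceiling in seconds; not a value from the article

@dataclass
class Grant:
    identity: str                 # human or synthetic identity
    cloud: str                    # e.g. "aws" or "gcp"
    role: str
    issued: float
    expires: Optional[float]      # None models a standing permission
    revoked_at: Optional[float] = None

    def active(self, now: float) -> bool:
        if self.revoked_at is not None and now >= self.revoked_at:
            return False
        return self.expires is None or now < self.expires

class JitBroker:
    """Hypothetical in-memory ledger; a real broker would call each cloud's IAM API."""
    def __init__(self) -> None:
        self.grants: List[Grant] = []

    def checkout(self, identity, cloud, role, ttl, now) -> Grant:
        if not 0 < ttl <= MAX_TTL:
            raise ValueError("requested TTL is outside policy")
        grant = Grant(identity, cloud, role, now, now + ttl)
        self.grants.append(grant)
        return grant

    def checkin(self, grant: Grant, now: float) -> None:
        # The user ends the grant before its TTL lapses.
        if grant.active(now):
            grant.revoked_at = now

    def sweep(self, now: float) -> List[Grant]:
        # Expired grants not yet revoked: the work list for de-provisioning.
        due = [g for g in self.grants
               if g.revoked_at is None and g.expires is not None and now >= g.expires]
        for g in due:
            g.revoked_at = g.expires
        return due

    def standing(self, now: float) -> List[Grant]:
        # Cross-cloud view of privileges that never expire on their own.
        return [g for g in self.grants if g.expires is None and g.active(now)]
```

Importing existing entitlements as `Grant` records with `expires=None` lets `standing()` list the permissions that should be converted to JIT checkouts.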

Success Hinges on Cloud-Native Security 

The business outcome of Company Y is dramatically impacted by its decision of whether or not to adopt a cross-cloud privileged access management security solution. If Company Y chooses not to use such a solution, their environments may be compromised, and their business objectives may be missed. Should Company Y select a modern security solution, they will be able to succeed in building and scaling their video streaming platform because developers will have the access they need. At the same time, their privileges are secured, and security compliance is met. With a security solution that can keep up with the speed of a cloud-native business, customers will grow while the company stays secure and efficient. 

Although Company Y is just a hypothetical scenario, the tension between efficient business development and maintaining strong security measures is a reality for many organizations building in the multi-cloud. Cloud-native companies are looking to scale and need to implement modern security strategies that work for a multi-cloud environment. Just-in-time (JIT) access controls, ephemeral secrets governance, cross-cloud visibility, and advanced data analysis are critical elements of a comprehensive cloud security tool.


Art Poghosyan
Art Poghosyan is CEO and Co-founder of Britive. Art is an entrepreneur with 20+ years InfoSec experience. Prior to Britive he co-founded leading Identity and Access Management (IAM) consulting company Advancive, acquired by Optiv in 2016. There, he shared the confidence of enterprise execs as they wrangled with protecting growing cloud landscapes.