More than 90 percent of companies moving to the cloud will use services from multiple cloud providers, according to an IDC white paper sponsored by Cisco. They want all the benefits the cloud can offer – data security, scalability, ease of use, high availability, and more – without vendor lock-in. But purchasing cloud services from multiple providers gives rise to a new set of challenges, especially when it comes to security. From my conversations with customers, there are many misconceptions about what the chief information security officer (CISO) should know before, during, and after deploying their multi-cloud strategy. Let’s set them straight.
Myth No. 1
Multi-cloud isn’t something I need to think about right now.
Organizations no longer ask why they need the cloud, but ask which cloud providers they should choose. The best cloud vendors are maniacally focused on better user experience, simplicity of deployment, and simpler API-based integrations. Because of this, it is easier than ever to use products from multiple vendors, become more agile in your IT strategy, manage costs better, and keep your applications current. This vendor flexibility is a massive shift: embrace it or lose one of the biggest strengths of the cloud.
Myth No. 2
Multi-cloud is the same as hybrid cloud.
People often use “multi-cloud” and “hybrid cloud” interchangeably, but the two models have distinct characteristics. Hybrid cloud describes an environment with a mix of public cloud services and an on-premises, private cloud. Multi-cloud describes an infrastructure consisting of two or more cloud providers. Organizations will typically use a combination of these models and should factor that into their strategic planning.
Myth No. 3
My multi-cloud environment is secure because each individual cloud is secure.
Cloud vendors can spend significantly more on security than most IT budgets allow. And, by shifting your data to multiple third parties, you disaggregate your application security risk. But, as applications and data spread out to different data centers, your challenge becomes consistency of policy enforcement and coverage. Any single vendor may have security offerings, but those are generally not multi-cloud. Organizations should look to cloud access security brokers (CASBs) to help manage this complexity. In fact, Gartner predicts that by 2020, 60 percent of large enterprises will use a CASB.
Myth No. 4
Multi-cloud has the same old security problems.
The shift to the cloud and “bring-your-own-device” policies have weakened the traditional security perimeter. A sales rep sitting in a coffee shop no longer needs the VPN to access their CRM. Branch offices are adopting policies of “direct internet access” for cost savings. Organizations need to establish a new perimeter to match, starting with cloud-delivered security offerings. The most sophisticated CISOs are reinventing their whole security architecture to include a coordinated approach to security across networks, endpoints, and the cloud. They are augmenting traditional tools with new offerings designed to provide visibility, analytics, control, and responsiveness across multi-cloud.
Planning for the Future
As applications, data, and identities become increasingly distributed across the multi-cloud, security teams must manage the risk involved with losing control of the traditional network perimeter. To meet this challenge, I urge enterprises to take an architectural approach. Add the ability to apply consistent policies across your cloud environment. Recreate the perimeter with a combination of network, endpoint, and cloud-delivered security. Invest in visibility and automation to help you see and respond to threats quickly. Recent research from Cisco shows that 39 percent of organizations are already reliant on automation, and this number is expected to continue to climb.
The shift to multi-cloud offers incredible IT benefits but creates significant new security problems. Now is the time to plan for this future and reap the rewards.