These days, most large organizations have adopted a multi-cloud hybrid state to host their computing workloads and store data. Utilizing multiple cloud service providers (CSPs) can increase fault tolerance, bring performance optimizations, and empower development teams to choose “best of breed” architectures. For all these reasons and more, 90% of organizations report that multi-cloud is helping them realize their business goals.
Simultaneously, cloud-based services must often span multiple geographies, each with its own complexities around how enterprises must store data to meet privacy regulations. Doing so requires a zero-trust approach for internal assets, even for team members requesting access.
In a nutshell, navigating this new world of multiple clouds and geographies poses challenges to modern cybersecurity. Below, we’ll outline some of these risks and consider methods to protect multi-cloud, multi-geographic environments.
Identifying Risk
In the last decade or so, many organizations shifted from physical server rooms to cloud computing. But what started with adopting a single CSP eventually led to using multiple clouds, whether from AWS, Azure, Google Cloud, Oracle, IBM Cloud or others. According to the 2022 Global Hybrid Cloud Trends Report, 82% of organizations have already adopted a hybrid cloud. In addition to CSPs, organizations have also come to rely on various web-based APIs to avoid reinventing the wheel for common functions.
The multi-cloud trend has a few important implications for cybersecurity. For one, multi-cloud complexity increases your total attack surface area. There are more secrets to be exposed and more environments that could be misconfigured. Further, in multi-cloud, you can no longer have one source of truth for security policies and must navigate inconsistencies in how each cloud handles identity and access management. Other cloud-native threats include insecure defaults, leaky endpoints, and software supply chain disruption.
Simultaneously, organizations must manage compliance amid many complex geo-specific data privacy standards. U.S. corporations doing international business must comply with the EU’s General Data Protection Regulation (GDPR), as well as follow the intricacies of emerging state-specific policies within California (CCPA), Virginia (VCDPA), Colorado (CPA), Utah (UCPA), and elsewhere. There are also industry-specific data regulations to consider, such as Health Insurance Portability and Accountability Act (HIPAA) standards for healthcare and open banking data decrees for finance.
It’s not only tracking customer data across geographies that’s a cybersecurity concern: Many teams have also become globally distributed, collaborating asynchronously across multiple countries and time zones. Plus, organizations now loop a mixture of full-time employees, contractors, and partners into the same value streams. These new working relationships are a boon for collaboration, but they introduce risk management concerns, highlighting the need for hardened cybersecurity for internal networks.
Establishing Standard Policies and Procedures
So, how can business leaders respond to new multi-cloud and multi-geo cybersecurity concerns?
Well, first, it’s crucial that you audit your surface area to get a better picture of the environments your business is operating in. Next, you’ll want to catalog the various data privacy standards that the company comes into contact with across geographies. Only by understanding your posture can you develop a comprehensive risk management plan and begin to implement standard policies and procedures.
Then, it’s a good idea to establish common security policies and centralize them with the help of a decoupled policy management layer. Certain open-source tools like Open Policy Agent and Kyverno can implement standard policies across various cloud-native infrastructures. (As a general rule of thumb, when developing user authentication and authorization policies, it’s a good idea to follow the principle of least privilege, which assigns access to roles only on a need-to-know basis. This will help ensure access isn’t over-assigned to the various roles that interface with cloud-based architecture and customer data.)
Some CSPs bake in support to help manage customer and employee data across various geographies. For example, Microsoft 365 users can take advantage of Multi-Geo environments in which the Microsoft 365 Tenant is spread across a centralized location as well as satellite offices. This consolidates locations, groups, and user information in a central Azure directory structure and synchronizes them with distributed sites.
Some other tips include:
- Utilizing encryption to protect data at rest and in transit
- Establishing data storage and access policies
- Establishing network security policies
- Deploying firewalls and other security measures
- Evolving the traditional governance model
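To make the idea of a decoupled policy layer concrete, here is an added Python example (not code from this article, and not Open Policy Agent or Kyverno syntax): records from three clouds are mapped onto one schema and checked against a single rule set covering encryption at rest, data residency, and least privilege. The export field names, regions, data classes, and rules are constructed assumptions.

```python
# Added example: constructed inventory and rules; per-cloud export shapes are hypothetical.
FIELD_MAP = {
    "aws":   {"name": "Bucket",  "region": "Region",   "encrypted": "SSEEnabled", "grants": "Grants"},
    "azure": {"name": "account", "region": "location", "encrypted": "encryption", "grants": "roleAssignments"},
    "gcp":   {"name": "bucket",  "region": "location", "encrypted": "cmek",       "grants": "bindings"},
}
# Residency rule: regions (in each provider's own naming) allowed per data class.
ALLOWED_REGIONS = {"eu-personal": {"eu-west-1", "westeurope", "europe-west4"}}

def normalize(cloud, raw):
    """Translate one provider-shaped record into the common schema."""
    res = {key: raw[src] for key, src in FIELD_MAP[cloud].items()}
    res.update(cloud=cloud, data_class=raw.get("data_class", "unclassified"))
    return res

def evaluate(res):
    """Apply the same rules to any normalized resource; return its violations."""
    found = []
    if not res["encrypted"]:
        found.append("encryption-at-rest disabled")
    allowed = ALLOWED_REGIONS.get(res["data_class"])
    if allowed is not None and res["region"] not in allowed:
        found.append(f"{res['data_class']} data stored in {res['region']}")
    for principal, action in res["grants"]:
        if principal == "*" or action == "*":  # least privilege: no wildcards
            found.append(f"wildcard grant {principal}:{action}")
    return found

def audit(inventory):
    """inventory: (cloud, raw_record) pairs. Returns {cloud/name: [violations]}."""
    report = {}
    for cloud, raw in inventory:
        res = normalize(cloud, raw)
        if (violations := evaluate(res)):
            report[f"{cloud}/{res['name']}"] = violations
    return report

# Constructed sample inventory, one storage resource per cloud.
INVENTORY = [
    ("aws", {"Bucket": "crm-exports", "Region": "us-east-1", "SSEEnabled": True,
             "Grants": [["role/analyst", "read"]], "data_class": "eu-personal"}),
    ("azure", {"account": "hrfiles", "location": "westeurope", "encryption": True,
               "roleAssignments": [["group/hr", "read"]], "data_class": "eu-personal"}),
    ("gcp", {"bucket": "build-cache", "location": "us-central1", "cmek": False,
             "bindings": [["*", "read"]]}),
]

if __name__ == "__main__":
    print(audit(INVENTORY))
```

Because the rules only ever see the normalized record, adding a fourth provider means adding one entry to the field map rather than rewriting each policy.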
Monitoring and Maintenance
Next, businesses will want to ensure they are always meeting compliance requirements with security policies and procedures. This will require regular security assessments and audits. It’s also a good idea to schedule regular updates and patches to avoid code vulnerabilities within open-source software. For example, using tooling to automate the detection of zero-day vulnerabilities can help ensure applications are more secure across clouds.
In addition to regular security assessments, companies should implement a comprehensive monitoring system to track data access and usage. This system can help monitor system performance for weaknesses and investigate security threats so that the necessary actions can be taken when misuse is discovered. In addition to regular monitoring, it’s important that software vendors are compliant with security regulations. As such, consider requesting a Software Bill of Materials (SBOM) from new vendors. This will help auditing efforts and ensure that the provenance of software dependencies is known.
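As an added example (not from this article or any vendor's tooling), the Python below shows one way to review an SBOM on receipt: it parses a CycloneDX JSON document and lists the components whose provenance cannot be verified. The acceptance rules (a version, a package URL, and a SHA-2 hash per component) and the sample SBOM are constructed assumptions.

```python
# Added example: constructed CycloneDX-style SBOM; the acceptance rules are assumptions.
import json

REQUIRED = ("version", "purl")                 # fields that identify what was shipped
STRONG_HASHES = {"SHA-256", "SHA-384", "SHA-512"}

def check_component(comp):
    """Return the provenance gaps for one SBOM component."""
    gaps = [f"missing {field}" for field in REQUIRED if not comp.get(field)]
    algs = {h.get("alg") for h in comp.get("hashes", [])}
    if not algs & STRONG_HASHES:
        gaps.append("no SHA-2 hash")
    return gaps

def review_sbom(text):
    """Parse a CycloneDX JSON SBOM and map component name -> list of gaps."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = bom.get("components", [])
    if not components:
        # An empty SBOM tells the auditor nothing; treat it as a failed delivery.
        raise ValueError("SBOM lists no components")
    findings = {}
    for comp in components:
        gaps = check_component(comp)
        if gaps:
            findings[comp.get("name", "<unnamed>")] = gaps
    return findings

# Constructed sample: one complete entry and two with gaps.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libalpha", "version": "2.4.1",
         "purl": "pkg:pypi/libalpha@2.4.1",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"type": "library", "name": "libbeta", "version": "1.0.0",
         "hashes": [{"alg": "MD5", "content": "0" * 32}]},
        {"type": "library", "name": "libgamma", "purl": "pkg:npm/libgamma"},
    ],
})

if __name__ == "__main__":
    print(review_sbom(SAMPLE_SBOM))
```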
Going Global With Multi-Cloud
As Satya Nadella, CEO of Microsoft, has said, “all companies are software companies.” And as they transition into software companies, they are producing software and data with a value that transcends geographical boundaries. But as companies seek to do business in multiple clouds and in numerous countries and states, they must face the reality of escalating data regulations and cloud-native threats.
To conduct business safely across distributed clouds and territories, information technology leaders must take action to wrangle the increasingly diverse number of deployments and databases in use today. Only by enabling robust authentication and authorization, and continually assessing risk can they begin to manage the compounding threat landscape. In addition to the policies described above, it’s good to stay up-to-date on security trends and best practices and train staff on your standard security protocols.