It’s no secret that more companies are turning to or, at the very least, exploring multi-cloud environments to store and manage data. This choice is often driven by multi-cloud’s potential to help companies avoid vendor lock-in, decrease costs, and enable them to select the best tool for each job.
Unfortunately, multi-cloud environments are complex; in cybersecurity, complexity often translates to risk. Preparing your workforce to navigate these complexities through focused security training is one valuable way to manage the risk. In this analysis, I’ll discuss why security training is so crucial in multi-cloud environments and provide some security training best practices for reducing threats.
Which companies are the most important vendors in cybersecurity? Click here to see the Acceleration Economy Top 10 Cybersecurity Shortlist, as selected by our expert team of practitioner-analysts.
Multi-Cloud Security Threats
In a multi-cloud environment, security threats arise due to a lack of standardization. Cloud providers generally offer the same types of services but their pricing models are naturally different; documentation may be better with one over another; or there may be differentiated features. When there is a mix of different tools in place, security policies often are not consistently applied, and potential blindspots can arise.
The lack of standardization can introduce risk to an organization through assumptions about what’s configured and how, ownership of patches, the control plane and scope thereof, to name several examples. Assumptions can be dangerous in cybersecurity, particularly when they result in vulnerabilities that go unnoticed or unresolved.
Visibility across environments can also present issues. Visibility into hosts, services, and configuration states may all be handled differently within each provider. Dealing with connection requests across providers, network zones, and regions introduces more complexity. Lack of visibility can degrade an organization’s ability to detect and respond to security issues effectively.
Importance of Security Training in Multi-Cloud Environments
There are technical countermeasures to dealing with challenges relating to visibility and assumptions detailed above. Security-focused training can also play a significant part in reducing risk in these situations. All employees with access to multi-cloud resources — developers, administrators, and any other users involved in setting up or managing infrastructure — should be properly trained. Security training geared to multi-cloud should include the following:
- Cloud Security Fundamentals: Employees should understand cloud security basics, including authentication, access control, and encryption. They should also be aware of the specific security protocols of their cloud platforms. It’s vital that training covers each of the platforms in use. Generic training that doesn’t reference the nuance of a particular provider is unlikely to be helpful.
- Compliance Requirements: Multi-cloud environments are likely to be subject to different regulatory requirements, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA). Employees should be trained on these requirements to ensure that data is stored and managed in compliance with regulations. This will be specific to the organization and industry.
- Best Practices: Employees should be trained to secure data in multi-cloud environments. Providers often include best practices in their documentation, but in some cases, there is a need to engage external sources like security research blogs or conferences. Employees should know the importance of protecting cloud credentials and applying secure configuration, among other best practices. Roles and responsibilities are also important to outline.
Best Practices for Security Training
Training can be conducted in many ways depending on resources, goals, time, and team makeup. Experimenting with these different approaches will help identify the best training approach. The following are some proven approaches to consider:
- Regular Instructor-Led or Computer-Based Training: Security training should be conducted regularly. This will help employees stay up-to-date with the latest security protocols and regulations. Smaller, frequent engagements can help.
- Use Simulations: Simulation-based training can be effective in helping employees understand how to respond to security threats. Simulations can provide a safe environment to test security measures without the risk of compromising actual data. An example of this would be a more theoretical tabletop exercise across the team or a purple team exercise.
- Pairing Exercises: Live pairing exercises with multi-disciplinary teams can be a powerful way to cross-pollinate knowledge across functions and groups. This might happen through testing, service deployment, or development.
As organizations continue to explore and adopt multi-cloud strategies, they must implement security training. Security training in these environments helps to reduce the risk of threats by educating employees on cloud security fundamentals, compliance requirements, and best practices. Additionally, embracing an active learning culture can minimize risk when adopting a multi-cloud strategy.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: