How to develop security policies for multicloud environments

Multicloud is the new trend in cloud computing, with more than 80% of organizations actively operating inside a multicloud environment. And yet, many organizations lack the talent, tools, and time to securely execute this kind of strategy. According to Gartner, this cybersecurity gap directly causes 99% of cloud failures and data breaches.

Even organizations (76% of them) will admit they moved to the cloud without properly understanding the skills, maturity curve, and complexities of making it work securely, according to a CloudBolt survey. Ready or not, multicloud is here to stay (at least for the foreseeable future). You need a strategy for deploying security across multiple cloud platforms.

Multicloud environments are complex. They require the same attention to detail as a singular cloud computing strategy when it comes to data storage, access management, compliance, malware, and cyberattacks. But with multicloud, you double (at least) your attack surface. Meaning there are more and more ways for things to go wrong as you add more services. 

Combine those risks with the fact that the cloud providers don’t exactly play well together, there’s very little cybersecurity talent available on the market, and most organizations didn’t start get into multicloud with a clear, sound security strategy. This is a powderkeg primed to blow if you’re not prepared. 

A multicloud security strategy helps you and your teams manage these risks, increase visibility across cloud providers, implement proactive monitoring, and establish a disaster recovery process.

From a technical perspective, your multicloud security strategy rests on three pillars: automation, abstraction, and authority. Understanding each of these is critical to your success in multicloud. More than that, you need to shift their mindset when it comes to multicloud securely. 

There’s no question anymore that the cloud is secure. Each of the cloud providers have robust cybersecurity strategies and plans in place. The issue, as Gartner pointed out, is that organizations don’t know how to use the cloud securely. Once you shift your mindset, it’s much easier to develop and implement a multicloud security strategy.

Here’s where we are: organizations are trying to use on-premises models for cloud computing, and it’s not working. They have developers with little to no cloud or cybersecurity experience provisioning and deploying cloud resources. Automation is the answer.

You should be developing clear security practices and implementing them up front so developers don’t have to worry about it. It’s a key part of the DevSecOps movement that puts security in the hands of developers, but only 6% of organizations are currently doing it. Even more startling than that, only 3% of organizations are leveraging immutable infrastructure to destroy and rebuild resources.

The goal is to move away from click-ops configuration to a more infrastructural orchestration (a la AWS CloudFormation). The tricky bit is finding a solution that works across multiple platforms (unlike AWS CloudFormation). Many organizations are looking to HashiCorp’s Terraform, an open-source infrastructure-as-code tool, to fill that gap.

Organizations are looking to get their teams skilled in this kind of multicloud automation. In 2022, our HashiCorp Terraform course doubled in views.

Once your team is certified in the tool, you can insert, as part of your IaaS templates, some basic security practices. You can enable login, version control, and encryption up front so developers are automatically including those security elements as part of your built-in core practices. You can also leverage immutable infrastructures to harden those environments and increase the resiliency of your solutions.

There are many more ways to leverage automation in your multicloud security strategy, but these are some low-hanging fruit to get you started down the path.

The next pillar in your multicloud security strategy is abstraction. Love it or hate it, abstraction is the best way to handle the complexity of a multicloud environment when your teams are already spread thin. Abstraction makes it easier (though not always easy) to maintain visibility and control over your multicloud environment, while still managing the variance between the providers’ different shared responsibility models.

The number one reason to build a multicloud solution is to take advantage of the different services offered by different cloud vendors. But now you’re trying to create a layer of visibility that allows your team to manage those different services. There are really two ways to implement abstraction as a way to gain that visibility.

The first is to find an umbrella service like VMWare that offers many services to manage the complexity of a multicloud environment. These types of services provide full protection and visibility across your multicloud environment. And more protection equals better protection, right? The downside to these kinds of umbrella services is they limit your agility.

The other option is an API-driven approach that focuses on specific areas to abstract. This offers more agility in your larger-scale multicloud strategy and makes the most of the limited resources you have internally. Some examples of these services are: Laceworks, Orca, Trend Micro, and Sysdig.

Leaders are engaged in a balancing game between speed to market and security. You don’t want to end up in the news because of a data breach, but you have developers pushing you to move faster. This is an even more dangerous balancing act when you have limited resources to manage your multicloud environment. The answer? Establish a Cloud Center of Excellence (CCoE).

The goal of the CCoE should be to provide organizations with a minimum viable cloud product that answers the question: How do you empower developers to deliver consumer value while still meeting organizational needs?

That’s the question a lot of CCoEs are still trying to answer. They’re playing their own balancing game between centralizing information and processes without impeding innovation and speed to market. The solution is requiring yet another mindset shift. Security teams are having to move away from the traditional static configuration that locks everything down and puts in a lot of controls because that’s not sustainable in a cloud (and especially multicloud) environment.

Instead, what you’re seeing is more proactive policy and rules engines that codify policies, making them available across multiple clouds. And that means defining authority, hierarchies of need, and the minimally viable practices to ensure teams across divisions have policies and practices to securely build multicloud solutions. 

Once you reach this stage, you can identify levers to adjust or change that provides leeway for developers without compromising the organizational integrity of your multicloud solutions.

Your multicloud security strategy shouldn’t be a set it and forget it tactic. It’s not a box to check off and move on. Too much in the cloud computing market is changing. You have to be open to new ideas, ask questions, and explore new opportunities. There are a lot of vendors creating fear, uncertainty, and doubt about cloud solutions, especially as it relates to security. But if you’re willing to learn and keep an open mind, you’ll make better, smarter decisions about the cloud providers now and as they release new services.

Dive deeper into developing a multicloud security solution with our top four tactical tips.