Many enterprises are not aware of the complexities that multicloud brings and make a leap of faith, hoping everything will magically work out. Of course, in the majority of cases, it doesn’t. Others are actually unaware that they are multicloud, even though they are using software as a service (SaaS) along with other cloud services. They only become aware of their complex cloud scenario when an incident happens that becomes a major escalation.
Enterprise cloud security pain points typically derive from two key areas: first, a complete lack of visibility of their cloud assets and resources; and second, a misconception of the shared security responsibilities they have with their cloud service providers. As a result, we see often preventable security vulnerabilities in the form of data leakage and theft.
Through to 2022, at least 95% of cloud security failures will be the customer’s fault, according to Gartner. It is therefore imperative that CIOs design and plan their cloud adoption carefully, look at why they are migrating to the cloud and their main objectives.
If they want to boost their time to market or if they want to reduce costs, for example, they must design for this. And leverage the best cloud providers’ services to reach this objective. Different cloud models and providers have different risks and control consequences, which need to be reflected in the cloud design. In addition, CIOs must make sure they implement and enforce policies around cloud ownership, risks and responsibilities.
Understanding the regulatory aspects of cloud
Multicloud significantly increases the threat vista. Enterprises need to understand how they can scale up security to deal with growth in cloud usage and multiple data center locations, while consistently tracking and securing their assets and workloads.
Using multicloud providers brings many benefits such as scalability, flexibility and agility, but it also increases potential vulnerabilities. Enterprises, for example, need to pay attention to the differences in the APIs of the services being consumed from different cloud providers. When an enterprise spawns a new virtual machine (VM), it may assume that all cloud providers have firewalls that are enabled by default – but this may not be the case. And even so, default rules may not filter out the same connection requests.
Enterprises also need to be aware that with multicloud, they will be using and spinning up resources in multiple data centers in multiple locations. It is therefore essential that they know how their cloud providers work and the regulations that come into play from different hosting locations and contractual requirements. Enterprises should expect their cloud providers to adhere to compliance frameworks such as ISO 27001 standards for information risk and security management and ISO 20000-1, the international IT service management standards. Many cloud providers also allow enterprises to run their own international (or industry) regulations and operations audits to measure third-party risk.
Together, this all makes for a very complex picture and one that many enterprises find intimidating. They will need to run a homogenous security strategy across all their cloud providers to minimize risk. To achieve this, enterprises must have the IT and legal skills in house to coherently fit the different pieces of multicloud together.
Alternatively, they could work with a proven and trusted partner who can take care of the complexities of a multicloud environment for them. Orange Business Services, for example, has developed a professional services catalog that allows customers to pick and choose the multicloud services they require, from cloud design and migration to security assessments and monitoring. This helps ensure enterprises get optimum value from their cloud investments.
Shadow IT woes
Unfortunately, unsanctioned cloud adoption across departments continues to be an issue. Most enterprises still vastly underestimate the amount of shadow cloud applications that are being used. These are applications that have not been sanctioned by the IT department.
The Ponemon Institute estimates that of the IT and IT security practitioners it recently surveyed, only 25% are very confident that they know all the cloud services their enterprise is using.
Security, data protection and cost are the biggest issues here. IT departments must take back control, or shadow IT in the cloud can easily spiral out of control. This means IT departments need to accept that their roles have fundamentally changed from being builders and providers of resources, to selecting and managing resources. IT departments can’t stop business units getting the services they want, but they can and should provide advice on the right services and make sure these services are verified and put under control so they can keep track of budgets and shore up security.
Securing your multicloud evolution
IDC predicts that, by 2020, over 90% of enterprises will use multiple cloud services and platforms. To ensure that these enterprises secure their data adequately and have end-to-end visibility on their assets requires a new mindset. One that centers on design.
The biggest threat right now to enterprises moving to the cloud or expanding their multicloud ecosystem is bad design. Essentially, bad design results in gaping holes in security and cloud services being used incompetently, inefficiently and defectively. A flawless move to cloud is one that is backed by a well-architected and thought-out design plan, with the right skills onboard from ideation up to the build and run.
To learn more about reducing complexity in multicloud with increased visibility, control and security, download our guide: Reduce complexity in multicloud.
Cédric Prévost has been providing IT and security strategy for enterprises within both the private and public sector for 18 years, holding senior positions within the French Ministry of Defense and Présidence de la République (French Presidency), before becoming CTO of Cloudwatt, an acquosition of Orange Business Services. Most recently, he led the deployment of the new Orange Business Services cloud services offer "Flexible Engine" across Paris, Singapore and Atlanta. Cédric is now Director for Security and Managed Services at Orange Cloud for Business.