The cataclysmic event of COVID-19 and the resulting new ways of working are fuelling a shift to a multi-cloud environment for businesses everywhere. Increasingly, businesses across industries are leveraging multiple public cloud services for critical workloads, helping them reduce costs and improve efficiencies.
According to IDC, in 2019 companies purchased, on average, over 30 types of cloud services from as many as 16 different vendors. While the multi-cloud approach provides many advantages, it also comes with data security challenges. This distributed cloud landscape leads to uncertainty around ownership of data security in the cloud, policy ‘blind spots’, and the potential for shadow IT to introduce vulnerabilities and misconfigurations that lead to data loss.
Similarly, while digital transformation helps companies remain competitive and meet business goals, it can also aggravate the risk of a security exploit. The rush to achieve digital transformation often increases the risk of data breaches. What are the security challenges that businesses are likely to face and how can they improve their security best practices in this context?
Security challenges in a multi-cloud environment
The first challenge that businesses are likely to face is a lack of understanding of what their cloud vendors’ security measures protect. Businesses need to accept that security is a shared responsibility between them and their cloud vendors. In Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) models, the onus is primarily on the business. Cloud vendors will put in place security measures to protect their own infrastructure, but these do not cover their clients’ data and applications. Companies should be aware of the local data compliance regime and ensure they store sensitive data in a manner that is compliant with the organisation’s regulatory and internal risk policies. It is critical to ensure that compliance controls are consistent and managed centrally across the multi-cloud environment.
Employees who have access to data and applications could also misuse that access. With remote work and a multi-cloud setup, network controls have been relaxed. Companies should enforce tighter controls and apply user identity and access management (IAM) tools effectively across all the environments where these applications and data reside.
There may also be a lack of visibility into the company's entire environment, considering that a multi-cloud environment can comprise dozens of cloud platforms. To solve this, companies should consider deploying security information and event management (SIEM) for visibility into the entire IT environment. Finding vulnerabilities in applications and software is another challenge they may come across. For this, they should also consider threat intelligence software, periodic penetration testing, and software scans to enhance vulnerability management for their software and applications.
Many cloud security tools tend to focus on real-time data use and not on historical data, which presents another obstacle: each cloud vendor has a different level of such protection mechanisms. Companies should build a platform to analyse and monitor these tools, track trends based on behavioural and historical anecdotes, and hunt for threats in both real-time and historical data. Such a platform should work across the whole multi-cloud environment.
Lastly, data privacy regimes differ across regions and regulatory boundaries, and existing data security controls may not meet new compliance requirements. To address this challenge, companies should adopt improved data classification to detect different levels of sensitivity and create data-loss prevention policies to deal with data breaches.
Security challenges in digital transformation
Digital transformation itself is a superset of the multi-cloud environment and hence it's worthwhile to discuss the challenges from that perspective as well. We know that this transformation happens in phases. One of the security challenges that may arise is the creation of controls focussed on each transformation project only, in silos. Distinct security teams within the organisation may adopt processes and tools isolated within their department and project. Siloed security teams, processes and tools cannot scale, thus creating pressure on the security organisation to unify its resources.
To break security silos, companies must adopt a more comprehensive and open approach to data security by relying on ‘zero trust’ security practices that address universal security challenges. The best way to do that is to focus on fostering business outcomes with acceptable levels of risk. Businesses must centralise device, identity and data security across their multi-cloud environment so they can easily visualise risks and employ AI and advanced analytics to understand more about the underlying risks.
All the security programs within the organisation have to ensure that they share relevant information across teams and collaborate on threat management, data security, and IAM to streamline risk investigations and fortify coordination for mitigation and remediation. More importantly, they must adopt open and flexible security architecture that can deploy any kind of cloud platform without creating security silos. There is a need for clear visibility of regulatory obligations and compliance mandates, along with the unique technical and policy-driven security challenges and external threats targeting the cloud.
Viswanath Ramaswamy is the Vice President at IBM Cloud & Cognitive Software & Services, IBM India/South Asia and Sudeep Das is the Technical Leader at IBM Security Systems, IBM India/South Asia