Risk management in a multicloud environment


The nature of an enterprise’s most valuable assets has evolved. Traditionally, it was the physical and human capital that sat on the company’s balance sheet; now, it’s the application capital that defines the digital age. The value of many modern companies – inspired by the business models of Facebook, Amazon and Uber – is increasingly non-tangible and resides in its applications and data.

As the concept of value evolves, so does the approach required to protect it. Modern enterprises are managing complex IT estates that typically involve a blend of IT architectures and deployment models, with more reliance on multiple cloud-based digital services. These include software that once would have been housed in the enterprise’s private IT environment, but is now being managed ‘as a service’ (SaaS), virtualised computing infrastructure (IaaS) and platforms for developing, running and managing applications (PaaS).

Accessing these services provides enterprises with a stronger basis on which to drive efficiency and operational excellence, as well as innovating for the new. IDC predicts that by 2020, more than 90 per cent of enterprises will use multiple cloud services and platforms. Being ‘multicloud’ creates a strategic imperative for transforming the business and enhancing experiences for employees and customers.

Running applications in the cloud normally brings a higher level of infrastructure security than enterprises would be able to manage independently – after all, cloud providers spend millions each year on infrastructure and talent to keep data safe. The security risks instead emerge around how the enterprise manages its own applications and data. With this transition to a multicloud world, fundamental cybersecurity assumptions are changing. Enterprises must establish a framework to manage risk in order to realise the true benefits a multicloud environment can offer.

An evolving risk landscape

Organisations are now facing a vast range of IT risks. Cyber criminals are growing in sophistication and employing a variety of tactics to target enterprise data – many of which require little effort for the hacker, but persistent pain and frustration for the organisation. Such weapons include automated attacks via ‘botnets’, which can be activated in as little as 15 seconds and account for 77 per cent of web attacks (Verizon 2017 Data Breach Investigations Report), and distributed denial-of-service (DDoS) attacks, which can be initiated at a low cost and cause massive damage.

For enterprises the consequences can be extreme. Serious financial loss is sometimes compounded by irreparable damage to the brand’s reputation and the trust of its stakeholders. It’s not a remote risk either; nearly one in five companies experienced a breach in 2018 and an estimated 5 billion credentials were stolen in data breaches.

When it comes to public cloud data, cyber criminals aren’t the only threat. Enterprises need to be mindful of the risk of error arising from their own employees. There have been notable cases of misconfiguration of cloud resources, which have resulted in the exposure of private information to the Internet. Under the shared responsibility model, the duty to safeguard against this lies with the customer rather than the cloud service provider.

Gaining visibility and control of the application estate

In keeping the use of public cloud-based applications and data secure, one of the major issues enterprises face relates to visibility. Many enterprises still do not have a clear understanding of just how much they are consuming in the cloud. It’s estimated that the average large enterprise uses around 730 individual cloud services and capabilities. Gaining visibility over how employees use the cloud can help reduce risk and exposure, enabling enterprises to better direct resources to the areas of highest vulnerability.

The approach for achieving this lies less on a technical level and more on a human level. IT security teams can’t act to secure applications if they don’t know that they are being used. Employees in different departments can easily spin up applications, but if they don’t involve IT from the outset, they may open up vulnerabilities. To minimise the risk of using untrusted services, IT can enact a company-wide policy for a preferred vendor and encourage employees to adopt this service.

A common example is in the use of cloud-based storage applications such as Dropbox. If the IT team knows that users require this service, they can set up an enterprise license, install access procedures and take steps to mitigate risks. If users don’t involve IT and instead open a free account which they then use to store sensitive data, a range of risks open up – from who has login credentials through to who technically owns the data on the cloud server.
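The visibility problem described in the last three paragraphs is usually tackled first by looking at what already leaves the network. The following added example (not part of the original article or of World Wide Technology’s tooling) builds a simple inventory of cloud services from egress-proxy log lines and flags any service that is not on IT’s approved-vendor list. The log format, the hostname catalogue and the approved list are all assumptions constructed for the example; a real deployment would feed it the organisation’s own proxy or firewall export.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic). The format
# "timestamp user method url status" is an assumed, simplified egress-proxy export.
SAMPLE_LOG = """\
2019-03-04T09:12:01Z alice GET https://www.dropbox.com/home 200
2019-03-04T09:12:09Z alice PUT https://content.dropboxapi.com/2/files/upload 200
2019-03-04T09:15:33Z bob GET https://teams.microsoft.com/ 200
2019-03-04T09:16:02Z carol POST https://api.trello.com/1/cards 200
2019-03-04T09:18:45Z dave GET https://intranet.example.internal/ 200
2019-03-04T09:20:10Z bob GET https://www.dropbox.com/login 200
2019-03-04T09:21:00Z erin GET https://drive.google.com/ 200
"""

# Hypothetical catalogue: hostname pattern -> cloud service name.
SERVICE_CATALOGUE = {
    r"(^|\.)dropbox(api)?\.com$": "Dropbox",
    r"(^|\.)microsoft\.com$": "Microsoft 365",
    r"(^|\.)trello\.com$": "Trello",
    r"(^|\.)google\.com$": "Google Drive",
}

# Hypothetical list of services IT has sanctioned (enterprise licence in place).
APPROVED_SERVICES = {"Microsoft 365"}

# Methods that push data out of the organisation; worth counting separately.
UPLOAD_METHODS = {"PUT", "POST"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")


def classify_host(host):
    """Map a hostname to a catalogue service name, or None if unknown."""
    for pattern, name in SERVICE_CATALOGUE.items():
        if re.search(pattern, host):
            return name
    return None


def parse_log(text):
    """Yield (timestamp, user, method, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, user, method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        yield ts, user, method, host


def inventory(text):
    """Return {service: {"users": set, "requests": int, "uploads": int, "approved": bool}}."""
    inv = defaultdict(lambda: {"users": set(), "requests": 0, "uploads": 0})
    for _ts, user, method, host in parse_log(text):
        service = classify_host(host)
        if service is None:
            continue  # internal or uncatalogued host
        entry = inv[service]
        entry["users"].add(user)
        entry["requests"] += 1
        if method in UPLOAD_METHODS:
            entry["uploads"] += 1
    return {
        name: {**entry, "approved": name in APPROVED_SERVICES}
        for name, entry in inv.items()
    }


def unsanctioned(text):
    """Sorted list of catalogued services seen in the log but not approved by IT."""
    return sorted(name for name, entry in inventory(text).items() if not entry["approved"])


if __name__ == "__main__":
    for name, entry in sorted(inventory(SAMPLE_LOG).items()):
        flag = "approved" if entry["approved"] else "UNSANCTIONED"
        print(f"{name:14} users={len(entry['users'])} requests={entry['requests']} "
              f"uploads={entry['uploads']} [{flag}]")
```

The upload count is the figure an IT team would act on first: a sanctioned service with many uploads is expected, while an unsanctioned one with uploads is the free-account scenario the Dropbox example describes, and it points directly at which users to approach about moving to the enterprise licence.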

Installing governance

Secure multicloud usage needs strong governance protocols. Understandably, many enterprises struggle to modify their policies and procedures quickly enough to keep pace with their employees’ adoption of new cloud capabilities. Robust governance requires a full picture of the organisation’s cloud network, covering what the business is consuming, how new services can be added and what systems are in place for risk mitigation, along with data and privacy policies and processes.

Governance, however, can never be installed without knowledge. Enterprises therefore need to focus on training and awareness-building throughout the business – including at C-level – to increase understanding of how to use multiple cloud services securely. Simply put, security needs to be embedded in the organisational culture in order for governance to be effective.

Protecting the enterprise from new threats

Multicloud architecture is about allowing staff to seamlessly access the range of services they need to achieve their business objectives. It’s about transforming how internal IT functions, moving towards consuming ‘as-a-service’ and having the tools in place to architect across cloud platforms in a secure and sustainable way.

Innovation in the public cloud is happening at a staggeringly fast pace, so businesses must be prepared to re-evaluate decisions as the technology world moves on. Creating long-term IT strategies that are revisited every few years is unlikely to be effective in the context of such rapid change. Instead, organisations should have security embedded at the source, with emphasis on both the technical control as well as the human aspects of managing a multicloud environment.

The greatest importance should be attached to visibility, risk evaluation, and proper governance. With planning, strong controls and scalable cloud-based security technologies in place, enterprises can reduce risk while also increasing the security of the environment as a whole.

Dave Locke, World Wide Technology’s EMEA Chief Technology Advisor