An icon for a calendar

Published June 16, 2022

4 Multi-Cloud Misconceptions that Put Organizations at Risk

4 Multi-Cloud Misconceptions that Put Organizations at Risk

Shifting to the cloud? Multi-cloud environments enable organizations to expand their computing and storage capacities easily, but that comes with tradeoffs — topping the list: cybersecurity.

What makes cloud computing appealing is also a reason to worry. It is easy to access your cloud environment anywhere with internet access, but that also means it’s easy for cybercriminals and digital adversaries to access it.

With the explosion of data over the past 10 years, the adoption of 5G, and the global nature of business, embracing a multi-cloud strategy is almost non-negotiable. But there’s an overlooked factor in this shift that a lot of organizations still underestimate today. And that’s cybersecurity.

Traditional security strategies and tools intended to protect on-premises networks simply don’t work when defending in the cloud. Instead, design and implement a comprehensive security solution that can protect against an expanding array of threats and increasingly sophisticated attacks targeting multi-cloud environments.

Unfortunately, since shifting to the cloud is a relatively new strategy, some organizations are unknowingly shifting into more risks as they continue to believe the common misconceptions listed below.

1. Your organization’s cybersecurity strategy protects cloud assets

Unlike a traditional on-premises server that is often defended through a perimeter security model, anyone with an internet connection anywhere in the world can access the cloud.

This means organizations must rethink and redesign their security strategy and tools to include real-time, continuous monitoring, compliance, continuous integration/continuous delivery (CI/ CD) security, and runtime protection capabilities specifically for the cloud.

And if a breach occurs, organizations can use protective measures such as micro-segmentation and encryption to minimize damage and contain the threat.

2. The cloud provider completely secures your cloud assets

Cloud security follows a “shared responsibility model” where two parties are involved in securing assets stored in the cloud. The first is the cloud service provider (CSP), meaning the business or entity that owns and operates the cloud. The second is the end-users – the individuals, and companies using the cloud services.

The CSP monitors and responds to security threats related to the cloud’s infrastructure while the users protect their data, cloud apps, and other assets in the cloud.

This means that any organization using public cloud services from Amazon Web Services (AWS), Google Cloud, Microsoft Azure, or other third-party providers must still maintain their own robust cybersecurity capabilities to protect their stored assets and maintain compliance.

3. The organization’s cloud environment is isolated (even in the public cloud)

The public cloud offers the ability to scale quickly with minimal investment and maintenance costs. But these gains in potential savings sometimes mean compromising privacy and control. That’s because of multitenancy.

With multitenancy, each cloud user operates alongside other businesses or individuals. Because the cloud is a shared resource, a breach with one “tenant” could spread to neighbors, or more widely, throughout the cloud. This means that the security of each user is dependent not only on its own security strategy and that of the CSP, but also on its fellow cloud users.

So, ‌strive for total, holistic visibility of the threat landscape, as triggers within one segment of the cloud could predict potential avenues of attack elsewhere.

4. Multi-cloud means multi-layered security

Although multiple cloud providers may help improve reliability and availability, it often complicates security. First, not all cloud providers offer the same security features. Even when security controls are similar, their behavior, configuration, and implementation can vary. This can create a very complex environment for the IT or information security team to manage.

In fact, recent research suggests that many DevSecOps teams are in the process of consolidating platforms to create more consistency within the cloud environment. Organizations should identify a cybersecurity partner that not only specializes in cloud security but also understands the unique challenges of a multi-cloud environment.

Combatting these misconceptions requires an end-to-end strategy

Because of how complex a multi-cloud environment is, companies can be at risk from various sources including vendors, partners, tenants, open-source code, or image repositories. In many cases, humans are the proverbial weak link within this network, as they lack in-depth knowledge of the cloud, which can lead to misconfiguration, insufficient protections, or lax policies that digital adversaries can exploit.

For example, a large financial services company with sophisticated cloud security capabilities suffered a breach involving its cloud infrastructure. Their weak link? An application flaw was exploited to pull a temporary station-to-station (STS) key from the underlying host’s EC2 (Amazon Elastic Compute Cloud) metadata service.

The key was then used externally to access sensitive cloud resources, including Amazon Simple Storage Service (S3) buckets. This is a perfect example of a misconfiguration, as well as an image scanning issue that led to a sophisticated attack on an otherwise prepared organization.

Cloud-based security is complex and requires you to work with a partner who understands the need for a comprehensive, end-to-end strategy and solution.

This article originally appeared on csoonline.com, to read the full article, click here.

Check out this page to see Nastel’s support for multi-cloud environments.