Multi-Cloud Strategy is Appealing, but Security Confidence Lags
The use of multi-cloud architectures continues to grow among organizations, but many businesses are not well prepared to meet the security risks that come with multi-cloud strategies.
In addition, few companies have the tech talent and confidence they need to put in place a comprehensive security infrastructure across multiple clouds, according to a Valtix report.
While 95% of organizations surveyed said multi-cloud is a strategic priority in 2023, just 58% felt “confident” that they have the right architecture to support it.
The study also revealed 86% of respondents found managing multiple distinct security architectures with multi-cloud security is prohibitively expensive.
Vijay Chander, co-founder and CTO of Valtix, said what’s most concerning about the survey results is the divide between the multi-cloud aspirations driven by the business and the ability for IT teams to sustainably secure multi-cloud.
“Just 57% of IT leaders are sure that multi-cloud security is achievable with current resources and technology, but admitted they needed to embrace it anyway,” he said.
He explained that often organizations are “unintentionally” multi-cloud, which the survey indicated happens for multiple reasons.
“Number one was shadow IT, with the need to run different ISV apps on different clouds, with mergers and acquisitions being close behind,” Chander said.
For those taking a more strategic approach to multi-cloud, architecture is becoming an important way in which they are mitigating multi-cloud concerns.
The research revealed 95% of respondents sought a standardized and consistent way to apply security and policy across clouds.
“By creating more centralized and standardized approaches to security across clouds, we see them reaping benefits regarding efficiency and security,” he noted.
As organizations move to the cloud, the role of cloud security architect is becoming more common, with 86% of organizations currently employing an in-house cloud security architect.
In addition, nearly nine in 10 (89%) organizations surveyed said they required every cloud project to adhere to a cloud security reference architecture.
“Even though the cloud is different, understanding the fundamentals of security architecture and defense-in-depth are just as relevant in the cloud as on-premises,” Chander noted. “For example, in our research, understanding networking and CSP specifics were cited as the top skills required of cloud security architects.”
He added that the best candidates will bring some aspects of an on-premises understanding together with cloud specialization.
“On the other hand, cloud specialists who have only ever worked in the cloud, might need to be fully trained on enterprise security and compliance standards,” he said.
Overall, public cloud is a highly technical area given the interdependence of multiple native services provided by multiple CSPs that must be thoroughly understood.
“Secure multi-cloud network platforms alleviate some of these concerns since they abstract the underlying cloud complexity for end users–thus enabling tech employees to be more efficient,” he explained.
Chander added that Valtix frequently worked with cloud security architects to develop game plans for multi-cloud.
“Much of our discussions are about how to make sure that security is maintained across multiple disparate DevOps teams by applying best practices of secure cloud networking in in a standardized way across clouds,” he said.
He added that he was surprised to see how pervasive cloud security architects had become, with 86% percent of respondents employing them. As a result, 89% of organizations surveyed said they require every cloud project to adhere to a cloud security reference architecture.
“This is a good thing,” Chadner noted. “However, more work needs to be done through third-party communities to really create standards for multi-cloud security reference architectures that rival what’s available from each CSP.”
As most cloud security reference architectures will show, defense-in-depth is equally as applicable in the cloud as it was in the data center.
“It’s just how you do it that varies in a dynamic environment,” he explained.
Chander said ultimately, mitigating the possibility of open network paths to the public internet, inspecting traffic for threats, establishing segmentation to prevent lateral movement and having visibility and control to prevent unauthorized outbound connections provides the most effective means to secure the public cloud.
He adds a move towards cloud-native everything is one of the biggest trends in 2023.
“For years, organizations have done a mix of lift and shift along with cloud-first technologies,” he said. “Now, whether they are starting a cloud migration fresh or optimizing their existing environment, organizations are looking for technologies that fit into a cloud-native and multi-cloud operating model.”
