As cloud transformation continues, companies are now turning to a combination of public clouds (AWS, Azure, & Google Cloud) to meet their business goals. Organizations adopt a multi-cloud strategy for many different reasons, such as avoiding vendor lock-in, taking advantage of best-of-breed solutions, and strengthening their resilience capabilities. But from a security and risk point of view, multi-cloud environments present some clear governance, visibility, and security challenges that can put organizations at risk.
While multi-cloud strategies have their clear strengths, security and governance vulnerabilities can arise along the way — particularly because each provider has its own take on identity, privilege, and entitlements management. This complicates security and compliance for identity and security teams. And if not addressed, can leave companies vulnerable to breaches, attacks, and other security events.
We recently sat down with two cloud security experts, Chris Owen, Director of Product Management for Saviynt, and Raghuram Raghavan, Managing Consultant, IAM, IBM Security, to talk through these challenges, and learn ways that your organization can safely embrace multi-cloud without introducing new security and compliance challenges. Read on to hear what they had to say and get their advice for navigating multi-cloud governance and security in the modern era.
In recent years, organizations have had to adopt remote working due to the pandemic. This has led to a proliferation of new devices connecting to corporate networks. For example, workers connecting personal laptops to cloud resources (since they may not have corporate laptops), or corporate email systems with their personal smartphones.
Under the circumstances, when organizations adopted cloud, they didn’t have time to go through the usual security and governance processes – in large enterprises these processes can take months, if not years, to complete. The pressure for fast access as IT teams/Ops teams tried to adapt, resulted in:
Additionally, most global organizations use multiple cloud providers. Corporate data may be stored in Azure because they have to support Microsoft Office 365, but Amazon and Google Cloud Platform (GCP) are also used for computing, applications, and containers. This leaves IT teams to manage and maintain security across cloud environments where multiple monitoring and management consoles operate differently. Meanwhile, they still have to make sure that every user has the right access — and data isn’t falling into the wrong hands.
The biggest challenge is sheer complexity. Because each cloud is different, many organizations that have embraced cloud technology still have separate teams managing each public cloud: they have an Azure team, one that manages GCP, one that manages AWS. So there’s often a lack of visibility and collaboration across teams — especially when provisioning and deprovisioning access to resources as users move throughout the identity management lifecycle. You’ve got development teams, you’ve got application teams, IT teams, infrastructure teams, etc. All this complexity leaves the door open for cyber attackers because there is no centralized view. This is why the need for greater visibility across clouds is so critical.
And that visibility is not just for joiner, mover, leaver processes that deal with access, says Owen. “It’s also about cloud security posture management (CSPM) and cloud infrastructure entitlements management. We are moving beyond human identities and their access to groups or applications. It’s now identities which are both human and non-human, their access to policies, roles, and the setup of services.” And that requires more comprehensive visibility into everything people are doing on the cloud.
“Governance can provide the starting point where processes and policies are put in place,” says Raghavan, “Companies should create a committee or designate a person who oversees the whole cloud adoption to ensure that the policies are in place and people follow them accordingly so that people get appropriate access.”
They should also avoid the “lift and shift” mentality. “We’re all used to how governance works in an on-prem world,” says Owen, “Lots of organizations are trying to take the same methodologies that they used from on-prem into the cloud, the same technologies and ways of working. But this is not the right approach if companies want to really take advantage of the flexibility and scalability of the cloud.”
Rather than being the “set it and forget it” prospect it used to be, “governance has become a journey, and we have to continuously update our processes going forward, because things are always changing in the real world,” says Raghavan. Cyber attacks are getting more common and more powerful, and they always rely on innovative approaches to breach security.
There’s been a proliferation of security tools that attempt to deal with this problem. The recent Panaseer 2022 Security Leaders Peer Report found that cloud adoption over the last few years has driven a 19% increase in the number of security tools each organization must manage. The number is now up to a whopping 76 tools. But adding more security tools is not necessarily the answer. In fact, tools that are replaced by something new may cause security gaps themselves if they fall under the radar through disuse. “Organizations need to make sure a security tool is a good fit before adding it,” says Raghavan, “Otherwise, it will just contribute to the very problem the organization is trying to fix.”
When securing multi-cloud infrastructures, each cloud provider has its own model for how identities and privileges are managed. Those models have different roles, and different security controls, creating the need for solutions that can manage identities across clouds.
In response, “we’re starting to see converged platforms that consolidate some of this effort, to perform these tasks with a single set of credentials, a single consistent policy,” says Owen. One of the biggest security risks in multi-cloud management is privileged access sprawl. A converged platform that can reduce privileged access sprawl with just-in-time, time-bound, and just-enough access across multi-cloud architectures is needed.
At Saviynt, we understand multi-cloud management and governance. Our cloud-native Enterprise Identity Cloud helps enterprises conquer multi-cloud security challenges, secure cloud workloads, and accelerate cloud adoption. This helps organizations manage access and governance for any identity, app, or cloud through a unified platform and security controls.
To learn more, explore our Multi-cloud Management & Governance solutions or schedule a demo today.