
Mitigating Risk and Communicating Value in Multicloud Environments

Protecting against risk is a shared responsibility that only gets more complex as you mix the different approaches of common cloud services.

Heath Anderson, Vice President of Information Security & Technology at LogicGate

September 23, 2022


More enterprises are taking a multicloud approach as part of their digital transformation efforts to support distributed teams working in hybrid and remote models. And just as hybrid work environments are here to stay, the multicloud approach has taken hold. Gartner predicts global cloud revenue will reach $474 billion in 2022, with 90% of enterprises already working toward a multicloud strategy.

When leveraged correctly, a multicloud strategy can make many processes more efficient. It also offers greater resilience to outages and more vendor flexibility than a single-cloud strategy. Additional advantages include:

  • Avoiding vendor lock-in with one cloud provider. An organization with a global footprint and specialized data can select the location of the data center with the least impact to its business. For instance, Microsoft Azure currently leads in the Middle East from a data center location perspective.

  • The ability to take advantage of distinguishing features offered by each cloud vendor, such as unique database solutions in Google Cloud or the ability to manage your on-premises and cloud resources much more seamlessly in Microsoft Azure.

  • Better costs and business resiliency: specific services can be less expensive through a specific vendor, and using more than one vendor offers protection against service disruptions. Both require designing your services to leverage the benefits, but once established, your organization can recoup its investment over two to three years, resulting in long-term cost savings.

However, these advantages come at a cost. It can be challenging to ensure data and cloud infrastructure are secure and aligned to your obligations and controls when disparate environments are hosted through multiple providers. Telling a unified story around the data, configuration, and security within those environments can be nearly impossible.

CISOs who are embracing a multicloud data approach must focus on two main security concerns: managing risks posed by vendors and their different cloud operating models, and demonstrating the value of their security controls and strategies in the face of increased costs of operating in a multicloud world.

Managing Risk Across Clouds

The impact and frequency of cyberattacks have grown in parallel with the escalating focus on multicloud strategies. Ransomware attacks, data breaches, and major IT outages topped the Allianz Risk Barometer this year for only the second time in the survey's history, with executives ranking them as more worrisome than supply chain disruption, natural disasters, and the pandemic. Companies are right to show concern: Organizations worldwide experienced 50% more weekly cyberattacks in 2021, compared with 2020.

Business leaders are catching up on the significance of cyberattacks, but most are underinformed about the risks posed by their vendor partners. In PwC's "2022 Global Digital Trust Insights Survey," 57% of business leaders said they anticipate a jump in attacks on cloud services, but only 37% said they understand cloud risks. The approach and operating models of security vary among cloud providers, and protecting against risk is a shared responsibility that only gets more complex as you add common cloud services that use different approaches, such as identity and access management (IAM) or virtualized servers.

For example, different cloud vendors have their own approach to role-based access. Amazon Web Services handles identity by attaching IAM policies directly to a virtual server, which grants the server the ability to take actions. Google Cloud's offering, in contrast, focuses on creating service accounts (users) and then attaching those accounts to the server so it can interact with another resource. These small differences add up at enterprise scale, making it more complex to enforce least privilege and other security requirements across both clouds.
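To make the difference concrete, the added example below (not from the article or from either vendor) flattens an AWS policy document and a Google Cloud IAM policy into one record shape so a single least-privilege check covers both. The role, bucket, project and account names are constructed placeholders, and the AWS policy is assumed to be the one on the role the server runs under.

```python
# Constructed sample data: role, bucket, project and account names are placeholders.
AWS_INSTANCE_ROLE = {"role_name": "web-server-role", "policy": {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-assets/*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    ]}}
GCP_SA = "serviceAccount:web@example-project.iam.gserviceaccount.com"
GCP_PROJECT_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": [GCP_SA]},
    {"role": "roles/editor", "members": [GCP_SA, "user:admin@example.com"]},
]}
BROAD_GCP_ROLES = {"roles/owner", "roles/editor"}  # basic roles that span most services

def _as_list(value):
    return value if isinstance(value, list) else [value]

def normalize_aws(role):
    """Flatten Allow statements of the instance role's policy into grant records."""
    return [{"cloud": "aws", "principal": role["role_name"],
             "permission": action, "scope": resource}
            for stmt in _as_list(role["policy"]["Statement"])
            if stmt.get("Effect") == "Allow"
            for action in _as_list(stmt["Action"])
            for resource in _as_list(stmt["Resource"])]

def normalize_gcp(policy, scope):
    """Turn each service-account member of each binding into the same record shape."""
    return [{"cloud": "gcp", "principal": member.split(":", 1)[1],
             "permission": binding["role"], "scope": scope}
            for binding in policy["bindings"]
            for member in binding["members"]
            if member.startswith("serviceAccount:")]

def is_overbroad(grant):
    """One least-privilege rule per cloud: wildcards on AWS, basic roles on GCP."""
    if grant["cloud"] == "aws":
        return "*" in grant["permission"] and grant["scope"] == "*"
    return grant["permission"] in BROAD_GCP_ROLES

def findings():
    grants = (normalize_aws(AWS_INSTANCE_ROLE)
              + normalize_gcp(GCP_PROJECT_POLICY, "projects/example-project"))
    return [g for g in grants if is_overbroad(g)]

if __name__ == "__main__":
    for g in findings():
        print(f"{g['cloud']}: {g['principal']} has {g['permission']} on {g['scope']}")
```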

Because cloud services aren't designed to integrate with their competitors, learning how to use security tools for each cloud provider is just the beginning. IT teams will need to centralize their security monitoring with a security information and event management (SIEM) tool, along with other third-party tools to increase interoperability of cloud services. These added systems require additional training and resources and perhaps even additional IT staffing to ensure expertise in each cloud platform and how those platforms work together.

In addition to these built-in differences between their services, most cloud vendors prioritize their own specifically tailored security offerings. This drives a host of complications that plague cloud security. For example, a cloud Web application firewall (WAF) can be used to protect your network, but it will only work with a specific cloud service provider and cannot be expanded across multiple cloud offerings. Duplicating these functionalities for different providers requires either duplicating teams to support and manage these key security tools or buying a cloud-agnostic service, which adds yet another vendor to the mix.

This additional risk and cost, typically not discovered until late in the deployment of a multicloud model, can push out timelines, increase cost, and trigger audit findings. Failure to plan for and mitigate these risks can leave a company susceptible to financial loss, regulatory action, litigation, and reputational damage.

Communicating Value With Risk Quantification

Gartner estimates that by 2023, 30% of CISOs' effectiveness will hinge on their ability to demonstrate value. As multicloud data strategies become the norm and the cost of security controls within that strategy increases, risk quantification can help leaders communicate their value consistently by expressing the multicloud risk posture in clear monetary values.

According to PwC, organizations that reported the most significant improvement in data trust outcomes had two things in common: They predicted an increase in their cybersecurity spending, and they incorporated business intelligence and data analytics into their operational models, including risk quantification.

To assess the financial risks of a multicloud strategy, CISOs must take into account the costs of each platform weighed against their perceived risks. Those considerations must include the data management and cybersecurity practices of all the cloud providers you're considering, along with any cloud-agnostic tools and platforms you'll be using for joint monitoring.

With so many factors at play, you can't afford to rely on imprecise, gut-feel measuring scales like "low, medium, high" and "red, yellow, green." Expressing risk data in financial terms is a powerful tool because it offers a common language to communicate changing risk priorities, improve alignment between CISOs and the board, and facilitate better-informed risk management decisions.

Here's an example: A CISO is looking at the financial value associated with the various risks of multicloud architecture. By comparing tactics for mitigating a cybersecurity incident, they find that better controls over administrative privileges reduce the financial cost of the event far more than implementing a cybersecurity training program. While the CISO understands the technical details of cyber-risk within multicloud architecture, the rest of the C-suite will benefit from the clarity of monetary values associated with each risk and mitigation tactic. By empowering CISOs to make their case to their colleagues and the board, risk quantification brings more transparency to the many moving parts of a multicloud strategy.
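The comparison in that scenario can be run as a small Monte Carlo model. The sketch below is an added example, not the author's or LogicGate's method: every frequency, loss figure, control effect and cost is a constructed assumption, chosen only to show how two mitigation tactics end up ranked in dollars.

```python
import math
import random

# Constructed inputs for illustration only; none of these figures come from the article.
BASELINE = {"events_per_year": 0.6, "median_loss": 900_000, "sigma": 1.0}
CONTROLS = {
    # name: (multiplier on event frequency, multiplier on loss size, annual cost)
    "admin privilege controls": (0.7, 0.35, 150_000),
    "security awareness training": (0.8, 0.95, 60_000),
}

def poisson(rng, lam):
    """Draw a Poisson-distributed event count (Knuth's method, fine for small lam)."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count

def simulate(events_per_year, median_loss, sigma, years=20_000, seed=7):
    """Return (mean, 95th percentile) of simulated annual loss in dollars."""
    rng = random.Random(seed)
    mu = math.log(median_loss)  # lognormal severity: median = exp(mu)
    totals = []
    for _ in range(years):
        n = poisson(rng, events_per_year)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    totals.sort()
    return sum(totals) / years, totals[int(0.95 * years)]

def compare(baseline=BASELINE, controls=CONTROLS):
    """Rank controls by net annual benefit: expected loss avoided minus control cost."""
    base_mean, _ = simulate(**baseline)
    rows = []
    for name, (freq_mult, loss_mult, cost) in controls.items():
        mean, p95 = simulate(baseline["events_per_year"] * freq_mult,
                             baseline["median_loss"] * loss_mult, baseline["sigma"])
        rows.append({"control": name, "expected_loss": mean, "p95_loss": p95,
                     "net_benefit": base_mean - mean - cost})
    return base_mean, sorted(rows, key=lambda r: r["net_benefit"], reverse=True)

if __name__ == "__main__":
    base, ranked = compare()
    print(f"baseline expected annual loss: ${base:,.0f}")
    for r in ranked:
        print(f"{r['control']:30s} expected ${r['expected_loss']:,.0f}  "
              f"p95 ${r['p95_loss']:,.0f}  net benefit ${r['net_benefit']:,.0f}")
```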

According to Gartner, more than 85% of organizations will function as cloud-first by 2025, and they won't be able to fully realize their digital strategies without using cloud-native technologies. A Gartner leader put it this way: "There is no business strategy without a cloud strategy."

It's imperative that business leaders pursue strategies to safeguard their data and communicate their multicloud priorities, aligning across the organization with a common language of value.

About the Author(s)

Heath Anderson

Vice President of Information Security & Technology at LogicGate

As the Vice President of Information Security & Technology at LogicGate, Heath enjoys the opportunity to take on the challenge of building a thoughtful and proactive security and data-driven culture at a scaling tech company and learn from customers and their approaches to GRC. In past lives, Heath spent time consulting, deploying, and operating InfoSec programs for various Fortune 1000 companies as well as working in the Air Force to design, test, and integrate security into awesome new software for our growing Space effort.
