Question: Which cloud strategy should I consider for my organization — multicloud or multiregion?

Ryan Sydlik, Security Engineer, Telos Corp.: The lesson to be learned from the AWS outage is that a multiregion strategy within a single cloud is effective and a multicloud strategy has no added benefit. The outage affected US-EAST-1 Northern Virginia, but it did not affect US-EAST-2 Ohio. A workload that is able to fail over, whether automatically or with some manual effort, would have been able to weather the outage. This also highlights the importance of disaster recovery testing. When an outage is relatively short like this AWS outage, if you are not confident in failover, you might not judge it to be worth the risk for a few hours. There is also another pitfall without proper testing: The region you are failing over to might be fine, but your workload might still fail to recover because of a misconfiguration or bug in your failover process that was not found due to a lack of testing.

A multicloud approach would have worked if properly implemented, too. However, it would be far more complicated than a multiregion strategy with failover testing, and it means that you have more exposure to cloud outages. You would not only have to worry about an AWS outage, but you would also have to worry about Azure or Google Cloud Platform (GCP) outages as well. And as costly as a multiregional strategy is within a single cloud provider, a multicloud strategy is more expensive by orders of magnitude.

For security, multiregion is better, though not for the reason you might think. You could argue that multiregion is more vulnerable in that it requires only one platform to be breached to get access to everything. But you could also argue that multicloud is more vulnerable due to the increased exposure caused by being in multiple platforms. In practicality, however, multiregion is better simply from a risk management perspective. Securing three cloud platforms requires more tools and more hard-to-find experts than one platform does, and it is already difficult for most organizations to secure just one platform. If security is viewed through a lens of risk, and risk is viewed through the lens of cost, multiregion wins.