I’ve addressed concerns with multicloud security many times before. Here’s the essence of what I and others assert: Multicloud complexity causes systemic security issues. That’s a fact. Today let’s talk about how we can mitigate this complexity to deal with security risks, and what will solve the problems.
It does not take a rocket scientist to figure out the core problem. When we deploy a cloud solution, we deal with security for that deployment using whatever native tools are best for that cloud. As we all march toward multicloud, we soon discover that what is functional for a single cloud deployment is not functional for a multicloud deployment.
Why?
Two main problems: First, the number of moving parts triples or quadruples because we must deal with two or three very different native-cloud security systems. Second, the security operations budget remains static. It can’t be doubled or tripled just because we now use more than one cloud. Thus, as far as security goes, you don’t have the budget to hire the talent needed to run all public clouds the way that each needs to run.
You solve this problem, as I’ve mentioned here before, by using the concepts of abstraction and automation. These allow you to deal with all of the native-cloud security systems through a single layer of abstraction. You don’t work with native security systems on their own terms; instead, you have a common dashboard that provides security observability services and common mechanisms to work with each cloud’s specific native security layer. It’s the only way we can make multicloud work.
It’s one thing to say and another to do. Here’s the problem we now face: Generally speaking, most of those who build multicloud systems or manage multicloud security have little idea how it’s done or what technology to use. To get as much abstraction and automation as you can, this technology stack will be made up of many different technologies that can work together. This includes cross-cloud directories that support common identity and access management systems, common encryption services (both in flight and at rest), support for common security logging and observability, and so forth.
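To make the abstraction idea concrete, here is an added example (mine, not the author’s) of the pattern: a per-cloud adapter normalizes each provider’s native security log into one common event schema, so a single detection rule and dashboard query can be written once and run across clouds. The two input formats, the event values and the field names are constructed for illustration and are not any real provider’s schema.

```python
"""Cross-cloud security abstraction layer (added example, not from the article).

Each cloud's native security log has its own shape. Adapters normalise every
record into one common SecurityEvent, and detection logic is written once
against that schema. Both input formats below are constructed toy formats,
not the real schemas of any cloud provider.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class SecurityEvent:          # the common schema every cloud is mapped into
    cloud: str
    principal: str
    action: str
    resource: str
    encrypted: bool
    public: bool

# Constructed sample records in two different vendor-shaped formats.
CLOUD_A_EVENTS = [
    {"userIdentity": {"arn": "user/alice"}, "eventName": "CreateBucket",
     "resource": "bucket/data", "sse": "none", "acl": "public-read"},
]
CLOUD_B_EVENTS = [
    {"caller": "bob@example.test", "operationName": "Storage/write",
     "resourceId": "/storage/logs", "encryption": {"enabled": True},
     "publicAccess": False},
]

def from_cloud_a(e: dict) -> SecurityEvent:
    # Cloud A reports encryption as an "sse" mode string and exposure as an ACL name.
    return SecurityEvent("cloud-a", e["userIdentity"]["arn"], e["eventName"],
                         e["resource"], e.get("sse", "none") != "none",
                         e.get("acl", "") == "public-read")

def from_cloud_b(e: dict) -> SecurityEvent:
    # Cloud B reports both properties as booleans under different keys.
    return SecurityEvent("cloud-b", e["caller"], e["operationName"], e["resourceId"],
                         bool(e["encryption"]["enabled"]), bool(e["publicAccess"]))

ADAPTERS: Dict[str, Callable[[dict], SecurityEvent]] = {
    "cloud-a": from_cloud_a, "cloud-b": from_cloud_b}

def normalise(raw: Dict[str, List[dict]]) -> List[SecurityEvent]:
    return [ADAPTERS[cloud](e) for cloud, events in raw.items() for e in events]

def unencrypted_or_public(events: List[SecurityEvent]) -> List[str]:
    # One rule, written once, applied to every cloud's events.
    return [f"{ev.cloud}:{ev.resource}" for ev in events if not ev.encrypted or ev.public]

def run() -> List[str]:
    return unencrypted_or_public(
        normalise({"cloud-a": CLOUD_A_EVENTS, "cloud-b": CLOUD_B_EVENTS}))
```

Adding a third cloud means adding one adapter; the detection rule and the dashboard that consumes `SecurityEvent` records do not change.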
The bigger issue? The solutions you must build around your requirements differ greatly from one multicloud deployment to the next. Moreover, with few exceptions, a single cross-cloud security technology will not do the job. What works for one use case likely won’t work for yours. Success depends more on the right security architecture talent than on tossing technology and money at the problem.
The takeaway: You need to get started on cross-cloud security right now before your multicloud exists, or if it already exists, before it becomes too complex to manage. Invest in the talent to figure things out the right way—and “things” includes testing, deployment, and operations.
I hate to give you bad news, but we needed to figure this one out yesterday.