Multicloud security: architecture and ultimate guide

Understand multicloud network security architecture for AWS, Azure, GCP, and OCI.

What is multicloud security?

Multicloud security is a cloud security solution that allows comprehensive data protection across multiple cloud platforms, including both private clouds and public clouds like AWS, Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI). Organisations can use multicloud security to protect all cloud platforms and their varying functions.

Why is multicloud security important? 

Multicloud adoption is no longer a choice—it's an essential element in the fast-paced, modern organisation where agility and flexibility impact business success. While multicloud environments offer tremendous benefits to organisations, they also create greater complexity that can lead to security gaps and inefficiencies, making it difficult for organisations to achieve the full benefit of cloud economics.

To harness the full benefit of cloud economics, organisations need a strategy for multicloud security. This article reviews multicloud security architecture, requirements, challenges, and best practices to help organisations optimise their multicloud strategy regardless of where they are in their journey.

Multicloud is ubiquitous, security is not

Multicloud adoption has accelerated in recent years. In the 2022 Hybrid Cloud Trends report commissioned by Cisco, 82% of IT leaders reported they have adopted hybrid cloud and 58% of organisations use between two and three infrastructure-as-a-service (IaaS) clouds [1]. Gartner reported that, by 2023, 40% of all enterprise workloads would be deployed in cloud infrastructure and platform services, up from 20% in 2020 [2]. Undoubtedly, organisations have embraced all the benefits multicloud environments have to offer. While the majority have already invested significantly into more than one cloud to support digital transformation and other initiatives, many plan additional investments to further enable their digital business.

Multicloud success, however, remains elusive for many organisations. Among midsize organisations, for example, only 50% report that multicloud has helped achieve business goals, according to a 2021 survey by HashiCorp [3].

In conversations with customers, many have called out cost management, governance, and visibility as common barriers to adoption and deployment of multicloud environments, but one factor that consistently lingers at the top is security. In a 2023 Valtix survey, 51% of IT leaders agreed or strongly agreed that their company doesn't want to expand to additional clouds because of the security complexities. 

One driver behind the challenges is the expectation that you can simply extend your data center or on-premise-security framework into the cloud. However, to solve the security complexities associated with multicloud environments, your strategy needs to adapt to the dynamic environment with a cloud-first approach. 

This article recommends a security model that can help you advance on your multicloud journey at the speed of the cloud—and your business.

Figure 1. Tools used for achieving security requirements across cloud service providers

Challenges of multicloud security

Multicloud environments add layers of risk for organisations. Risk can stem from a multitude of challenges, including:

Cloud threats

Just as there are threats to on-premises environments, there are threats that affect multicloud environments too. Considering the diversity of threats that can affect an organisation's cloud environment, it's no surprise that 73% of organisations are very or extremely concerned about cloud security. Some of these threats include:

  • Botnets
  • Zero-day exploits
  • Cryptomining
  • Malware
  • Malicious insiders
  • Ransomware and lateral movement of threats

Data loss and breaches

The risk of breaches and data loss commands the most attention. In the 2023 IBM Cost of a Data Breach Report [4], the average cost of a data breach across the board was US$4.45 million. The report also covered cloud environments, noting that 82% of breaches involved data stored in the cloud and 39% of breaches spanned multiple environments. Breaches spanning multiple environments also incurred a higher-than-average cost of US$4.75 million, making data loss prevention and protection against lateral movement a necessary focal point in any multicloud strategy.

Complexity

While navigating the cloud threat landscape, organisations must grapple with numerous multicloud security challenges, including: 

  • The complexities—and the gray areas and vagaries—of the shared responsibility model 
  • Risks that are unique to the cloud, such as reduced visibility and control 
  • The inherent open model of the cloud, which requires additional considerations 
  • The inconsistent architecture and infrastructure of the various cloud environments 
  • Additional issues such as talent shortage and compliance 

Many of these aspects require granular expertise—not only in cloud networking and security but also in each cloud provider's product offerings and services, architecture, automation, and security tools—compounding the challenges. 

The shared responsibility model: Complex, vague, and rigid 

The shared security responsibility model of the public cloud keeps security teams on their toes. Providers typically offer guidelines, but in practice, you can't rely on them completely—and the lines sometimes appear fuzzy. This became especially evident considering recent exploits we've seen within cloud-provider services, which required the end users to mitigate while waiting for a fix. 

In a traditional service outsourcing model, your provider would work with your team to clearly define the boundaries. That's not the case in the cloud. 

Things get even more challenging in the constant parade of updates and new services from providers. They introduce dozens of services, hundreds of new features every year, and numerous updates. Developers eagerly consume the services because they solve specific problems or add new capabilities. The rapid pace of change makes their job easier—and the security team's job harder.

This throws security teams into a perpetual cycle of catch-up, trying to figure out the implications of each change. Multiply this challenge by the number of clouds you've deployed, and the problem is quickly exacerbated. 

Figure 2. Shared responsibility model

Other challenges 

Unique cloud security risks 

Reduced visibility and control are common problems, with 53% of surveyed cybersecurity professionals identifying a lack of visibility and 46% calling out inadequate control as their top barrier to adoption [3]. Other risks include insecure APIs and lack of a centralised view across multicloud.

The talent gap

The cybersecurity industry has grappled with a talent shortage for years, with the latest data showing a gap of 3.1 million security workers globally in 2020 [5]. Provider-specific security requires deep expertise with each cloud's configurations, intensifying the talent issue.

Policy enforcement 

The variations in controls in individual clouds and app architectures result in inconsistent policy enforcement across your environment, leading to gaps in protection and reduced security posture.

Building layered defenses in the cloud 

Although your cloud architecture and security approach are different from on-premises, the tenet of multilayered security still applies. There's no one-size-fits-all solution that covers all the threat vectors and types of attacks. When building out your security layers, consider capabilities such as: 

  • Visibility into all your assets (apps, APIs, workloads, etc.) across all your clouds, as well as into your security monitoring and whether it's working as expected 
  • Cloud network security, such as firewall, data loss protection (DLP), segmentation, and intrusion detection/intrusion prevention systems (cloud IDS/IPS) 
  • Protection against web threats through web application firewall (cloud WAF) and malicious IP blocking  
  • Context-aware security across app lifecycle (dev, test, prod) and type of apps (general, sensitive, compliance) 

Extending these security layers from the data center or bolting them on top of your architecture is ineffective and introduces new problems, such as orchestrating and automating the tools across multicloud.

In contrast, a solution that delivers both networking and security in a cloud-native way has many benefits. It:

  • Offers advantages such as agility, scalability, and elasticity 
  • Works seamlessly with your cloud apps 
  • Enables continuous discovery of new apps and infrastructure and automatic policy based on app context

Implement active defense 

Cloud vulnerabilities are one of the biggest challenges for security teams. Consequently, these teams devote much of their time to patching. But managing vulnerabilities alone will not protect you against zero-day threats. By the time a vendor knows about a new threat and creates a patch, it may be too late. 

Just like on-premises, the multicloud needs both proactive and reactive defenses. Active defense enables you to block attacks, restrict unauthorised access to assets, and defend against new and emerging threats. The goal should be to break the attack kill chain in multiple places and not rely on a single point of failure in your defenses. For example, to stop an attacker on a breached server, a malicious insider, or a ransomware attack, an effective last stop is to restrict all outbound traffic to known categories of sites, domains, and URLs. 
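
The outbound restriction described above, sketched as an added example (it is not Cisco Multicloud Defense code or configuration): a default-deny egress check that evaluates constructed flow records against a domain allowlist. It covers the domain part of the idea only, and the allowlist entries, the `Flow` field names, and all hostnames are assumptions on reserved example domains.

```python
from dataclasses import dataclass

# Hypothetical allowlist: exact hosts plus "*." wildcards, on reserved example domains.
ALLOWED_EGRESS = ["*.pkg.example.com", "idp.example.org"]

@dataclass(frozen=True)
class Flow:
    """One outbound connection record; field names are assumptions."""
    cloud: str
    workload: str
    dest_host: str  # TLS SNI or HTTP Host seen on the connection, "" if none
    dest_port: int

def normalize(host):
    # Lower-case and drop a trailing dot so "IdP.Example.ORG." still matches.
    return host.strip().lower().rstrip(".")

def host_allowed(host, allowlist=ALLOWED_EGRESS):
    host = normalize(host)
    if not host:
        return False  # no hostname (raw IP connection): default deny
    for pattern in map(normalize, allowlist):
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".pkg.example.com": match on a label boundary
            if host.endswith(suffix) and host != suffix:
                return True
        elif host == pattern:
            return True
    return False

def evaluate(flows, allowlist=ALLOWED_EGRESS):
    """Split flows into (allowed, denied); denied is what to block and alert on."""
    allowed, denied = [], []
    for flow in flows:
        (allowed if host_allowed(flow.dest_host, allowlist) else denied).append(flow)
    return allowed, denied

# Constructed sample records, not real traffic.
SAMPLE_FLOWS = [
    Flow("aws", "web-1", "eu.pkg.example.com", 443),
    Flow("azure", "api-2", "IdP.Example.ORG.", 443),
    Flow("gcp", "batch-3", "notpkg.example.com", 443),  # look-alike, no label boundary
    Flow("aws", "web-1", "pkg.example.com.files.example.net", 443),  # allowed name as prefix
    Flow("oci", "db-4", "", 4444),  # no hostname at all
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_FLOWS)[1]:
        print("DENY", f.cloud, f.workload, f.dest_host or "<no hostname>", f.dest_port)
```

Matching on a label boundary and denying flows with no hostname are the two details that keep a suffix-style allowlist from being bypassed by look-alike names or direct-to-IP connections.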

Requirements for a multicloud security solution 

Although multicloud security solutions have different functionalities based on their category, they share a set of common criteria, such as simplicity of deployment and management. When evaluating a vendor's multicloud security solution, consider the following aspects: 

Continuous visibility 

To detect malicious activities such as data exfiltration, you need to combine your cloud asset information and threat intelligence with complete visibility into all traffic flows, including inbound from and outbound to the internet, east-west, and to platform-as-a-service (PaaS) services. 

Comprehensiveness 

A solution with a thorough and robust feature set will reduce or eliminate the need for multiple point products and enable you to consolidate your cloud security. Look for critical capabilities such as dynamic policy enforcement, segmentation, network protection (cloud firewall), and web protection. 

Active defense capabilities 

If your security only allows you to react to threats rather than proactively stop them, your team will always remain at least one step behind the adversary. In the past, active defense required an agent-based solution. Now, organisations can achieve active defense with an agentless approach, reducing deployment and maintenance challenges. 

Cloud scalability 

Business requirements and environments continuously change, and security needs to be able to quickly scale in and out to adapt to those changes. The multicloud security solution should automatically scale security to meet demand, discover new assets as they are implemented in the production environment, and apply context-based policy, all without manual intervention, so your team doesn't have to constantly worry about operating the tool across multiple clouds, regions, and accounts.

Ease and speed of deployment

Your cloud security solution shouldn't amplify the complexities of an already complex multicloud environment, yet many vendors' products are difficult and time-consuming to deploy across public cloud infrastructure. Look for a turnkey solution that simply achieves outcomes, is fast to implement, and works natively in your environment. This will eliminate the need for admins to manually adapt the environment—instead, the solution "learns" the environment through the APIs in that cloud. 

Single policy framework 

A centralised control plane across disparate clouds enables you to enforce security policies consistently from one controller, simplifying multicloud management and alleviating complexity. To achieve this, the security solution should provide an abstraction layer that decouples the control plane and data plane. 

Figure 3. Cisco Multicloud Defense's comprehensive approach to multicloud network security

Adopt unified, simplified, multicloud network security with Cisco Multicloud Defense 

Cisco Multicloud Defense solves the complexities of deploying and managing security in multicloud environments. Delivered as a service, it unifies security controls across AWS, Azure, GCP, and OCI through a single control plane, bringing simplicity to complex multicloud environments. 

Cisco Multicloud Defense delivers: 

  • Layered, proactive defense through advanced security controls (including firewall, WAF, DLP, and IDS/IPS) 
  • Deployments in as little as 5 minutes without additional infrastructure 
  • Continuous, dynamic, real-time visibility into all your cloud apps and infrastructure 
  • A single, dynamic policy framework for consistent, automatic policy enforcement across the multicloud 
  • A flexible, open platform that integrates threat intelligence feeds and third-party solutions such as security information and event management (SIEM) and security orchestration and automation response (SOAR) 

Today's IT and DevOps teams move fast to support digital transformations and other initiatives that keep your business competitive. Cisco Multicloud Defense helps your teams to achieve the full benefit of cloud economics with the skilled resources you already have and without compromising on security. 

Embrace the multicloud world with the control you need 

Multicloud adoption is no longer a choice—it's an essential element in the fast-paced, modern business environment where agility impacts the success of your business. Without understanding the full spectrum of challenges and requirements of the multicloud, it would be difficult to account for the obstacles and risk you may face on your cloud journey. You can overcome the hurdles by shifting to a cloud-first mentality— implementing security solutions that minimise complexity and risk by design, helping your organisation securely stay in control in an ever-changing multicloud world. 

References 

  1. 2022 Global Hybrid Cloud Trends Report. 451 Research and Cisco Systems, 2022
  2. Gartner Hype Cycle™ for Workload and Network Security, 2022
  3. HashiCorp State of Cloud Strategy Survey, 2021 
  4. IBM Cost of a Data Breach Report, 2023 
  5. ISC2 Cybersecurity Workforce Study, 2020