Multi-cloud security is a cloud security solution that allows comprehensive data protection across multiple cloud platforms, including both private clouds and public clouds like AWS, Azure, Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI). Organisations can use multi-cloud security to protect all cloud platforms and their varying functions.
Multi-cloud adoption is no longer a choice – it's an essential element in the fast-paced, modern organisation where agility and flexibility impact business success. While multi-cloud environments offer tremendous benefits to organisations, they also create greater complexity that can lead to security gaps and inefficiencies, making it difficult for organisations to achieve the full benefit of cloud economics.
To harness the full benefit of cloud economics, organisations need a strategy for multi-cloud security. This article reviews multi-cloud security architecture, requirements, challenges and best practices to help organisations optimise their multi-cloud strategy regardless of where they are in their journey.
Multi-cloud adoption has accelerated in recent years. In the 2022 Hybrid Cloud Trends report commissioned by Cisco, 82% of IT leaders reported they have adopted hybrid cloud and 58% of organisations use between two and three infrastructure-as-a-service (IaaS) clouds1. Gartner reported that, by 2023, 40% of all enterprise workloads would be deployed in cloud infrastructure and platform services, up from 20% in 20202. Undoubtedly, organisations have embraced all the benefits multi-cloud environments have to offer. While the majority have already invested significantly into more than one cloud to support digital transformation and other initiatives, many plan additional investments to further enable their digital business.
Multi-cloud success, however, remains elusive for many organisations. Among medium-sized organisations, for example, only 50% report that multi-cloud has helped achieve business goals, according to a 2021 survey by HashiCorp3.
In conversations with customers, many have called out cost management, governance and visibility as common barriers to adoption and deployment of multi-cloud environments, but one factor that consistently lingers at the top is security. In a 2023 Valtix survey, 51% of IT leaders agreed or strongly agreed that their company doesn't want to expand to additional clouds because of the security complexities.
One driver behind the challenges is the expectation that you can simply extend your data centre or on-premise-security framework into the cloud. However, to solve the security complexities associated with multi-cloud environments, your strategy needs to adapt to the dynamic environment with a cloud-first approach.
This article recommends a security model that can help you advance on your multi-cloud journey at the speed of the cloud, and your business.
Figure 1. Tools used for achieving security requirements across cloud service providers
Multi-cloud environments add additional layers of risk to organisations. Risk can stem from a multitude of challenges, including:
Just as there are threats to on-premises environments, there are threats that affect multi-cloud environments too. Considering the diversity of threats that can affect an organisation's cloud environment, it's no surprise that 73% of organisations are very or extremely concerned about cloud security. Some of these threats include:
The risk of breaches and data loss command the most attention. In the 2023 IBM Cost of a Data Breach Report4, the average cost for a data breach across the boards was USD 4.45 million. Additional datapoints included cloud environments, noting 82% of breaches involved data stored in the cloud and 39% of breaches spanned across multiple environments. Breaches spanning across multiple environments also incurred a higher-than-average cost of USD 4.75 million, making data loss prevention and protection against lateral movement a necessary focal point in any multi-cloud strategy.
While navigating the cloud threat landscape, organisations must grapple with numerous multi-cloud security challenges, including:
Many of these aspects require granular expertise – not only in cloud networking and security but also in each cloud provider's product offerings and services, architecture, automation and security tools – compounding the challenges.
The shared security responsibility model of the public cloud keeps security teams on their toes. Providers typically offer guidelines, but in practice, you can't rely on them completely – and the lines sometimes appear fuzzy. This became especially evident considering recent exploits we've seen within cloud-provider services, which required the end users to mitigate while waiting for a fix.
In a traditional service outsourcing model, your provider would work with your team to clearly define the boundaries. That's not the case in the cloud.
Things get even more challenging in the constant parade of updates and new services from providers. They introduce dozens of services, hundreds of new features every year and numerous updates. Developers eagerly consume the services because they solve specific problems or add new capabilities. The rapid pace of change makes their job easier, and the security team's job harder.
This throws security teams into a perpetual cycle of catch-up, trying to figure out the implications of each change. Multiply this challenge by the number of clouds you've deployed, and the problem is quickly exacerbated.
Figure 2. Shared responsibility model
Reduced visibility and control are common problems, with 53% of surveyed cybersecurity professionals identifying a lack of visibility and 46% calling out inadequate control as their top barrier to adoption3. Other risks include insecure APIs and lack of a centralised view across multi-cloud.
The cybersecurity industry has grappled with a talent shortage for years, with the latest data showing a gap of 3.1 million security workers globally in 2025. Provider-specific security requires deep expertise with each cloud's configurations, intensifying the talent issue.
The variations in controls in individual clouds and app architectures result in inconsistent policy enforcement across your environment, leading to gaps in protection and reduced security posture.
Although your cloud architecture and security approach are different from on-premises, the tenet of multi-layered security still applies. There's no one-size-fits-all solution that covers all the threat vectors and types of attacks. When building out your security layers, consider capabilities such as:
In contrast, a solution that delivers both networking and security in a cloud-native way has many benefits, it:
Cloud vulnerabilities are one of the biggest challenges for security teams. Consequently, these teams devote much of their time to patching. But managing vulnerabilities alone will not protect you against zero-day threats. By the time a vendor knows about a new threat and creates a patch, it may be too late.
Just like on-premises, the multi-cloud needs both proactive and reactive defences. Active defence enables you to block attacks, restrict unauthorised access to assets and defend against new and emerging threats. The goal should be to break the attack kill chain in multiple places and not rely on a single point of failure in your defences. For example, to stop an attacker on a breached server, a malicious insider or a ransomware attack, an effective last stop is to restrict all outbound traffic to known categories of sites, domains and URLs.
Although multi-cloud security solutions have different functionalities based on their category, they share a set of common criteria, such as simplicity of deployment and management. When evaluating a vendor's multi-cloud security solution, consider the following aspects:
To detect malicious activities such as data exfiltration, you need to combine your cloud asset information and threat intelligence with complete visibility into all traffic flows, including inbound from and outbound to the internet, east-west and to platform-as-a-service (PaaS) services.
A solution with a thorough and robust feature set will reduce or eliminate the need for multiple point products and enable you to consolidate your cloud security. Look for critical capabilities such as dynamic policy enforcement, segmentation, network protection (cloud firewall) and web protection.
If your security only allows you to react to threats rather than proactively stop them, your team will always remain at least one step behind the adversary. In the past, active defence required an agent-based solution. Now, organisations can achieve active defence with an agentless approach, reducing deployment and maintenance challenges.
Business requirements and environments continuously change, and security needs to be able to quickly scale in and out to adapt to those changes. The multi-cloud security solution should automatically scale security to meet demand, discover new assets as they are implemented in the production environment, and apply context-based policy – so your team doesn't have to constantly worry about operating the tool across multiple clouds, regions and accounts. The multi-cloud security solution should automatically scale security to meet demand, discover new assets as they are implemented in the production environment, and apply context-based policy – all without manual intervention, so your team doesn't have to constantly worry about operating the tool across multiple clouds, regions and accounts.
Your cloud security solution shouldn't amplify the complexities of an already complex multi-cloud environment, yet many vendors' products are difficult and time-consuming to deploy across public cloud infrastructure. Look for a turnkey solution that simply achieves outcomes, is fast to implement and works natively in your environment. This will eliminate the need for admins to manually adapt the environment – instead, the solution ‘learns’ the environment through the APIs in that cloud.
A centralised control plane across disparate clouds enables you to enforce security policies consistently from one controller, simplifying multi-cloud management and alleviating complexity. To achieve this, the security solution should provide an abstraction layer that decouples the control plane and data plane.
Figure 3. Cisco Multicloud Defense's comprehensive approach to multi-cloud network security
Cisco Multicloud Defense solves the complexities of deploying and managing security in multi-cloud environments. Delivered as a service, it unifies security controls across AWS, Azure, GCP and OCI through a single control plane, bringing simplicity to complex multi-cloud environments.
Today's IT and DevOps teams move fast to support digital transformations and other initiatives that keep your business competitive. Cisco Multicloud Defense helps your teams to achieve the full benefit of cloud economics with the skilled resources you already have and without compromising on security.
Figure 3. Cisco Multicloud Defense's comprehensive approach to multi-cloud network security
Multi-cloud adoption is no longer a choice – it's an essential element in the fast-paced, modern business environment where agility impacts the success of your business. Without understanding the full spectrum of challenges and requirements of the multi-cloud, it would be difficult to account for the obstacles and risk you may face on your cloud journey. You can overcome the hurdles by shifting to a cloud-first mentality – implementing security solutions that minimise complexity and risk by design, helping your organisation securely stay in control in an ever-changing multi-cloud world.
Do you have questions? Do you want to see Cisco Multicloud Defense in action? Take our product tour, request a demo or try it for yourself with our free trial.
