How to protect data in a multi-cloud environment? A beginner's guide

With the rise in cloud adoption, companies face increasing pressure to safeguard their data in multi-cloud settings. Yet, managing data access and ensuring its security pose significant challenges.

According to Crystal Morin, a cybersecurity strategist at Sysdig, the threats encountered in multi-cloud environments are akin to those in single-cloud setups. However, Sysdig's Threat Research Team has observed attackers shifting between environments during attacks, highlighting a worrying trend for multi-cloud users.

As multi-cloud environments gain popularity, attackers are expected to increasingly move laterally through these setups to gain additional privileges and access sensitive data stored across the environments, says Morin. The diverse nature of the cloud landscape, encompassing multi-cloud and hybrid setups, creates a fragmented network that expands the attack surface and complicates monitoring and protection, explains Phani Dasari, chief information security officer of HGS. To address this, enhancing visibility across the entire cloud environment is crucial for reducing cyber risks and is a top priority for security teams.

Magic gnomes are not a solution

Wayne Anderson, director of cloud, security, and infrastructure at BDO Digital, emphasizes the importance for companies to restrict access to specific company data to only those individuals who require it for their roles.

Anderson emphasizes the need for organizations to have business units that regularly communicate with the security team, willing to invest time in the planning process as much as in acquiring tools. He suggests that the best security teams act as advisors, building trust with the business to strike a balance between fast implementation and ensuring business protection.

Brandon Leiker, principal solutions architect for security at 11:11 Systems, highlights role-based access control (RBAC) as an effective method for managing permissions within an organization. RBAC involves creating roles based on user types or access levels, then assigning user accounts to these roles. However, managing access and permissions across multiple cloud environments using each environment's identity and access management solution can be challenging. Leiker suggests implementing single sign-on solutions to alleviate these challenges. This approach allows administrators to manage access and permissions across various cloud environments through a centralized platform, providing users with a single portal for accessing these environments using one set of credentials.

Backups are a target for attackers

Evan Pease, technology leader at Launch Consulting Group, emphasizes the importance of data security in a multi-cloud environment. One key approach for companies is to maintain backups in multiple locations and have robust recovery plans.

Steve Costigan, field CTO for EMEA at Zadara, agrees, stating that organizations should ensure backups are portable across different environments and locations. He advises against tying oneself to a locked-in solution with limited recovery options, emphasizing the need for true isolation between systems to restrict lateral movement in case of a compromise.

Costigan also suggests considering immutable or air-gapped offsite backups, noting that most attacks on environments now specifically target backups.

Dasari also highlights the need for versioning mechanisms and strong disaster recovery plans in multi-cloud environments. Accessible historical versions can facilitate quick restoration in the event of data loss or corruption. Rigorous testing of the disaster recovery plan is essential to minimize downtime and ensure data availability.

It's more than just the technical tools

Protecting data in a multi-cloud environment extends beyond simply using the right technical tools; it involves a holistic approach covering both administrative and technical aspects, according to Nick Harrahill, director of customer support at Spin.AI, a software-as-a-service (SaaS) security company.

Harrahill emphasizes the importance of technical measures such as data encryption for data at rest and in transit, regular monitoring of data integrity using digital signatures or hashes, and robust identity and access management controls. Additionally, he highlights the need for comprehensive auditing, timely vulnerability management, adoption of data management platforms, strengthened network security, and automated disaster recovery solutions.

On the administrative side, Harrahill stresses the significance of thorough vendor evaluations and contracts ensuring compliance with service-level agreements and high security standards. He also recommends frequent third-party audits, robust data security policies, a well-defined incident response strategy, and stringent data lifecycle management guidelines.

Harrahill emphasizes the need for partnership between clients and vendors, with each contributing their expertise and controls. He advocates the mantra 'trust but verify,' which is foundational to building and maintaining strong, secure relationships in the multi-cloud space, ensuring data integrity and safety.

Mike Fraser, VP of DevSecOps at Sophos, a provider of cybersecurity solutions, underscores the importance of understanding each cloud provider's security mechanisms and aligning them with internal protocols. He highlights the need for data encryption at rest and during transit, with enhanced security achieved when organizations manage their encryption keys.

Fraser also notes the significance of cybersecurity posture management and data security posture management in maintaining secure and compliant configurations of cloud services and data, often integrated seamlessly into modern DevSecOps pipelines for enforcement through automation.

In conclusion, as cyber threats evolve and regulations become more stringent, organizations globally will prioritize cyber investments to protect "business-impacting" data, says Dasari. This involves understanding such data across the organization and continuously assessing its introduction into the environment, whether through the cloud, SaaS solutions, core applications, or third-party relationships. This approach leads to more resilient cybersecurity programs and minimized risks for organizations.