JD Sherry, a Client Partner at ISTARI, explains how cyber breaches will increasingly take advantage of gaps in poorly architected multi-cloud infrastructure.

The shift to cloud computing over the last decade was driven by the frustrations of application developers who needed to work with greater speed on coding rather than wait for sluggish digital infrastructures to support them, especially in the move from development to testing to production. As Agile and DevOps methodologies became more popular, teams saw the cloud as the future.

The growth of Amazon Web Services, which started as an in-house platform for the e-commerce giant before turning into a standalone business, offered companies access to new levels of computing power. But companies have started realising the risks of relying on a single provider - note, for instance, the major AWS outages in December 2021. They also have more choice, as the shift to cloud computing has brought more start-ups, vendors and specialist providers into the market.

Most organisations are now developing a multi-cloud, multi-year strategy, leveraging IaaS (Infrastructure as a Service), SaaS (Software as a Service), and PaaS (Platform as a Service). While this multi-cloud approach brings diversification benefits, the cyber risks become more complex, because ascertaining the identity of a person, service or machine, to provide access to the relevant data or capability, becomes harder. 

Sandy Bird, CTO and Co-Founder of Sonrai Security, a cloud security company, was right when he told Silicon Angle that identity is about more than people: “When we talk about identity, we always think of people. But it’s not, of course. Sometimes it’s a machine; sometimes, it’s a cloud service. It could be many different things.” The question for companies, he argued, is how to ensure, efficiently and safely, that all those ‘identities’ can access a resource, and how to plan for what happens when a bad actor takes over an identity.

Bad actors can infiltrate cloud systems by targeting the identification gaps between them. As application teams sprint ahead, they often leave the security and compliance teams scrambling to protect their digital footprint across several clouds. As cloud complexity and identities increase, organisations fall further behind in ensuring that clouds are properly configured and monitored.

 

Creating greater visibility in the cloud 

The C-suite has viewed the cloud as a magical medicine that cuts costs, increases speed and improves operational performance - to be sure, it can do all of these things. But these benefits are dwarfed by the financial, reputational and material fallout of cyber vulnerabilities in poorly architected clouds, which stem from a lack of foresight over how to govern identity and access in a fragmented cloud environment.

To achieve intra-cloud resilience, organisations need greater visibility into their clouds and to establish guardrails or swim lanes for controlling how data can be accessed and by whom. They need to create graphical visualisations of how data and identities are intertwined to ensure maturity levels can be baselined and enforced. Cybersecurity must be integrated into their cloud roadmap. They can prioritise by focusing on identity, data classification and entitlement (access) enforcement as baseline controls for their multi-cloud security strategy. ‘Shifting left’ - designing security upfront into the process - is critical in this new operating model.

Clients are going to use more than one cloud. They need to be thoughtful about what ‘multi-cloud’ looks like and the right architecture and strategy to get the benefits of cloud, without compromising operational and cyber resilience. Our adversaries are counting on us to move fast and forget the basics.

 

This article first appeared on cybermagazine.com.