Public clouds are a viable platform for many enterprise applications, but security concerns remain. And, as organizations move to embrace multiple clouds for better versatility and availability, they often overlook emerging security issues, potentially causing data loss, compliance violations and more.
Evaluate the top multicloud security issues, along with ways to mitigate them in your organization.
The evolution of multicloud computing
In many cases, an enterprise's use of multiple cloud providers is cursory; for instance, an organization might duplicate a data store from AWS Simple Storage Service to a Google Cloud Storage bucket. In other cases, users might take a virtual machine running on an AWS Elastic Compute Cloud instance and restart it in Google Compute Engine. These use cases help improve data and application availability.
In an ideal multicloud scenario, multiple clouds are tightly integrated, and users load balance and fail over applications between different cloud providers and platforms. However, because cloud providers don't use standard service suites and application programming interfaces (APIs), this level of integration is not yet possible. For example, an application deployed on AWS might use AWS Lambda for event-driven computing. But if other cloud providers don't have a corresponding service, that application might not be able to run on another provider's platform.
A closer look at multicloud security issues
One limitation associated with multicloud computing is the lack of similarities between clouds. Each public cloud provider uses different technologies, interfaces and even terminology to describe services or behaviors. There is no standardization of methodologies, services, instance sizes, performance or other attributes between public cloud vendors.
As a result, users often face interoperability issues between vendors and need workarounds or APIs to operate an application that's deployed on different services. Without them, gaps between the services could expose an attack surface. Tools like Oracle's Ravello use nested virtualization to encapsulate VMs and allow users to deploy apps on multiple clouds without making changes -- but that technology is still evolving.
There are other multicloud security issues to consider. The network, for example, remains a perennial security vulnerability because data needs to travel across the Internet, which can be insecure and has its own configuration and security flaws. In addition, social engineering presents a risk, and hacked cloud accounts can expose a corporation's public cloud resources. If you use public clouds, educate administrators, employees and end users about proper security policies and confidentiality.
What's next for multicloud security?
There are additional security considerations that will impact multicloud computing in the future. For example, true integration -- including the ability to load balance and fail over -- between multiple clouds requires a common way to establish and maintain trust between providers. This includes a common way to approach identity management between clouds. In addition, there must be a common way to handle policies, automation and monitoring so that organizations can detect and mitigate threats, regardless of which cloud is impacted.
Philippe Courtot, chairman and CEO of Qualys, believes that vendors need to start treating malware and threats in the cloud like infectious diseases that can spread across the globe.
Someday, it may be possible to distribute data storage across multiple clouds in a RAID-like manner. Today's data duplication between clouds is reminiscent of data mirroring -- or RAID 1 -- where data is duplicated between cloud storage instances. Eventually, the integration of multiple clouds might allow organizations to distribute data across multiple storage instances, more closely resembling RAID 5. In addition to improving storage performance, this could support the distribution of error-correcting codes, and potentially allow one cloud provider to rebuild data that another provider may lose or corrupt.
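The RAID 5-style layout described above can be sketched in a few lines. The following is an added example, not code from the article or from any cloud provider: the three providers are simulated as in-memory lists, the function names `stripe` and `recover` are hypothetical, and the owner-held SHA-256 manifest is an assumption that goes slightly beyond the text so that a corrupted chunk can be detected before parity rebuilds it.

```python
import hashlib
from functools import reduce

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stripe(data: bytes, providers: int = 3, chunk: int = 4):
    """Stripe data over `providers` stores with one rotating XOR parity chunk per stripe."""
    n = providers - 1                                  # data chunks per stripe
    padded = data + b"\0" * (-len(data) % (n * chunk))
    stores = [[] for _ in range(providers)]            # what each provider holds
    manifest = [[] for _ in range(providers)]          # SHA-256 digests kept by the owner
    for s, off in enumerate(range(0, len(padded), n * chunk)):
        row = [padded[off + i * chunk: off + (i + 1) * chunk] for i in range(n)]
        row.insert(s % providers, reduce(xor, row))    # parity slot rotates, as in RAID 5
        for p, c in enumerate(row):
            stores[p].append(c)
            manifest[p].append(hashlib.sha256(c).hexdigest())
    return stores, manifest, len(data)

def recover(stores, manifest, length: int) -> bytes:
    """Read the object back, rebuilding one lost or corrupted chunk per stripe."""
    providers, out = len(stores), bytearray()
    for s in range(len(manifest[0])):
        row = []
        for p in range(providers):
            c = stores[p][s] if stores[p] is not None else None
            good = c is not None and hashlib.sha256(c).hexdigest() == manifest[p][s]
            row.append(c if good else None)
        bad = [p for p, c in enumerate(row) if c is None]
        if len(bad) > 1:
            raise ValueError(f"stripe {s}: {len(bad)} chunks unusable, parity covers only one")
        if bad:                                        # XOR of the survivors is the missing chunk
            row[bad[0]] = reduce(xor, (c for c in row if c is not None))
        del row[s % providers]                         # drop parity, keep data chunks in order
        out += b"".join(row)
    return bytes(out[:length])

if __name__ == "__main__":
    data = b"multicloud object, constructed sample"   # constructed sample input
    stores, manifest, length = stripe(data)
    stores[0][2] = b"XXXX"                             # provider 0 corrupts a chunk in stripe 2
    stores[1][0] = b"????"                             # provider 1 corrupts a chunk in stripe 0
    print(recover(stores, manifest, length))
```

Single parity tolerates one bad chunk per stripe, so two providers failing on the same stripe raises an error instead of returning wrong data.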
Similarly, there is emerging interest in the concept of distributed trust -- or sharing key security elements, such as identity, across multiple cloud providers rather than duplicating trust separately with each provider. Distributing things like identity and authentication will boost multicloud security and help prevent attacks.