Security in the Multi Cloud Era | Key Management and Payments Security Blog - Thales e-Security

Security in the Multi Cloud Era

By C.J. Radford

As organizations are deciding where best to run their applications and store their data, many are debating whether to work with a single cloud service provider (CSP), or to work with two or more. According to IDC’s Worldwide Cloud 2017 Predictions, by the end of 2018, over half of enterprise-class businesses will subscribe to more than five different public cloud services. ESG research also shows that 75% of current public cloud infrastructure customers use multiple CSPs. Let me be the first to officially welcome you to the multi-cloud era!

Getting Trapped in the Ecosystem

It comes as no surprise that CSPs want customers to use their services exclusively. To achieve this, CSPs offer a broader set of services to become the de facto cloud provider to organizations. The idea is to offer many services and fulfill many use cases for the organization. The more services the organization relies upon the cloud provider for, the harder it is to move to a different provider.

Trapping the organization is great from the CSP perspective, as it collects maximum spend from the organization. If the provider has a rich ecosystem of solutions that are specific to that provider only, this also traps organizations. The CSP wants the organization to not only consume native services but also solutions that are purpose-built for that specific cloud provider, again making it harder to leave.

There are also sales and economics tactics that make it difficult for organizations to leave service providers. For example, the price is usually lower for data transfers coming into a CSP than for moving data out of the provider. Another example is that some cloud providers like to lock organizations into multi-year commitments of minimum use, with forced increases in usage in the outer years of the agreement.

However, CSPs are beginning to learn that many enterprise organizations want to adopt a multi-cloud strategy, and some CSPs are embracing this trend. At the recent Google Cloud Next conference in San Francisco, Google shared details about how the enterprise appetite for multi-cloud deployments is working in its favor. For the full scoop, check out ComputerWeekly’s coverage of the conference.

Single-Cloud + Security

If a business chooses a single cloud provider for its applications and data, it could be a good thing for the business, mainly if they don’t have security knowledge. A large cloud provider typically has a much larger and deeper pool of IT security talent than all but the largest enterprises can field to protect their organizations. Inherently, all CSPs have some security included in their service offerings, and some security is better than no security.

In fact, we found that concerns about using cloud environments are still quite high, but have dropped somewhat from a year ago – typically in the range of 8-12% from last year. That’s according to the 2017 Thales Data Threat Report – Advanced Technology Edition. Perhaps this is because most reported problems for cloud environments have stemmed from a compromised credential or account at the enterprise level, not the cloud provider.

For those companies who have significant security knowledge and follow security best practices (mainly Fortune 1000 businesses and governments), a single-cloud approach could have adverse effects on security. These companies need to use the “best-of-breed” security solutions on their data that is stored in the cloud, versus native solutions that are not considered “best of breed.”

Avoiding the Trap with a Multi-Cloud Approach

As part of the strategy towards using cloud, enterprises need to factor in a multi-cloud requirement from the get-go. Enterprises should consider at least two cloud providers to keep pricing in check, but also to take advantage of the innovation each service provider has to offer to advance the business of the enterprise. This essentially forces the enterprise from day 1 not to place all its eggs in one basket, which is too risky a strategy. Recent cloud outages have proven that redundancy of mission-critical applications is essential.

Additionally, enterprises should look at best-of-breed independent software vendor solutions that are portable from cloud provider to cloud provider to ease any transitions needed in the future – and to fight vendor lock-in. These solutions should span security, data management, identity and access management, applications, databases, developer tools and analytics.

Thales Enables Multi-Cloud

Whether your organization opts for a single-cloud or multi-cloud strategy, the security of any cloud service depends on the level of protection given to the cryptographic keys used to protect sensitive data. These keys are the root of trust in an enterprise’s entire system – if they are lost, so is the data. If they are stolen, secrets might not stay secret for long.

Thales partners with the leading CSPs – Amazon Web Services (AWS), Google, Microsoft and Salesforce – to ensure enterprises can control their cryptographic keys. This enables enterprises to trust that service with their most valuable assets, giving them the confidence to accelerate their cloud deployments.

As organizations transition to digital business models, security is one of the biggest inhibitors to their digital transformation. By collaborating with the world’s leading cloud service providers, Thales is making it easier to implement security in both traditional data center and cloud deployments.

Is your organization making the move to multi-cloud? Have questions? Leave a comment below, or feel free to tweet me @CJRad.
