More companies are taking a multicloud approach as part of their digital transformation efforts to support distributed teams working in hybrid and remote models. And just as hybrid work environments are here to stay, the multicloud approach has taken hold. Gartner predicts that global cloud revenue will reach $474 billion by 2022, with 90% of enterprises already working towards a multicloud strategy.
When properly leveraged, a multicloud strategy can make many processes more efficient. It also provides greater resilience to disruptions and more vendor flexibility than a single-cloud strategy. Additional benefits include:
- Avoiding vendor lock-in with a single cloud provider. An organization with a global footprint and specialized data can choose the data center location with the least impact on its business. For example, Microsoft Azure is currently the leader in the Middle East from a data center location perspective.
- The ability to take advantage of the different features offered by each cloud provider, such as unique database solutions in Google Cloud or the ability to manage your local and cloud resources much more seamlessly in Microsoft Azure.
- Lower costs and greater business resilience: some services are cheaper from one particular provider, and spreading workloads across providers offers protection against service disruptions. Both require designing your services to take advantage of these benefits, but once established, your organization can recoup its investment over two to three years, resulting in long-term cost savings.
However, these benefits come at a cost. Ensuring that data and cloud infrastructure are secure and aligned with your commitments and controls can be challenging when different environments are hosted through multiple providers. Telling a unified story around data, configuration and security in these environments can be nearly impossible.
CISOs embracing a multicloud data approach must focus on two main security concerns: managing risks from vendors and their different cloud operating models, and demonstrating the value of their security controls and strategies in the face of increased costs of operating in a multicloud world.
Managing risks across clouds
The impact and frequency of cyber attacks have grown in parallel with the escalating focus on multicloud strategies. Ransomware attacks, data breaches and major IT outages topped the Allianz Risk Barometer this year for only the second time in the survey’s history, with executives ranking them as more worrying than supply chain disruptions, natural disasters and the pandemic. Businesses are right to be concerned: Organizations worldwide experienced 50% more weekly cyber attacks in 2021 compared to 2020.
Business leaders are waking up to the seriousness of cyber attacks, but most are underinformed about the risks posed by their supplier partners. In PwC’s “2022 Global Digital Trust Insights Survey,” 57% of business leaders said they expect a jump in attacks on cloud services, but only 37% said they understand cloud risks. Security approaches and operating models vary among cloud providers, and protecting against risk is a shared responsibility that only becomes more complex as you add mainstream cloud services that each provider implements differently, such as identity and access management (IAM) or virtualized servers.
For example, different cloud vendors have their own approach to role-based access. Amazon Web Services handles identity by attaching IAM policies directly to a virtual server, allowing the server to take actions. Google Cloud’s offering, on the other hand, focuses on creating service accounts (users) and then attaching those accounts to the server so that it can interact with another resource. These small differences add up at enterprise scale, making it harder to enforce least privilege and other security requirements consistently across both clouds.
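As an added illustration (not from the original article), the following Python sketch normalises grants from the two access models just described into one finding list of the kind a central monitoring tool would need. The policy documents, principal names and role sets are constructed samples, and the broad-grant rules are a simplified assumption, not any provider's own checker.

```python
# Constructed sample: an AWS IAM policy document attached to the role an
# EC2 instance runs under (assumption: the second statement is too broad).
AWS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# Constructed sample: a Google Cloud project IAM policy whose bindings
# include the service account attached to a VM.
GCP_SA = "serviceAccount:app-vm@example-project.iam.gserviceaccount.com"
GCP_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": [GCP_SA]},
        {"role": "roles/owner", "members": [GCP_SA]},
    ]
}
GCP_BASIC_ROLES = {"roles/owner", "roles/editor"}  # coarse legacy roles

def _as_list(value):
    # IAM JSON allows either a string or a list in Action/Resource fields.
    return value if isinstance(value, list) else [value]

def aws_findings(policy, principal):
    """Flag Allow statements that use a wildcard action or resource."""
    out = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        grant = ",".join(actions)
        if any(a.endswith("*") for a in actions):
            out.append(("aws", principal, grant, "wildcard action"))
        if "*" in _as_list(st.get("Resource", [])):
            out.append(("aws", principal, grant, "wildcard resource"))
    return out

def gcp_findings(policy):
    """Flag bindings that grant a basic role; the principal is the member."""
    return [("gcp", m, b["role"], "basic role")
            for b in policy["bindings"] if b["role"] in GCP_BASIC_ROLES
            for m in b["members"]]

def broad_grants(aws_policy, aws_principal, gcp_policy):
    """Findings in one shape for both clouds: (cloud, principal, grant, reason)."""
    return aws_findings(aws_policy, aws_principal) + gcp_findings(gcp_policy)
```

The common tuple shape is the point: once both clouds report in the same form, a SIEM rule for "over-broad grant to a compute identity" can be written once instead of per provider.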
Because cloud services are not designed to integrate with their competitors, learning how to use security tools for each cloud provider is only the beginning. IT teams will need to centralize their security monitoring with a security information and event management (SIEM) tool along with other third-party tools to increase the interoperability of cloud services. These added systems require additional training and resources, and perhaps even additional IT staffing, to ensure expertise in each cloud platform and in how these platforms work together.
In addition to these built-in differences between their services, most cloud vendors prioritize their own specifically tailored security offerings. This brings a host of complications that plague cloud security. For example, a cloud web application firewall (WAF) can be used to protect your network, but it only works with a specific cloud service provider and cannot be extended across multiple cloud offerings. Duplicating these functionalities for different providers requires either duplicating teams to support and manage these important security tools, or purchasing a cloud-agnostic service—which adds another vendor to the mix.
This additional risk and cost, typically not discovered until late in the implementation of a multicloud model, can push out timelines, increase costs and trigger audit findings. Failure to plan and mitigate these risks can leave a company susceptible to financial losses, regulatory actions, lawsuits and reputational damage.
Communicating value with risk quantification
Gartner estimates that by 2023, 30% of CISOs’ effectiveness will depend on their ability to demonstrate value. As multicloud data strategies become the norm and the cost of security controls within that strategy increases, risk quantification can help managers communicate their value consistently by expressing the multicloud risk position in clear monetary terms.
According to PwC, organizations that reported the greatest improvement in data confidence scores had two things in common: They predicted an increase in their cybersecurity spending, and they incorporated business intelligence and data analytics into their operational models, including risk quantification.
To assess the financial risks of a multicloud strategy, CISOs must consider the costs of each platform weighed against their perceived risks. These considerations should include the data governance and cybersecurity practices of all the cloud providers you are considering, along with any cloud-agnostic tools and platforms you will use for joint monitoring.
With so many factors at play, you can’t afford to rely on imprecise, gut-feeling scales like “low, medium, high” and “red, yellow, green.” Expressing risk data in financial terms is a powerful tool because it offers a common language to communicate changing risk priorities, improve alignment between CISOs and the board, and facilitate better informed risk management decisions.
Here’s an example: A CISO looks at the financial value associated with the various risks of multicloud architecture. Comparing tactics for mitigating a cybersecurity incident, they find that better control over administrative privileges reduces the financial cost of the event far more than implementing a cybersecurity training program. While the CISO understands the technical details of cyber risk within multicloud architecture, the rest of the C-suite will benefit from the clarity of monetary values associated with each risk and mitigation tactic. By empowering CISOs to make their case to their peers and the board, risk quantification brings more transparency to the many moving parts of a multicloud strategy.
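To make the comparison concrete, here is an added Python example (not from the original article) that expresses each mitigation in monetary terms with a frequency-times-magnitude simulation of annual loss. The incident rate, loss distribution, control effects and costs are constructed assumptions, not figures from the article or any cited survey.

```python
"""Compare two mitigations in monetary terms: expected annual loss and tail loss."""
import math
import random

# Constructed baseline for one multicloud incident scenario (assumptions):
# incidents per year and a lognormal loss-per-incident distribution.
BASELINE = {"rate": 0.4, "median_loss": 2_000_000, "sigma": 0.8}

# Constructed controls: each scales frequency and/or severity and has a yearly cost.
CONTROLS = {
    "privileged access control": {"rate_x": 0.4, "loss_x": 0.7, "cost": 400_000},
    "security awareness training": {"rate_x": 0.75, "loss_x": 1.0, "cost": 100_000},
}

def _poisson(lam, rng):
    """Knuth's method: number of incidents in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(rate, median_loss, sigma, years=20_000, seed=7):
    """Return (mean annual loss, 95th-percentile annual loss) over many years."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    losses = []
    for _ in range(years):
        n = _poisson(rate, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    losses.sort()
    return sum(losses) / years, losses[int(0.95 * years)]

def compare(baseline, controls):
    """Net annual benefit of each control: reduction in expected loss minus cost."""
    base_mean, base_p95 = simulate(**baseline)
    report = {}
    for name, c in controls.items():
        mean, p95 = simulate(baseline["rate"] * c["rate_x"],
                             baseline["median_loss"] * c["loss_x"],
                             baseline["sigma"])
        report[name] = {"ale": mean, "p95": p95,
                        "net_benefit": base_mean - mean - c["cost"]}
    return base_mean, base_p95, report
```

The report gives the board two numbers per control, expected loss and a 95th-percentile bad year, in the same currency as the control's cost, which is the common language the paragraph above argues for.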
According to Gartner, more than 85% of organizations will operate as cloud-first by 2025, and they will not be able to fully realize their digital strategies without using cloud-native technologies. A Gartner executive put it this way: “There is no business strategy without a cloud strategy.”
It is imperative that business leaders pursue strategies to protect their data and communicate their multicloud priorities to align across the organization with a common language of values.