Can you keep a single security strategy in a multi-cloud environment?

A guest blog post by James Tucker, Director of System Engineering at Baffin Bay Networks

Did you know that about 96% of all enterprises are using the cloud in some way?

It seems shocking until you start thinking about how many cloud services you use in the course of a day. The average office worker might start thinking about Gmail or Office365 for mail, file sharing on Dropbox, tracking customers in Salesforce, and so on. Meanwhile the IT staff is thinking of all the infrastructure they have moved to the cloud, and perhaps thinking about what to do with all the extra rack space in the server room in the basement. Regardless of your perspective, it’s clear that the cloud is here to stay. But it gets even more complex.

As cloud computing becomes more of a commodity, it makes sense to shop around and put your assets into the cloud that provides the best cost-to-benefit ratio for that particular asset or application. You may have an infrastructure project with high bandwidth usage, so it would make sense to find the most cost-efficient solution for that project. On the other hand, the marketing department may be running their own sites, and would prefer something that is as easy as possible to use.

With all the options out there, it’s no surprise that 81% of businesses have a multi-cloud strategy, according to this report from RightScale. There are benefits to a single cloud strategy: it makes it easier for IT staff to know where an asset might be, and it simplifies compliance and IT Governance. That being said, the advantages of multiple cloud providers often quickly outweigh the drawbacks, particularly if the organization can ensure a few key processes are in place.

First, there needs to be a process to track and inventory all assets across your environment. This includes the servers in your datacenters, cloud assets, as well as ‘sites around town’. Sites around town are those one-time-use sites, say ELASTX has a Movember campaign and creates This might be created by non-technical staff or a third-party agency, and put in a web host outside the typical business processes. In a year, this site will be forgotten, unmaintained and a potential security risk. In a perfect world, these sites are shut down soon after the event, but in practice they are often forgotten.

To put it bluntly, you can’t protect what you don’t know about. While the legal responsibility for a breach might not be yours, there is a potential for data leakage and loss of reputation due to forgotten assets.

Second, the wider your assets are spread, the harder security becomes. Many IaaS vendors provide very basic security services for assets you have with them. If you are running two or more cloud vendors, it becomes a challenge to know what level of security each provides. What happens far too often is that you end up with a mix of different security levels and disjointed information, and are left confused during an incident. At Baffin Bay Networks, we advise our customers to avoid having multiple different security regimes for assets in the cloud. Instead, you should establish a high baseline for the minimum security requirement and add additional protections where needed. Ideally, all assets, regardless of where they are deployed, should share the same security.

Finally, remember that proper security is based on policies and procedures. Having a coherent security policy and detailed plans on how to implement it is the single best way you can spend your security budget. Not only will this reduce the overall number of security incidents you see in a year, it will reduce the time to resolution across the board. Following on that, these policies should be communicated via a strong IT Governance organization to ensure that your cloud strategy and security strategy are aligned with the goals of the business at large. After all, the whole purpose of a cloud strategy is to enable the business to do more, faster. Just make sure you do it securely!

//James Tucker, Director of System Engineering at Baffin Bay Networks

Baffin Bay Networks is a Swedish tech startup based in Stockholm, founded in 2016, poised to disrupt the cloud-based cyber security market. Their team consists of gifted cyber security experts, passionate about building a world-class Threat Protection Platform that helps their customers to mitigate both network-based and application-level cyber threats.
