Multi-cloud security

What is multi-cloud security?

Multi-cloud security is a cloud security solution that allows comprehensive data protection across multiple cloud platforms, including both private clouds and public clouds like AWS, Azure, Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI). Organisations can use multi-cloud security to protect all cloud platforms and their varying functions.

Why is multi-cloud security important? 

Multi-cloud adoption is no longer a choice – it's an essential element in the fast-paced, modern organisation where agility and flexibility impact business success. While multi-cloud environments offer tremendous benefits to organisations, they also create greater complexity that can lead to security gaps and inefficiencies, making it difficult for organisations to achieve the full benefit of cloud economics.

To harness the full benefit of cloud economics, organisations need a strategy for multi-cloud security. This article reviews multi-cloud security architecture, requirements, challenges and best practices to help organisations optimise their multi-cloud strategy regardless of where they are in their journey.

Multi-cloud is ubiquitous, security is not

Multi-cloud adoption has accelerated in recent years. In the 2022 Hybrid Cloud Trends report commissioned by Cisco, 82% of IT leaders reported they have adopted hybrid cloud and 58% of organisations use between two and three infrastructure-as-a-service (IaaS) clouds¹. Gartner reported that, by 2023, 40% of all enterprise workloads would be deployed in cloud infrastructure and platform services, up from 20% in 2020². Undoubtedly, organisations have embraced all the benefits multi-cloud environments have to offer. While the majority have already invested significantly into more than one cloud to support digital transformation and other initiatives, many plan additional investments to further enable their digital business. 

Multi-cloud success, however, remains elusive for many organisations. Among medium-sized organisations, for example, only 50% report that multi-cloud has helped achieve business goals, according to a 2021 survey by HashiCorp³. 

In conversations with customers, many have called out cost management, governance and visibility as common barriers to adoption and deployment of multi-cloud environments, but one factor that consistently lingers at the top is security. In a 2023 Valtix survey, 51% of IT leaders agreed or strongly agreed that their company doesn't want to expand to additional clouds because of the security complexities. 

One driver behind the challenges is the expectation that you can simply extend your data centre or on-premise-security framework into the cloud. However, to solve the security complexities associated with multi-cloud environments, your strategy needs to adapt to the dynamic environment with a cloud-first approach. 

This article recommends a security model that can help you advance on your multi-cloud journey at the speed of the cloud, and your business.

Figure 1. Tools used for achieving security requirements across cloud service providers

Challenges of multi-cloud security

Multi-cloud environments add additional layers of risk to organisations. Risk can stem from a multitude of challenges, including:

Cloud threats

Just as there are threats to on-premises environments, there are threats that affect multi-cloud environments too. Considering the diversity of threats that can affect an organisation's cloud environment, it's no surprise that 73% of organisations are very or extremely concerned about cloud security. Some of these threats include:

• Botnets
• Zero-day exploits
• Cryptomining
• Malware
• Malicious insiders
• Ransomware and lateral movement of threats

Data loss and breaches

The risk of breaches and data loss command the most attention. In the 2023 IBM Cost of a Data Breach Report⁴, the average cost for a data breach across the boards was USD 4.45 million. Additional datapoints included cloud environments, noting 82% of breaches involved data stored in the cloud and 39% of breaches spanned across multiple environments. Breaches spanning across multiple environments also incurred a higher-than-average cost of USD 4.75 million, making data loss prevention and protection against lateral movement a necessary focal point in any multi-cloud strategy.

Complexity

While navigating the cloud threat landscape, organisations must grapple with numerous multi-cloud security challenges, including: 

• The complexities – and the grey areas and vagaries – of the shared responsibility model 
• Risks that are unique to the cloud, such as reduced visibility and control 
• The inherent open model of the cloud, which requires additional considerations 
• The inconsistent architecture and infrastructure of the various cloud environments 
• Additional issues such as talent shortage and compliance 

Many of these aspects require granular expertise – not only in cloud networking and security but also in each cloud provider's product offerings and services, architecture, automation and security tools – compounding the challenges. 

The shared responsibility model: Complex, vague and rigid 

The shared security responsibility model of the public cloud keeps security teams on their toes. Providers typically offer guidelines, but in practice, you can't rely on them completely – and the lines sometimes appear fuzzy. This became especially evident considering recent exploits we've seen within cloud-provider services, which required the end users to mitigate while waiting for a fix. 

In a traditional service outsourcing model, your provider would work with your team to clearly define the boundaries. That's not the case in the cloud. 

Things get even more challenging in the constant parade of updates and new services from providers. They introduce dozens of services, hundreds of new features every year and numerous updates. Developers eagerly consume the services because they solve specific problems or add new capabilities. The rapid pace of change makes their job easier, and the security team's job harder.

This throws security teams into a perpetual cycle of catch-up, trying to figure out the implications of each change. Multiply this challenge by the number of clouds you've deployed, and the problem is quickly exacerbated. 

Figure 2. Shared responsibility model

Other challenges 

Unique cloud security risks 

Reduced visibility and control are common problems, with 53% of surveyed cybersecurity professionals identifying a lack of visibility and 46% calling out inadequate control as their top barrier to adoption3. Other risks include insecure APIs and lack of a centralised view across multi-cloud. 

The talent gap

The cybersecurity industry has grappled with a talent shortage for years, with the latest data showing a gap of 3.1 million security workers globally in 2025. Provider-specific security requires deep expertise with each cloud's configurations, intensifying the talent issue.

Policy enforcement 

The variations in controls in individual clouds and app architectures result in inconsistent policy enforcement across your environment, leading to gaps in protection and reduced security posture.

Building layered defences in the cloud 

Although your cloud architecture and security approach are different from on-premises, the tenet of multi-layered security still applies. There's no one-size-fits-all solution that covers all the threat vectors and types of attacks. When building out your security layers, consider capabilities such as: 

• Visibility into all your assets (apps, APIs, workloads, etc.) across all your clouds, as well as into your security monitoring and whether it's working as expected 
• Cloud network security, such as firewall, data loss protection (DLP), segmentation and intrusion detection/intrusion prevention systems (cloud IDS/IPS) 
• Protection against web threats through web application firewall (cloud WAF) and malicious IP blocking  
• Context-aware security across app lifecycle (dev, test, prod) and type of apps (general, sensitive, compliance) 
• Extending these security layers from the data centre or bolting them on top of your architecture is ineffective and introduces new problems, such as orchestrating and automating the tools across multi-cloud. 

In contrast, a solution that delivers both networking and security in a cloud-native way has many benefits, it: 

• Offers advantages such as agility, scalability and elasticity 
• Works seamlessly with your cloud apps 
• Enables continuous discovery of new apps and infrastructure and automatic policy based on app context

Implement active defence 

Cloud vulnerabilities are one of the biggest challenges for security teams. Consequently, these teams devote much of their time to patching. But managing vulnerabilities alone will not protect you against zero-day threats. By the time a vendor knows about a new threat and creates a patch, it may be too late. 

Just like on-premises, the multi-cloud needs both proactive and reactive defences. Active defence enables you to block attacks, restrict unauthorised access to assets and defend against new and emerging threats. The goal should be to break the attack kill chain in multiple places and not rely on a single point of failure in your defences. For example, to stop an attacker on a breached server, a malicious insider or a ransomware attack, an effective last stop is to restrict all outbound traffic to known categories of sites, domains and URLs. 

Requirements for a multi-cloud security solution 

Although multi-cloud security solutions have different functionalities based on their category, they share a set of common criteria, such as simplicity of deployment and management. When evaluating a vendor's multi-cloud security solution, consider the following aspects: 

Continuous visibility 

To detect malicious activities such as data exfiltration, you need to combine your cloud asset information and threat intelligence with complete visibility into all traffic flows, including inbound from and outbound to the internet, east-west and to platform-as-a-service (PaaS) services. 

Comprehensiveness 

A solution with a thorough and robust feature set will reduce or eliminate the need for multiple point products and enable you to consolidate your cloud security. Look for critical capabilities such as dynamic policy enforcement, segmentation, network protection (cloud firewall) and web protection. 

Active defence capabilities 

If your security only allows you to react to threats rather than proactively stop them, your team will always remain at least one step behind the adversary. In the past, active defence required an agent-based solution. Now, organisations can achieve active defence with an agentless approach, reducing deployment and maintenance challenges. 

Cloud scalability 

Business requirements and environments continuously change, and security needs to be able to quickly scale in and out to adapt to those changes. The multi-cloud security solution should automatically scale security to meet demand, discover new assets as they are implemented in the production environment, and apply context-based policy – so your team doesn't have to constantly worry about operating the tool across multiple clouds, regions and accounts. The multi-cloud security solution should automatically scale security to meet demand, discover new assets as they are implemented in the production environment, and apply context-based policy – all without manual intervention, so your team doesn't have to constantly worry about operating the tool across multiple clouds, regions and accounts. 

Ease and speed of deployment

Your cloud security solution shouldn't amplify the complexities of an already complex multi-cloud environment, yet many vendors' products are difficult and time-consuming to deploy across public cloud infrastructure. Look for a turnkey solution that simply achieves outcomes, is fast to implement and works natively in your environment. This will eliminate the need for admins to manually adapt the environment – instead, the solution ‘learns’ the environment through the APIs in that cloud. 

Single policy framework 

A centralised control plane across disparate clouds enables you to enforce security policies consistently from one controller, simplifying multi-cloud management and alleviating complexity. To achieve this, the security solution should provide an abstraction layer that decouples the control plane and data plane. 

Figure 3. Cisco Multicloud Defense's comprehensive approach to multi-cloud network security

Adopt unified, simplified, multi-cloud network security with Cisco Multicloud Defense 

Cisco Multicloud Defense solves the complexities of deploying and managing security in multi-cloud environments. Delivered as a service, it unifies security controls across AWS, Azure, GCP and OCI through a single control plane, bringing simplicity to complex multi-cloud environments. 

Cisco Multicloud Defense delivers: 

• Layered, proactive defence through advanced security controls (including firewall, WAF, DLP and IDS/IPS) 
• Deployments in as little as five minutes without additional infrastructure 
• Continuous, dynamic, real-time visibility into all your cloud apps and infrastructure 
• A single, dynamic policy framework for consistent, automatic policy enforcement across the multi-cloud 
• A flexible, open platform that integrates threat intelligence feeds and third-party solutions such as security information and event management (SIEM) and security orchestration and automation response (SOAR) 

Today's IT and DevOps teams move fast to support digital transformations and other initiatives that keep your business competitive. Cisco Multicloud Defense helps your teams to achieve the full benefit of cloud economics with the skilled resources you already have and without compromising on security. 

Figure 3. Cisco Multicloud Defense's comprehensive approach to multi-cloud network security

Embrace the multi-cloud world with the control you need 

Multi-cloud adoption is no longer a choice – it's an essential element in the fast-paced, modern business environment where agility impacts the success of your business. Without understanding the full spectrum of challenges and requirements of the multi-cloud, it would be difficult to account for the obstacles and risk you may face on your cloud journey. You can overcome the hurdles by shifting to a cloud-first mentality – implementing security solutions that minimise complexity and risk by design, helping your organisation securely stay in control in an ever-changing multi-cloud world. 

Do you have questions? Do you want to see Cisco Multicloud Defense in action? Take our product tour, request a demo or try it for yourself with our free trial. 

References 

1. 2022 Global Hybrid Cloud Trends Report. 451 Research and Cisco Systems, 2022
2. Gartner Hype Cycle™ for Workload and Network Security, 2022
3. HashiCorp State of Cloud Strategy Survey, 2021 
4. IBM Cost of a Data Breach Report, 2023 
5. ISC2 Cybersecurity Workforce Study, 2020