To Get the Most from Your Multicloud Environment, Know Thyself

With the Right Team Working Together You Can Address the Security, Privacy, and Compliance Challenges of Multicloud 

We can all remember a time, not that long ago, when the cloud was a new frontier for many organizations. Now, the RightScale 2017 State of the Cloud Report finds that 85% of companies are using multiple clouds to address their business needs. On average, they are using four clouds and experimenting with four more, adopting more public cloud services as private cloud adoption falls. This isn’t surprising considering the range of cloud vendors and the number and types of services available – from the internet to Office 365, SaaS applications, and public cloud infrastructure.  

In this multicloud world, we are better able to respond to business opportunities and challenges with agility – adding new services as we need and rapidly expanding capacity during periods of peak demand. But are we leveraging the best these environments have to offer to innovate, reduce cost, improve efficiency, and move faster, while maintaining our ability to address privacy, security, and compliance requirements? 

Of the 85% of enterprises using multiple clouds, less than a third have a mature cloud strategy. So, while it’s easy to deploy new IT services, many of the security tools and processes that we’ve used in our networks and data centers will not work in public clouds. In a multicloud world, everything changes; the guiding principles for gaining visibility and control require different strategies. 

Organizations that don’t adjust how they address security and compliance are missing out. These differences provide us with an opportunity to reimagine and redefine how we operate as we move to a powerful, multicloud environment. As we do, we can shed the “security debt” we’ve accrued over the years. By security debt I’m referring to all the things you wanted to do to strengthen defenses but didn’t due to resource constraints, shifting priorities, and/or perceived risks. With a well-defined multicloud strategy for your organization, you can take full advantage of the capabilities different cloud service providers offer and leave your existing security debt behind.

One aspect to developing a comprehensive, multicloud strategy is to “know thyself.” This adage, espoused by the ancient Greek philosophers, holds the key to understanding some of the changes you must make to manage security and compliance before you adopt multiple clouds. This involves asking yourself the following questions, to devise an effective action plan:

1. What cloud services are being used across our organization and how are they being used? Cataloging all the services including application, vendor information and usage data, as well as identifying risky or malicious behavior will create a baseline for improvement. From there you can identify ways to enhance your own processes and controls, and understand how the controls offered by each cloud service provider can help you. Create a dynamic services catalog that includes the security profile of the approved services currently in use and defines the security criteria for adding new ones. This may be a lengthy exercise, but is foundational to your strategy.

2. Are we confident that we are meeting our data protection and privacy compliance requirements? Examine where financial, personally identifiable information (PII), and other sensitive data is stored and whether adequate controls are in place. There are two factors to consider – data location and data protection. In some instances, the limits on data location due to country, regional or industry privacy requirements may dictate how and where services are deployed and used. It’s also important to know that security solutions that were expensive and complex in the private cloud or on-premise can be more viable in a public cloud. For example, mechanisms for data encryption at rest are widely available in public clouds. Likewise, you may have easier access to tools that enable continuous verification and alerting so that you can know, for instance, when a deviation from accepted configuration occurs and can act. In addition, the high degree of telemetry available through cloud service providers improves visibility, allowing you to incorporate additional valuable data into detection and response tools. 

3. Do we have trained personnel in place to define and implement our cloud security strategy? As an example, your full-time Exchange administrator is likely to be freed up if you move email services to Office 365. You want to keep the technical and institutional knowledge they’ve gained over time; offer them training on new tools, policies, and procedures so that they can operate successfully in this new environment and continue to support the business. In the meantime, look for additional bench strength in the form of outsourced talent that can fill the skills gap and provide multicloud advisory and implementation services. They can help ensure changes to your environment are driven by a strategy that meets your specific business goals and maximizes value, securely.

With answers to these questions you can begin to develop a comprehensive strategy for long-term success. With the right multicloud strategy in place, you have an opportunity to reinvent the DNA of your company. You’re not just moving the IT back office, you’re forming partnerships with cloud service providers that can offer capabilities you’ve never had before. With the right team working together you can address security, privacy, and compliance challenges, and free your organization to become more agile and innovative. 

view counter

Ashley Arbuckle, Cisco’s VP of Security Services, is responsible for the oversight and global delivery of the Cisco portfolio of Advisory, Implementation, and Managed Services, bringing a pragmatic approach to helping Cisco’s clients solve their most complex security challenges. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.

Previous Columns by Ashley Arbuckle:

Tags: