With multicloud, beware the misconfiguration gap

Lionel Dartnall, Check Point

---

Organisations are constantly adopting new tools and technologies, including multiple cloud platforms, to stay competitive, agile and secure. But according to Strata’s ‘State of Multicloud Identity Report’, over 75% of enterprises do not know where applications are deployed and who has access. This is a problem when you consider that cloud security breaches have surpassed on-premises breaches (as per the ‘Verizon Data Breach Investigations Report’) in 2023.

While the ability to dilute cybersecurity risks across multiple platforms sounds great, with the adoption of multicloud comes greater complexity in monitoring and managing infrastructure. The more clouds, the bigger the attack surface, and with multicloud, there’s always going to be a problem of multiples – multi-identity, multi-geography and the resulting fragmentation that is often the root cause of security risks. “If you have to ask why the cloud is so prone to breaches, the number one thing we’re seeing is misconfigurations,” says Lionel Dartnall, a security engineering manager at Check Point. “Because of the nature of the cloud, you can spin up workloads easily, and security is often an afterthought.”

Ensuring security within multicloud environments is more complex than simply adopting more security tools. From assets that are overexposed on the network because of unpatched critical vulnerabilities, to overprivileged identities where people can access elements they’re not supposed to (like encrypted data), maintaining multiple clouds is complicated. According to Gartner’s research, 99% of cloud security failures will be the customer’s fault – human error. This means most security incidents in Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) deployments occur due to lack of knowledge on the part of the cloud consumer. Add this to the fact that there is already a global shortage of security professionals, with the global deficit running into the millions. Finding a highly skilled expert in one cloud infrastructure environment is a challenge; multicloud makes it even more difficult to find developers, security analysts and engineers with the right skill set to manage – and secure – the different platforms. A report from Pluralsight found that only 9% of technologists have extensive experience with more than one cloud provider.

“If you had to spin up an environment in Google Cloud and you have another environment in AWS or Azure, you would have to skill up individuals across these three environments because they are not the same,” says Dartnall, adding that while a business may begin their cloud journey by choosing one public cloud, it never stays that way for long. “They start by simply moving some workloads into Azure and then realise that there’s something happening on AWS that they actually need or that there’s a good pricing model for Kubernetes and very soon, you end up with multicloud,” he says.

The biggest problem with securing a multicloud architecture is visibility. Things can get complicated quickly when IT teams are left to handle security and compliance challenges and they tend to miss risks (such as overall exposure to risk and access leaks) if there is no centralised view of cloud access and activity across each cloud environment. “How do you see your cloud assets across the entire estate?” asks Dartnall. “Customers need to have one single pane of glass to see the security posture of the organisation and all of the assets. Next, depending on the business case or specific customer, a good entry point is deciding on a framework or a benchmark that fits the environment.”

While a good security framework can protect your business, Dartnall says that there isn’t a one-size-fits-all approach. Check Point Software, for example, has compliance engines that can compare a specific framework or benchmark to a customer’s environment in the cloud, reporting on any mismatches and the steps that need to be taken to get closer to full compliance. Dartnall also recommends choosing a framework based on the industry you’re in as a baseline as different sectors (such as healthcare or finance) have specific benchmarks to work towards.

Cloud security is a team sport, also known as the shared responsibility model. And the model you’re using – IaaS, PaaS or Software-as-a-Service (SaaS) – will dictate who’s responsible for specific security tasks. Usually, greater responsibility is placed on the customer as they move from SaaS to IaaS. “Depending on the cloud service model, the responsibility for various security aspects is distributed differently between the provider and the client,” says Amritesh Anand, vice president and MD, Technology Services Group at In2IT Technologies.

• In IaaS, the cloud provider supplies the fundamental infrastructure (servers, network, storage), while the client is responsible for the security of operating systems, applications, and data they deploy in the cloud.
• In PaaS, the provider offers not only the infrastructure but also a development platform, including operating systems and development tools. The client is responsible for the security of the applications they develop and the data these applications process.
• In SaaS, the provider delivers ready-to-use applications and is responsible for their security. However, the client is responsible for their configuration and the security of the data they store and process in these applications and for managing access to this data.

As cybersecurity threats grow more sophisticated and the use of multicloud continues to rise, it’s never been more important to safeguard the data and mission-critical applications deployed within multicloud environments. A single pane of glass to gain visibility into assets, configurations and vulnerabilities across multiple cloud environments is critical for managing security. Without this comprehensive view, organisations will lose visibility into their overall infrastructure, making it more difficult to meet compliance mandates. A lack of visibility across cloud workloads and services also makes it easier for hackers to find exploitable vulnerabilities.

Posture management tools are important to simplify assessments and identify security gaps spanning an organisation’s entire multicloud footprint. Managing individual clouds separately, without this unified view, increases security risks and the potential for breaches or attacks as vulnerabilities may fall through the cracks. “It all comes down to posture management – that’s what gives you the overview,” says Dartnall. “After deciding on a framework, you need to do a full posture check against what is happening in that cloud environment to secure it in the best way possible…and, of course, best practice would be to have a tool that does all of that for you.” There are a number of frameworks to consult, such NIST, COBIT or ISO 27001.