Multi-Cloud Environments: How Secure Are They?

Avi Shua is the Chief Innovation Officer at Orca Security.

We live in a multi-cloud world, and there’s no going back.

As organizations continue to prioritize flexibility amid rapid growth, the adoption of multi-cloud environments has become commonplace. A recent study from Orca Security, in partnership with Gatepoint Research, found that 53% of organizations are already using a hybrid cloud approach, while 64% operate up to half of their environment in the public cloud.

As cloud migration continues, leaders are working to adapt their existing security processes to these new environments. The research furthermore reports that 55% of organizations report using at least five different security tools to protect their cloud infrastructure.

Despite the obvious benefits of multi-cloud environments, such as improved flexibility, reduced vendor lock-in, and the ability to leverage best-of-breed services from different cloud providers, this approach comes with a critical caveat: such increased complexity directly translates to heightened security risks.

Multi-Cloud As The New Norm

For most organizations, transitioning to a multi-cloud environment is no longer a matter of if but when. Smaller organizations often delay this transition for as long as possible. It’s an understandable strategy; despite the many benefits of operating across multiple clouds, the level of complexity it adds to managing and securing those environments can prove a daunting task for ill-equipped organizations. We’ll explore some common key drivers that lead organizations down this path.

M&A Activity: During an acquisition, it’s not just the employees and IP they take on; they’re also inheriting existing cloud infrastructures, which may be tied to critical business functions that cannot be disrupted. This can create an environment where different clouds are used for different purposes, applications or business units.

Financial Incentives From Cloud Providers: Cloud providers often offer attractive financial incentives, such as credits and discounts, to lure organizations onto their platforms. These incentives provide immediate cost savings, but these short-term benefits often create significant technical debt later on. Companies usually find themselves locked into a particular cloud provider long after the incentives have expired, with migration costs becoming prohibitively high.

Technology Fit: The rapid pace of technological evolution means that certain applications or services simply work better in specific clouds. For example, the strategic partnership between Microsoft and OpenAI has made it easier for organizations to leverage AI and machine learning tools within Microsoft's cloud ecosystem. As a result, some companies may find it more practical to use different clouds based on the specific technologies they require.

These factors combine to make it incredibly rare for organizations to remain loyal to a single cloud provider. This is because moving workloads and data from one cloud to another is always more complex and costly than anticipated. In fact, at Orca, we have seen companies still running cloud services from a direct competitor years after an acquisition, simply because untangling these systems proves too challenging and disruptive.

Developers tend to prefer the path of least resistance, and re-architecting entire cloud infrastructures is unlikely to rise to the top of the to-do list when immediate business needs demand attention. As a result, multi-cloud environments have emerged as one viable option.

The Growing Risk Profile Of Multi-Cloud Environments

Enterprises across the world rely on multi-cloud environments to serve as the backbone of their business, but it’s become increasingly clear that the transition to a multi-cloud environment dramatically increases an organization's cyber risk exposure. This elevated risk manifests in several ways, including:

Increased Complexity: Each cloud platform has its own set of tools, languages and services, which makes it difficult for organizations to maintain consistent security policies. As the number of cloud providers grows, so does the number of moving parts that must be managed.

Data Inconsistency and Increased Costs: Managing data across multiple clouds introduces the potential for data inconsistency. Organizations often find themselves hosting the same data in multiple locations, leading not only to increased storage costs, but to uncertainty around how to slice and dice what data “lives” where.

Larger Attack Surface: It’s simple math: the more cloud platforms an organization uses, the larger its attack surface becomes. Each cloud service introduces new potential vulnerabilities, both known and unknown. These vulnerabilities can be exploited by malicious actors, who are increasingly targeting multi-cloud environments.

Attack Chains Involving Multiple Clouds: The rise in multi-cloud environments has also contributed to a growth in the number of sophisticated attack chains that span more than one cloud provider. Cybercriminals are increasingly targeting organizations' multi-cloud environments, orchestrating attacks that move seamlessly between platforms.

From our research of 8+ million attack paths, we found that 9% of all organizations have at least one cross-cloud provider attack path, and 31% have at least one cross-account attack path. Those numbers will continue to grow unless organizations implement comprehensive security practices.

Reducing The Risk Of Multi-Cloud Environments

While multi-cloud environments are inherently more complex and riskier, there are strategies that organizations can implement to reduce those risks and ensure they are properly protected.

Develop A Unified Security Strategy: Establish a unified security strategy that applies consistent policies across all cloud platforms. This approach ensures no single platform becomes a weak link in your security chain.

Take A Risk-Centric Approach To Security: Focus on identifying and addressing your greatest security risks—by impact and likelihood—rather than simply responding to alerts.

Understand Known Attack Paths: Understanding how attackers might exploit your multi-cloud environment is essential for reducing the risk of cyber attacks. By mapping your cloud infrastructure and identifying potential attack vectors, you can more effectively protect your cloud environment.

Leverage AI To Enhance Security: Artificial intelligence (AI) can play a critical role in enhancing detection and response capabilities within multi-cloud environments. By using AI-powered tools, organizations can automate the detection of anomalies, speed up investigations, and accelerate the remediation of security issues.

As the use of multi-cloud environments continues to grow, organizations must be vigilant about the security risks that come with them. In an increasingly interconnected world, understanding and managing the risks of multi-cloud environments is no longer optional—it's a necessity for every business.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?