Eyad Shihabi, Managing Director, BT Middle East and Africa

From pandemic impacts to the shift to hybrid working, geopolitical and economic pressures continue to disrupt global markets and as a result create significant challenges to sustaining business operating models. For the modern organisation that aims to have built in resiliency to better ride the waves of change in an effective, yet cost-conscious way, multi-cloud is becoming increasingly popular as it offers more flexible infrastructure that fits with how organisations want to work today. 

Taking a multi-cloud approach not only makes the most financial and operational sense, allowing the agility to dynamically respond to evolving situations, but it also offers enhanced resilience - the ability to use different clouds for different workloads creates significant opportunities to gain a competitive advantage. However, on the flip side, securing the multi-cloud environment can be a challenging endeavour.

For starters, going the multi-cloud route greatly increases an organisation’s attack surface, and thus can expose an organisation to more security risks. This is compounded by uncertainty around regional compliance. Each cloud provider typically has a different model for defining the security responsibilities of the customer, which makes implementing efficient data governance and compliance measures across multiple clouds even more complex. 

Additionally, the demand for new cloud-based security measures cannot be adequately addressed with legacy security controls that can’t keep up with the dynamic nature of multi-cloud deployments. Yet another challenge is the need to establish comprehensive visibility across several cloud platforms. The lack of a unified view across all one's cloud environments makes detecting and responding to security threats even more difficult. These four challenges are further exacerbated by the shortage of cloud skills which remains a global problem. 

Organisations can begin addressing these concerns by re-assessing their multi-cloud strategies through a security-conscious lens, ensuring that every step forward in innovation and cost management that they take is done in a protected way. Additionally, there are several things that organisations can do to rise above these challenges and take advantage of the benefits of multi-cloud - and to do so securely.

#1 Standardise security policies 

Standardisation along with managing cloud governance and access is critical. Irrespective of the cloud platform being used, there’s a need to define data classification and categorisation policies and then implement the appropriate security measures for each category. Doing so enables businesses to control who has access to specific resources, services, and data by using identity and access management on a granular level. 

#2 Regain full visibility and improve monitoring 

Because one cannot protect what one cannot see, it is valuable to bring the monitoring data from all clouds and data centres into a single location. Taking this approach not only gives organisations visibility of their complete environment in a single pane, but it also helps to address configuration drift, where cloud setups diverge from policy over time as more changes are made. 

#3 Explore implementing automation

More specifically, by finding ways to automate configuration, policy enforcement and vulnerability scanning, along with introducing security measures earlier in the development cycle, organisations can benefit from a secure-by-design approach. Because cloud is API-driven, all interactions with cloud functionality can be authenticated, automated, logged and analysed, and it is valuable to take advantage of this.  

#4 Understand the nuances of the shared responsibility model

Typically, in a cloud setup, the shared responsibility model around security is straightforward. The cloud provider is usually responsible for the security of the cloud platform, while the user is responsible for the security within it. 

Multi-cloud makes this more complicated though, as different hyperscalers, namely AWS, Azure and Google Cloud Platforms, have their differences from one another, and their shared responsibility models may also be more complicated from one hyperscaler to the next. Meshing them together can add a layer of unwelcome complexity. For that reason, it is valuable to bring in external expertise to guide the organisation through this complexity when running a multi-cloud.  

Multi-cloud is certainly an attractive opportunity, and even though it does bring with it security challenges, these can be addressed, particularly if organisations go into multi-cloud with their eyes wide open and keep security at the forefront. To support organisations on their multi-cloud journey, we launched Global Fabric - a global, cloud-centric core network, built based on a network-as-a-service (NaaS) technical and commercial model - as an enabler of new way of connecting distributed workloads in a resilient, secure, frictionless manner for a multi-cloud world.