This document discusses security challenges in multi-cloud environments. It begins with an introduction to multi-cloud strategies and reasons for adopting a multi-cloud approach. Key challenges include knowledge gaps, cost management, deployment difficulties, and vendor lock-in. Regarding security, the top threats are discussed such as data breaches, weak identity management, insecure APIs, and vulnerabilities. Solutions proposed to mitigate these challenges include centralized security tools, identity federation, access management, and embedding security practices in development processes. Overall, the document advocates for a multi-cloud strategy, training, automation, and integrating security across cloud platforms.

1. Security challenges
in a multi-cloud
environment
Eyal Estrin, Cloud Architect, CCSP, CCSK, @eyalestrin

2. Agenda
▪ What is Multi-Cloud?
▪ Reasons for Multi-Cloud
▪ Multi-Cloud Challenges
▪ Security Challenges in a Multi-Cloud Environment

3. About me
▪ Cloud Architect, with 20 years of experience in IT, information security and cloud
services from various industries (Hi-Tech, Pharma, Banking and Academia)
▪ Working with cloud services since 2015
▪ Cloud related certifications: CCSK, CCSP and AWS security specialty
▪ Owner of the blog Security & Cloud 24/7

4. What is Multi-Cloud?
“Managing resources across two different clouds or more,
regardless of location (i.e. multiples of public and/or private
cloud; a mix of on-premises and public cloud with
integrated platforms)”
Foresight Factory report (http://www.digitalbizmagazine.com/wp-content/uploads/2018/09/Informe-
Future-of-Multi-Cloud_F5.pdf)

5. Multi-Cloud Strategy

6. Reasons for Multi-Cloud
▪ Vendor Lock-In
• Split resources between cloud vendors
▪ Price
• Choose the most cost-efficient solution
▪ Reliability
• Shift workloads between cloud vendors
▪ Optimal Application Environment
• Use the best tool (echo-system) or service for the job

7. Reasons for Multi-Cloud (Continue)
▪ Continuous Public Cloud Innovation
• Benefit from infrastructure such as containers and Serverless for
innovation and providing value to organization in a short time-to-
market
▪ Regulatory Compliance
• Selecting services and providers from different data center
regions and availability zones

8. Multi-Cloud Challenges
▪ Challenge: Knowledge Gap
• Requirement to have knowledge working with several cloud providers
▪ Solution
• Training for IT, development and researchers about the use and
maintenance of various cloud services
• Self-study / online courses:
▪ A Cloud Guru
▪ Cloud Academy
▪ Linux Academy

9. Multi-Cloud Challenges (Continue)
▪ Challenge: Cost Management
• Requirement to control the budget and monthly cost over multiple
accounts in several cloud providers
▪ Solution
• Train dedicated employees (such as IT, DevOps, finance) about the use
of cloud services (such as reviewing the monthly bill, produce cost
reports, etc.)
• Deploy cost management tools such as:
▪ CloudHealth
▪ Cloudyn / Azure cost management
▪ APPTIO

10. Multi-Cloud Challenges (Continue)
▪ Challenge: Environment Deployment
• Requirement to have the ability to deploy computer environments
(compute, storage, network, application) in multiple clouds
▪ Solution
• Train your employees about automation, scripting and Infrastructure as
a Code
• Deploy and use cloud-agnostic automation tools such as:
▪ Terraform
▪ Ansible
▪ Chef / Puppet

11. Multi-Cloud Challenges (Continue)
▪ Challenge: Vendor Lock-in
• Requirement to have the ability to move workloads between multiple
cloud providers
▪ Solution
• Build new applications and base your infrastructure on containers,
micro-services architecture and API
• Deploy and use Kubernetes managed solutions:
▪ Google Kubernetes Engine (GKE)
▪ Amazon Elastic Container Service for Kubernetes (EKS)
▪ Azure Kubernetes Service (AKS)
▪ RedHat OpenShift

12. Attack Surface of a Multi-Cloud Environment

13. What are the top threats in the Cloud
Cloud Security Alliance – “Treacherous 12”
Reference: https://cloudsecurityalliance.org/working-groups/top-threats/#_downloads
• Data Breaches • Advanced Persistent Threats (APTs)
• Weak Identity, Credential and Access
Management
• Data Loss
• Insecure APIs • Insufficient Due Diligence
• System and Application Vulnerabilities • Abuse and Nefarious Use of Cloud
Services
• Account Hijacking • Denial of Service
• Malicious Insiders • Shared Technology Vulnerabilities

14. Data Breaches
▪ Challenge: Safeguard Organizational Data
• Requirement to have incident response and forensics capabilities, over multiple
cloud
▪ Solution
• Deploy central SaaS based SIEM/SOC solution
• Use built-in cloud services to monitor and respond to critical security incidents (from
thousand of alerts and logs), such as:
▪ Amazon Guard​Duty
▪ Azure Security Center or Azure Sentinel (currently in preview)
▪ Cloud Security Command Center
• Deploy automation for handling security incidents
▪ Example: AWS CloudFormation Guardrails

15. Weak Identity, Credential and Access Management
▪ Challenge: Manage multiple identities and handle weak
authentications over multiple cloud providers
• Default authentication methods:
▪ AWS: IAM Users
▪ Microsoft Azure: AD Azure, Microsoft Live (outlook.com)
▪ GCP: Google G Suite, Gmail
▪ Solution
• Use federation-based solution (SAML, Oauth)
▪ Example of vendors: Okta, OneLogin
• Use MFA (Multi-Factor authentication)

16. Insecure APIs
▪ Challenge: Protect applications deployed in the cloud and
accessible from the Internet, from application-layer API
related attacks (such as data breaches, DoS, etc.)
▪ Solution
• Embed application security controls inside the software
development lifecycle (SDLC)
▪ “Pushing Left, Like a Boss - By Tanya Janca”
• Deploy API protection solutions, such as:
▪ Salt Security

17. System and Application Vulnerabilities
▪ Challenge: Protect cloud environments (both system and applications)
from vulnerabilities over multiple clouds
▪ Solution
• Embed solutions for locating vulnerabilities in open source:
▪ WhiteSource
▪ Synopsys Black Duck
▪ Snyk
• Embed solutions for locating system vulnerabilities:
▪ Tenable Nessus
• Use automated patch management solutions:
▪ AWS Systems Manager
▪ Azure Update Management

18. Data Loss
▪ Challenge: Locate sensitive data over multiple cloud providers and
protect from data leakage
▪ Solution
• Use built-in cloud services:
▪ Azure Information Protection
▪ Amazon Macie
▪ Google Cloud Data Loss Prevention
• Deploy Cloud Access Security Broker (CASB) solution, such as:
▪ ForcePoint
▪ Bitglass
▪ McAfee MVISION Cloud

19. Insufficient Due Diligence
▪ Challenge: Requirement to evaluate the security maturity
level and financial resiliency of multiple cloud providers
▪ Solution
• Vendor questionnaire
• Review SOC1 and SOC2 Type 2 audit reports
• Review ISO 27001 (Security Management Controls)
• Review ISO 27017 (Cloud Specific Controls)
• Review ISO 27018 (Personal Data Protection)

20. Abuse and Nefarious Use of Cloud Services
▪ Challenge: Requirement to protect cloud environments
from malicious activities such as denial of service, denial
of wallet (DoW), resource consumption, etc.
▪ Solution
• Enforce authentication and authorization mechanisms
• Deploy cost/budget management solution
• Enable logging and configure alerts on anomalies
• Publish legal acceptance and use for both internal and external
customers and partners

21. Denial of Service
▪ Challenge: Requirement to keep multiple environment up and
running and highly available over multiple cloud providers
▪ Solution
• Use built-in DDoD protection services
▪ Azure DDoS Protection
▪ AWS Shield
▪ Google Cloud Armor
• Deploy managed SaaS DDoS protection
▪ CloudFlare
▪ Incapsula

22. Multiple Entry Points
▪ Challenge: Requirement to allow multiple entry points
(from various locations and devices) into multiple cloud
environments in multiple cloud providers
▪ Solution
• Deploy Zero trust access solution, such as:
▪ Luminate
▪ BeyondCorp
▪ Akamai Zero Trust Security

23. Summary
▪ The challenges for working in multi-cloud environments can be
mitigated using the following:
• Creating a multi-cloud strategy, align with the business goals
• Employee training
• Cost management processes
• Central authentication & authorization mechanisms
• Central auditing and logging mechanisms
• Automated everything!
• Embed security inside operational processes

24. Thank You