Hybrid and multi-cloud environments are a reality for many companies. And they’re a real headache for CISOs when it comes to data security compliance, because heterogeneous environments harbour countless cybersecurity challenges.
Text: Andreas Heer, Image: Swisscom, Date: 1 March 2024 5 Min.
There are moments when even IT professionals feel that the cloud is nebulous. It can be opaque and intangible, much like a real cloud in the sky. Such moments always occur when these professionals try to get a clear overall picture of (heterogeneous) cloud environments.
It goes without saying that a lack of transparency is an undesirable condition when it comes to cloud security. This is because the demands on data security have increased almost as exponentially as the volume of data itself amid ongoing digitisation. In a data-driven environment, data must be available and reliable for a business to run.
These factors have made data security more challenging in the cloud age. ‘In the past, when the data was exclusively located in companies’ own data centres, it was sufficient to divide it into different security zones,’ says Alex Obrist, Product Manager for Managed Cloud and Security Services at Swisscom. ‘Now, on the other hand, data is classified and categorised, and roles and identities are checked when accessing it. This is the real paradigm shift that has taken place with the cloud.’
The challenges of data security in hybrid and multi-cloud environments can be summarised with the three Cs: complexity, culture, compliance. More specifically, the situation is as follows:
Cybercrime has long been a business. Ransomware as a service, the division of the individual steps of an attack among specialists, and even call centres run by ransomware gangs for their ‘customers’ all bear witness to this. Attacks are becoming more widespread and new security loopholes are exploited within days. Attacks often occur where there is an opportunity – and companies that haven’t patched their systems in time bear the brunt.
Source: Zscaler Cloud (In)Security Report 2022
Misconfigurations in the public cloud simplify the work of cybercriminals, especially when they are trying to gain initial access to a company’s infrastructure. A poorly protected test system over here, and webmail access without two-factor authentication over there, vulnerable due to login data acquired through phishing, are just a couple of ingredients that attackers can mix into a poisonous cocktail.
Cybercriminals take advantage of the fact that hybrid and multi-cloud environments quickly become confusing. It is faster to set up a test VM than it is to secure and document it. And soon enough, the security managers are poking about in the fog. The lack of visibility is a challenge for companies, as Alex Obrist says: ‘In the past, there was a concept for data storage. Today, there are countless tools to identify data in the cloud. Finding the right one and using it correctly is a challenge.’ A lack of clarity makes it difficult for companies to enforce uniform policies and meet compliance requirements.
It is not only the distribution of data and applications that makes the IT landscape confusing. Added to this are cloud providers’ different security approaches and systems. This means that, depending on the provider they are using, customers themselves need to adopt different approaches to achieve the same goal and secure the cloud environment as required. ‘If a company tries to implement its security requirements using the different tools, there is a risk of losing track,’ says Alex Obrist, describing the situation.
Such a heterogeneous tool landscape increases the likelihood of human error, especially when there is a lack of experts who are familiar with different cloud providers. And misconfiguration is one of the biggest security risks in hybrid and multi-cloud environments. According to a 2022 study by Zscaler, 98 per cent of respondents had critical gaps in their cloud environments due to configuration errors.
But unwanted data leakage and the release of confidential business documents, whether intentional or not, are also risks in cloud environments.
An additional layer of complexity is created by the subject of ‘data storage in Switzerland’. Has it been ensured that the security tools used are actually operated in Switzerland, and that the SMS service for customers, for example, does not take a detour via another country? Getting a clear overview of the services offered by providers is a real challenge – and a tedious one.
The nebulous moment mentioned at the beginning of this article often arises when compliance needs to be demonstrated. Without visibility and a clear overview of the entire IT environment, comprehensive monitoring is simply not feasible. However, this is a prerequisite for complying with data governance, regulations and legal requirements. ‘Companies need a data inventory to protect these assets. This requires visibility,’ says Alex Obrist. ‘For a company that doesn’t have the core competence to operate cloud environments, it’s difficult to keep track.’
The same requirements also necessitate security certifications such as ISO 27001. They are based on compliance and standardised processes and require appropriate control instruments. Recovering visibility over the entire environment should therefore be the primary objective of a data security strategy.
Heterogeneous hybrid and multi-cloud environments require new approaches and tools to ensure and verify data security:
‘Companies need to be able to decide centrally how they want to protect this data – no matter where it is,’ says Alex Obrist. This means the fog can finally lift and give you an unobstructed view of the cloud landscape.