
The multi-cloud reckoning: Simplify for cost, security and sanity

Multi-cloud strategies were meant to save money and reduce risk, not multiply it. Today's CIOs face rising exposure, inconsistent controls and growing operational strain.

Multi-cloud sprawl has reached a breaking point, bringing disproportionate security exposure, governance complexity and operational fatigue. Multi-cloud was originally adopted to save money and avoid vendor lock-in; instead, CIOs are facing unintended consequences such as high-profile breaches and tool sprawl with inconsistent logging and monitoring.

I recently started watching an AMC series called Halt and Catch Fire. While there are technical inaccuracies, the plot has this IT and cybersecurity professional hooked. Set in the 1980s, the main character, Joe MacMillan, is a serial innovator who drives his team of computer engineers to create the first truly portable (laptop-style) IBM-compatible computer. In Season Two, Joe has moved on from his team of hardware and software engineers and lands a job doing data entry at his future father-in-law's energy company. He soon learns that the company has made a significant investment in an IBM mainframe but uses its computing power only during business hours, Monday through Friday. Joe comes up with an idea that lets other companies "rent" the unused portion of the mainframe, turning idle capacity into a new revenue stream.

While the term wouldn't be coined for at least another decade, the fictional Joe MacMillan was selling the idea that underpins what is now known as "cloud computing": using someone else's computers, networking and data center to process, transmit and store a corporation's data.

This article will explore risks and potential mitigations for the CIO's cloud and multi-cloud strategy.

Cybersecurity poses the most significant potential threat

Having worked exclusively as a cybersecurity professional for over twenty years, I may be biased. However, it's clear that cybersecurity is a top concern for corporate executives.

With the race to develop and innovate using AI, corporations are under pressure to explore every cloud's AI offerings, leading to multi-cloud complexity. Gaps in IT and cybersecurity process maturity are exacerbated as organizations move workloads from on-premises to cloud-based programs. Without a cloud strategy, CIOs may find themselves in a difficult position as they try to mitigate the risks of AI and cloud at the same time.

Here are areas to address as part of an overarching cloud governance and risk management practice.

  • Expanded attack surface. With multi-cloud there is no single set of centralized control points, so the ingress and egress chokepoints of a traditional network no longer apply. Cloud tenants and their management planes are, by default, reachable from anywhere on the Internet. Configurations also differ across clouds, requiring subject-matter expertise for each one – for example, AWS engineers are unlikely to be familiar with Google Cloud Platform and vice versa. This makes it much harder to discover unsanctioned cloud use.
  • Identity and access management (IAM) fragmentation. Identity is the new perimeter, and multi-cloud means disparate identity stores, access policies, roles and entitlements to manage. Without centralized provisioning and governance, insider threat and privilege escalation risks rise.
  • Inconsistent security controls and support. Security tools do not support every public cloud equally, leaving gaps in capabilities or requiring the deployment of multiple tools. This is inefficient and may increase vulnerabilities. Security baselines also differ across cloud providers. The lack of standardized encryption, logging and policy enforcement requires more effort to properly tune security tools such as a SIEM.
  • Incident response complexity. Managing multiple platforms reduces visibility, making cross-cloud forensics and log correlation more difficult. It is also harder to contain threats when governance structures conflict and security responsibilities between the subscriber and the cloud provider are inconsistent.
  • Regulatory pressure. Cloud provider downtime may result in fines against your organization if regulated services miss availability or resilience obligations. Increased scrutiny of data residency, supply chain security, AI governance and operational resilience should also be considered. Multi-cloud makes compliance harder, not easier.

Why multi-clouds are unsustainable

In the past, a multi-cloud strategy helped guard against vendor lock-in and strengthened cost negotiations. That worked well when the services in question were commodity compute and storage. AI is turning the public clouds into highly specialized platforms for models and agents, built on still-maturing integration standards such as the Model Context Protocol. This puts strain on existing IT and cybersecurity teams as they try to balance day-to-day operations with upskilling for every new cloud environment.

Each platform requires specific skills, and the skills gap widens as the myriad of cloud platform tools continues to expand. Security and cloud engineers cannot maintain deep expertise across three or more platforms, yet organizations continue to spread that expertise too thin to be effective, and the result is operational inefficiency. Mean time to detect and mean time to respond both increase as the number of monitored platforms grows. As one issue is addressed, other problems cascade while time is spent troubleshooting them one by one.

Existing tools do not provide support or feature parity across all cloud platforms, so organizations end up managing multiple SIEMs, endpoint agents, data platforms and DevOps pipelines. Tool duplication leads to high overhead and inconsistent efficacy.

Because cloud teams are constantly monitoring multiple platforms and addressing issues, burnout and turnover may rise as work-life balance erodes. Maintaining standards across different environments is challenging. Cloud engineers are in high demand, with the U.S. Bureau of Labor Statistics reporting a 15% career growth rate through 2034, higher than the average, which makes it easy for burned-out employees to leave their organizations.

Security through standardization

Simplifying does not necessarily mean moving to a single cloud. It is vital to define acceptable use for each cloud provider. Your organization's goal should be "fewer patterns, not necessarily fewer clouds": rationalize the architecture without eliminating choice.

Establish use-case patterns rather than simply choosing a cloud provider. For example, medical use cases are deployed on cloud provider A because its security controls support HIPAA requirements, while operational efficiency use cases are set up in provider B because no personally identifiable information, payment data or protected health information (PHI) is required there. Defining these use cases also simplifies monitoring for misuse: any PHI detected in provider B is, by definition, a policy violation.

Consolidate around your core platforms. For example, for commodity workloads such as storage, compute and VMs, look for fewer providers. Then choose specialized clouds if they deliver material differentiation similar to the example above.

From a cybersecurity standpoint, centralizing IAM is the most important step. Move to a unified enterprise identity strategy with single sign-on (SSO), and enforce multifactor authentication (MFA), zero-trust access, standardized encryption requirements and logging configurations from that central point.

To manage all clouds consistently, create a "cloud control plane" that spans every existing platform. This reduces reliance on per-cloud consoles and custom integrations and establishes a single integration layer for governance, observability and policy enforcement.

Cost as a secondary outcome

The cost of securing and operating multiple cloud platforms is often overlooked because it spans multiple organizational cost centers. As mentioned earlier, not all tools are compatible across cloud platforms, so organizations end up purchasing multiple products that provide similar functionality. Standardizing controls on platform use cases has the following cost benefits:

  • Eliminating redundant services and tools.
  • Lowering head count pressure by reducing platform variety.
  • Enabling more accurate and actionable FinOps.
  • Reducing complexity-driven incidents and downtime.

CIO's roadmap for cloud simplification

CIOs and CISOs must partner to build a cloud and AI simplification strategy for their organizations. Guardrails must be established based on business use cases rather than an "anything goes" approach. Conversely, a defined strategy should also give organizations that have avoided AI with a "block it all" approach a safe path to adopt it.

  • Assess the current state. Establish the size of the multi-cloud problem. Discover and inventory clouds, workloads, data flows and tooling. Define sanctioned vs. unsanctioned cloud use and establish controls to sanction what is unsanctioned.
  • Define simplification principles. Determine what is possible without additional investment. Determine which cybersecurity tools are operational in your cloud environments and standardize on cloud platforms that meet regulatory or business requirements. To reduce the attack surface, rationalize workloads that aren't adding business value.
  • Consolidate services where differentiation is low. Lock in costs for commodity cloud services. Storage, compute, networking and databases, among others, should be deployed on the lowest-cost platform that meets the baseline.
  • Align security and cloud engineering teams. Establish cloud and AI centers of excellence with cloud platform teams to maximize efficiency and reduce burnout. Build reusable cloud architecture patterns rather than treating each workload as a "one-off" and consolidate IT and cybersecurity governance.
  • Implement cross-cloud guardrails. For consistency, consolidate tools if possible. Deploy policy-as-code and automate platform delivery, which includes cybersecurity tools. Implement a cloud security posture management program to verify and continuously monitor controls, centralize and automate identity provisioning and identity management, and use role-based access control and SSO everywhere possible.
  • Re-architect for resilience. To prevent future outages from affecting your organization, develop and document standardized, platform-agnostic reference architectures. Document and exercise failover, business resiliency and return-to-normal operations processes.
  • Focus on business value. Communicate wins in terms that boards understand. Accelerate cloud and AI adoption through established platform use cases. Improve regulatory readiness by applying controls only to applicable platforms and prevent cybersecurity incidents by reducing the attack surface and optimizing tools. Be sure to communicate potential savings both in terms of required tools and head count.
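
As an added, self-contained example (not code from the original article or its author), the following Python sketches the "cloud control plane" and policy-as-code guardrails described above, together with the use-case patterns from the standardization section. Two provider-specific inventory snapshots (constructed, simplified shapes that do not mirror any real provider API) are normalized into one schema, and a single rule set covering encryption at rest, access logging, public exposure, MFA and the "PHI only in provider A" pattern is evaluated across both. Provider names, field names, rules and sample data are all assumptions.

```python
"""Cross-cloud guardrails as policy-as-code (illustrative, hypothetical).

Two provider-specific inventory snapshots (constructed, simplified shapes
that do not mirror any real provider API) are normalized into one
Resource schema so that a single rule set can be evaluated regardless
of which cloud a resource lives in.
"""
from dataclasses import dataclass

# Use-case patterns (assumed policy): which data classes each provider is
# sanctioned to hold. Provider A is the regulated-workload cloud.
SANCTIONED_DATA = {
    "provider-a": {"public", "internal", "pii", "phi"},
    "provider-b": {"public", "internal"},
}


@dataclass
class Resource:
    provider: str
    kind: str                 # "bucket", "vm" or "identity"
    name: str
    data_class: str = "internal"
    encrypted: bool = False   # encryption at rest (buckets)
    logging: bool = False     # access/audit logging enabled
    public: bool = False      # reachable by anyone on the Internet
    mfa: bool = True          # only meaningful for identities


def normalize_provider_a(raw):
    """Map provider A's (constructed) inventory shape onto Resource."""
    return [
        Resource(
            provider="provider-a",
            kind=r["resourceType"],
            name=r["arnLike"],
            data_class=r.get("tags", {}).get("DataClass", "internal").lower(),
            encrypted=bool(r.get("sse", {}).get("enabled")),
            logging=bool(r.get("accessLogging")),
            public=r.get("acl") == "public-read",
            mfa=bool(r.get("mfaEnrolled", True)),
        )
        for r in raw
    ]


def normalize_provider_b(raw):
    """Map provider B's (constructed) inventory shape onto Resource."""
    return [
        Resource(
            provider="provider-b",
            kind=r["type"],
            name=r["id"],
            data_class=r.get("labels", {}).get("data_class", "internal").lower(),
            encrypted=r.get("cmek") is not None,
            logging=bool((r.get("logConfig") or {}).get("enabled")),
            public=bool(r.get("allUsers") or r.get("externalIp")),
        )
        for r in raw
    ]


# One baseline, applied identically to every provider.
RULES = [
    ("encryption-at-rest", lambda r: r.kind != "bucket" or r.encrypted),
    ("access-logging", lambda r: r.kind == "identity" or r.logging),
    ("no-public-exposure", lambda r: not r.public),
    ("mfa-required", lambda r: r.kind != "identity" or r.mfa),
    ("data-in-sanctioned-cloud",
     lambda r: r.data_class in SANCTIONED_DATA.get(r.provider, set())),
]


def evaluate(resources):
    """Return (provider, resource, rule) triples for every failed rule."""
    return [
        (r.provider, r.name, rule_id)
        for r in resources
        for rule_id, check in RULES
        if not check(r)
    ]


# Constructed sample inventories (not real data).
SAMPLE_A = [
    {"resourceType": "bucket", "arnLike": "bucket/claims-archive",
     "tags": {"DataClass": "PHI"}, "sse": {"enabled": True},
     "accessLogging": True, "acl": "private"},
    {"resourceType": "identity", "arnLike": "user/deploy-bot",
     "mfaEnrolled": False},
]
SAMPLE_B = [
    {"type": "bucket", "id": "analytics-export",
     "labels": {"data_class": "phi"}, "cmek": None, "logConfig": None,
     "allUsers": False},
    {"type": "vm", "id": "web-1", "labels": {}, "externalIp": True,
     "logConfig": {"enabled": True}},
]


def run_sample():
    """Normalize both snapshots and evaluate them under the one rule set."""
    return evaluate(normalize_provider_a(SAMPLE_A) + normalize_provider_b(SAMPLE_B))


if __name__ == "__main__":
    for provider, name, rule in run_sample():
        print(f"{provider}: {name} violates {rule}")
```

The point of the sketch is the single RULES table: in a real control plane the two normalizers would wrap the providers' actual inventory or CSPM exports, and adding a third cloud means writing one more normalizer, not a third copy of the baseline. The PHI bucket that drifted into provider B surfaces as a finding purely because the use-case pattern was written down as policy, which is what makes the misuse monitoring described above straightforward.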

John Doan is the senior director of cybersecurity advisory and cybersecurity domain architect for a world-renowned healthcare organization.
