Managing data security in a multi-cloud environment: control & compliance

When you consider what cloud computing offers in terms of agility, scalability and cost, it's no surprise that the market for cloud services is forecast to grow 18 percent this year, from £160.3 billion in total worldwide revenue to £189.1 billion.


The cloud is increasingly becoming a destination for sensitive data that should and must be protected. Alongside this, largely due to the number of high profile breaches regularly hitting the headlines, customers are expressing some very real concerns about the protection of their sensitive data no matter where it is located.


When moving workloads to the cloud, enterprise organisations must consider the security of their data in much the same way as they have always done in traditional compute environments. Cloud services providers (CSPs) all advertise security offerings as part of their services and, while essential, these tend to be basic features such as firewalls and network protection, configured the same way for all users.


Most reported problems in cloud environments, however, stem from more complex areas of security that are specific to each customer, such as a compromised credential, insider threats or misconfiguration at the enterprise level, rather than from the CSP.


To further complicate this situation, many organisations faced with deciding where best to run their applications and store their data are now debating whether to work with a single CSP or to spread their workloads across multiple clouds. It's not uncommon, for example, for medium and large enterprises to run SaaS, PaaS, and IaaS with different providers, in parallel with their own on-premise systems.


As a result, IDC estimates that nearly 80 percent of IT organisations are currently deploying, or are planning to implement, multi-cloud environments.


Issues arising from multiple cloud use

Various management issues can arise as an organisation's workloads begin to spread across multiple cloud providers, especially when it comes to protecting sensitive data across heterogeneous cloud environments.


Organisations have reached a level of maturity when devising an enterprise-wide encryption strategy for protecting data while it is at rest, but as workloads move to the cloud, organisations are faced with ensuring data security, control, and trust across on-premise systems, private clouds and public clouds. Managing those security challenges using native cloud services becomes difficult because IT organisations have to work with different, proprietary security systems from each cloud vendor. Committing to the various data protection schemes of multiple public cloud providers will require vendor-specific training for each solution, while managing data protection across different providers will require multiple management and administration interfaces.


And with cloud providers deploying encryption as a way of protecting their customers' data, it means that if that data is encrypted using one vendor's encryption key, then moving that data to another vendor's cloud environment will require it to be decrypted, moved in the clear, and then re-encrypted; a real headache for any organisation.


What's more, securing data as it flows between multi-cloud services can be especially problematic for those organisations looking to remain compliant with data privacy regulations, such as the impending EU GDPR. It's important for them to be able to prove that they can control their data by following best practices, and that they meet new, more stringent compliance regulations.


At the root of trust in an organisation's entire system, the security of any cloud service depends on the level of protection given to the cryptographic keys used to protect sensitive data. If these keys are lost, the organisation's data is lost along with them. If the keys are stolen, the organisation's secrets might not remain secret for long, and if the keys are compromised then assumptions around access control may no longer apply.


Organisations operating in a multi-cloud environment will derive the most benefit from a consistent, integrated solution that offers comprehensive data security along with the ability to effectively manage encryption keys across a range of diverse environments. Organisations with multi-cloud workloads are increasingly turning to solutions like Bring Your Own Key (BYOK) or Bring Your Own Encryption (BYOE) to fully control and manage their security across these disparate environments.
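The sketch below is an added example, not code from the author or from any vendor named in this article. It shows one BYOE-style pattern, client-side envelope encryption: a customer-held key wraps a per-object data key, so a record can be copied between providers as ciphertext, and losing the customer key makes the record unrecoverable. The two in-memory maps standing in for provider storage, the object ID and the function names are all assumptions made for illustration.

```javascript
// Added illustration: client-side envelope encryption (a BYOE-style pattern).
const crypto = require('node:crypto');

// AES-256-GCM encrypt; output layout is iv (12 bytes) | tag (16 bytes) | ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Reverse of seal(); throws if the key, the AAD or the ciphertext is wrong.
function unseal(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// A fresh data key (DEK) per object, wrapped by the customer-held key (KEK).
// The object ID is bound as AAD so a wrapped key cannot be reused elsewhere.
function encryptObject(kek, objectId, plaintext) {
  const dek = crypto.randomBytes(32);
  return { objectId,
           wrappedDek: seal(kek, dek, objectId).toString('base64'),
           body: seal(dek, Buffer.from(plaintext), objectId).toString('base64') };
}

function decryptObject(kek, record) {
  const dek = unseal(kek, Buffer.from(record.wrappedDek, 'base64'), record.objectId);
  return unseal(dek, Buffer.from(record.body, 'base64'), record.objectId).toString();
}

// Constructed demo: two Maps stand in for two providers' object stores.
function migrateDemo() {
  const kek = crypto.randomBytes(32);            // never leaves the customer
  const cloudA = new Map(), cloudB = new Map();  // hypothetical provider stores
  const rec = encryptObject(kek, 'invoice-001', 'constructed sample record');
  cloudA.set(rec.objectId, JSON.stringify(rec));
  cloudB.set(rec.objectId, cloudA.get(rec.objectId)); // moved as ciphertext only
  const stored = cloudB.get('invoice-001');
  const recovered = decryptObject(kek, JSON.parse(stored));
  let lostKeyFails = false;                      // any other key cannot unwrap the DEK
  try { decryptObject(crypto.randomBytes(32), rec); } catch { lostKeyFails = true; }
  return { recovered, lostKeyFails, sawPlaintext: stored.includes('constructed') };
}
```

In a real deployment the customer-held key would sit in an HSM or key manager rather than in process memory; the random in-memory key here only keeps the example self-contained.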


Compliance and control

As organisations continue to embrace the benefits offered by diverse multi-cloud environments, it's essential that they're aware of how best to achieve both compliance and control. With security threats perceived as one of the biggest inhibitors to multi-cloud deployment, tackling them must be a top priority for organisations at any point of the transitional journey.


Whether an organisation is using one cloud provider or many, knowing how to secure the environment is undoubtedly one of the most important concerns. While determining which of its data and applications should be moved to the cloud, the organisation needs assurance that its information is not only secure, but easily accessible. Remaining in control of that data is key, with access unobstructed by the service provider.


No business wants to put its valuable assets at risk, so whether an organisation's needs are best suited to a single or a multi-cloud strategy, it is critical that organisations take control and responsibility for their data security.


Contributed by Peter Galvin, VP of strategy, Thales eSecurity


*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.