COMMENTARY: On the face of it, the potential of multi-cloud strategy looks very promising. Organizations get the best-of-breed providers for different services; they experience improved resilience through redundancy, and there is no vendor lock-in. What’s more, they have it all at optimized cost. The reality, however, belies the promise. While 92% of organizations deploy a multi-cloud environment, 73% feel that this has added complexity — and 70% of CIOs say they have lesser control.Welcome to the paradox of multi-cloud migration. What starts out as a promise of velocity and flexibility ends as a maze of complexity and opacity. Infrastructure costs surge, cross-cloud latency increases application response times, security incidents multiply due to security gaps and discordant policies, and IT teams spend time and effort to manage this complexity without realizing value. The security debt equation is starkly demanding. Traditional perimeter security just does not cut it in distributed, ephemeral cloud workloads. What is needed is an efficient integration of security practices and protocols. Industry research reveals that fixing a vulnerability in production becomes 640X higher than in the coding stage. [SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]DevSecOps integration provides the vital solution to the security challenge.
Related reading:
Care should be exercised to evaluate cloud-native vs. unified platforms, and not to blindly mix agent-based and agentless tools. Integration priorities must also be attentively considered — such as SAST/DAST into CI/CD, and CSPM with SIEM/SOAR.
The security nightmare of multi-cloud environments
Managing security across multiple cloud platforms comes with obvious challenges, and primarily with three major hidden security gaps.- The configuration drift across the cloud environment increases the attack surface. While cloud service providers provide individual management consoles and monitoring tools, they do not enable a comprehensive view of the multi-cloud environments. This obfuscates detection of threats, with the real alerts getting buried in the noise of false positives and duplicates.
- Multiple cloud means multiple entry points for attacks too — each with its individual set of vulnerabilities, especially at the points of connections with APIs. And with no singular security policy to cover multiple clouds, the risk is ready to become a disaster
- Compliance in a multi-cloud context becomes fragmented, especially as clouds store data in diverse geographical locations, each with their own data protection mandates.
Four critical touchpoints in DevSecOps integration
It’s time to move beyond a "shift-left" approach and focus on the following critical aspects:- Transferring security monitoring of cloud resources to the infrastructure code layer. A cloud-agnostic DevSecOps best practice, Infrastructure-as-Code (IaC) can identify misconfigurations and security issues across multiple cloud environments. Additionally, AI-powered IaC can leverage ML algorithms to proactively analyze patterns, predict failures, and optimize configurations.
- Enabling runtime security in multi-cloud to secure highly dynamic, scalable, and short-lived workloads. Providing live protection and visibility in production environments, runtime security simultaneously ensures cloud, container, application, and serverless security. Cloud-native application protection platforms (CNAPP) provide a single-pane view across all clouds, while eBPF (extended berkeley packet filter) provides depth of visibility into system calls and kernel events. A shared responsibility model may also be looked at where cloud-hosted security guards the infrastructure, and firewalls, encryption, and multi-factor authentication to manage access, data, and applications.
- Protection of credentials (certificates, keys, passwords and tokens) for nonhuman users with effective secrets management. A core component of DevSecOps, it allows single-pane management of enterprise-grade secrets. Delivering centralized vault architecture across clouds, secrets management provides automated credential rotation and zero-trust access. SPIFFE (Secure Production Identity Framework for Everyone) and SPIRE (SPIFFE Runtime Environment) are open-source and platform-agnostic identity systems for software workloads such as containers and services in dynamic environments.
- Embedding software supply chain validation into engineering workflows. This is critical for building a compliance-first culture. SBOMs (software bills of materials) and provenance logs should be core components of the development ecosystem. Systems must be incorporated to ensure non-repudiation, thorough auditability and traceability — extending to tracking of third-party vulnerabilities.
A strategy-to-implementation framework of integrated security
Key elements of an effective framework of integrated security for multi-cloud security environments include:A comprehensive governance layer
- Policy-as-code frameworks to codify security policies for automated and consistent enforcement — such as OPA, Sentinel, AWS Config, SCPs, AWS CloudFormation, Azure Policy, ARM templates
- Unified and automated compliance to cybersecurity principles such as the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), and the National Cyber Security Centre (NCSC). Tools such as Cloud Native Application Protection Platforms (CNAPP) offer a centralized dashboard across all cloud environments to ensure compliance to standards such as SOC2, ISO27001, GDPR, etc.
- Cloud Security Posture Management (CSPM) with unified dashboards




