Multi-cloud security and compliance – challenges and best practices

[German]Companies are heading to the cloud. This often involves multiple cloud providers. Multi-cloud strategies further complicate cloud security and compliance, as controls and policies must be applied consistently across multiple cloud environments. IT security firm Orca Security looked at cloud security challenges and best practices.


Enterprises are increasingly moving their operations to not just one, but in many cases multiple public clouds. In HashiCorp's recent State of the Cloud Strategy Survey, 76 percent of respondents said they already have multi-cloud strategies in place. Another 47 percent of those respondents agreed that security is a major barrier to the cloud.

Multi-cloud strategies further complicate cloud security and compliance by requiring controls and policies to be applied consistently across multiple cloud environments. Orca Security says security teams can significantly minimize the complexity and effort required to secure a multi-cloud environment, allowing organizations to fully implement their cloud strategy. IT security firm Orca Security looks at cloud security and identifies challenges and best practices below.

What is a multi-cloud strategy?

A multi-cloud strategy is when enterprises use multiple providers of public IaaS cloud services – such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud – to optimize their IT services and infrastructure. Because each cloud provider offers different services and pricing models, enterprises can get the best service at the best price by using multiple cloud providers.

The concept is best explained using an analogy from the supermarket. For example, when customers buy their favorite organic products at a health food store, they accept that the prices will be slightly higher. However, for most staple foods, they prefer to go to a regular store because the prices there are much lower. In short, they optimize their grocery shopping based on each store's individual offerings and prices, which is similar to a multi-cloud strategy.

What is the difference between cloud platforms?

Like supermarkets, all cloud providers have similar offerings, but each takes a slightly different approach. This is by no means a complete comparison, but the following brief summary shows how the leading cloud providers' platforms add value in different areas:


  • AWS offers the widest range of services, including compute, storage, database, analytics, networking, mobile, developer and management tools, IoT, security and enterprise applications.
  • Azure has the advantage of combining productivity and enterprise software (such as Office 365 and Teams) with flexible cloud computing resources for developers on one platform.
  • Google Cloud stands out for its technological advancements in open source technologies, particularly containers, and played a critical role in the development of Kubernetes, a container orchestration platform that has since become an industry standard.

What are the benefits of a multi-cloud strategy?

It's no surprise that most enterprises are using multiple cloud platforms, as this strategy allows organizations to:

  • Optimize access to services: As described above, some cloud providers are more specialized in providing certain services than others, so it makes sense to choose the best cloud provider for each service needed.
  • Spreading risk and resilience: it's always a good idea to avoid "putting all your eggs in one basket." For example, if an outage or other problem occurs with one cloud service provider, the other cloud platforms are unlikely to be affected.
  • Reduce costs and dependencies: By using multiple cloud providers, organizations can remain flexible and switch providers to optimize spending, rather than committing to one provider and incurring high operating costs to move services.

Security and compliance challenges of multi-cloud environments

While using multiple cloud providers makes great business sense, it can greatly complicate security and compliance efforts. For example, security controls and policies should be consistent across the board. Since most native cloud provider security tools only cover their own platform, and not all third-party solutions support multiple cloud providers, security and compliance can quickly become an operational nightmare for multi-cloud environments.

When security controls are not consolidated into one platform, this leads to the following problems:

  • Lack of central visibility: The use of different solutions for each cloud platform – and often even multiple solutions per platform, such as Cloud Security Posture Manager (CSPM) and Cloud Workload Protection Platforms (CWPP) – makes it almost impossible to get a central overview of risks. This means that responsible parties do not have a clear view of their overall cloud security posture and do not know which risks need to be addressed most urgently.
  • High operational costs: duplicating security policies across multiple cloud security and compliance tools can quickly become a burden on an already understaffed cloud security team. Cloud workload protection platforms (CWPPs) also require an agent to be installed on each cloud resource to be monitored. The larger and more diversified the cloud resources, the more time-consuming it is to install and maintain agents for each resource.
  • Lack of consistency: When organizations are forced to use multiple different cloud security tools, each with different configuration options, it is a complex task to ensure that the same security and compliance checks are performed across all cloud assets.
  • Increased susceptibility to errors: the more manual intervention and duplication of security policies required, the more room there is for human error and misconfigured security controls.

Best practices for multi-cloud security and compliance

To minimize the complexity and effort required to secure a multi-cloud environment, security managers should follow these five best practices:

1. Insist on multi-cloud support: Make sure your cloud security provider supports multiple cloud provider platforms.

2. Consolidate cloud security solutions: Use full-stack cloud security solutions (CWPP and CSPM in one – also called Cloud-native Application Protection Platform (CNAPP)) so you can reduce the number of standalone solutions and replace them with a single tool for all your cloud environments.

3. Go agentless: Eliminate resource-intensive agent deployments that limit responsiveness and hinder your ability to move applications to other cloud platforms as needed.

4. Platform-specific remediation: Use a cloud security solution with contextual intelligence that prioritizes critical risks and provides platform-specific mitigation instructions to help users work across multiple cloud platforms.

5. Identify cost-saving strategies: Keep the CISO happy by using a cloud security tool that can pull detailed information about each asset on each cloud platform, including frequency of use. This way, you can provide advice on further cost-saving strategies, such as moving certain applications to other cloud platforms and consolidating or removing redundant services.

In the multi-cloud era, security has become more complex and time-consuming than ever before. However, by using a holistic cloud security approach that can establish consistent security controls across multiple cloud environments, complexity and duplication of effort can be significantly reduced, according to Orca Security. This means security teams waste less time on operational tasks and can instead focus on securing cloud environments.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Cloud, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *