Today’s development companies heavily rely on cloud and online infrastructure. That means using Azure, AWS, or Google Cloud for virtual environments, which provide the infrastructure and computing power for servers, web applications, and virtual computing. While most of these cloud platforms are relatively complete, in that you can use them for nearly any tooling or services you need, they haven’t always been. And, importantly, devs on teams don’t always know how to use them in their entirety. This, and refusal to rely on a single cloud environment, has resulted in a phenomenon known as “multi-cloud”.
Multicloud strategies consist of linking top virtual environments together, combining services from Azure, Google Cloud, etc. This can enable faster deployment, a “best of all worlds” approach, or simply allow developers to use the tooling they’re familiar with in the contexts they’re familiar with. But, adding more vendors into the supply chain, and in more ways, creates new and largely unexplored risks for many companies. Pentesting multicloud environments can help you to identify risks and stop them, but it’s also important to understand how these environments create risks as well.
Building the MultiCloud
As more businesses digitize, they are forced to move to the cloud, not just to offer cloud services and to benefit from as-a-service structures, but often to keep up and compete with other organizations. In an ideal world, this would mean assessing infrastructure, choosing a single solution, and building a new cloud architecture encompassing the entire network. Instead, businesses scramble to adapt to cloud technology and adopt as quickly as possible, while maintaining business and infrastructure. Teams adopt tooling from whatever is available, that can quickly be patched in. The result is often a patchwork of solutions, the unplanned “multi-cloud”. This also happens without any real oversight, as devs do so on their own to complete tight deadlines on projects. So, we sometimes start an assessment and discover we’re pentesting a multicloud environment.
Of course, multi-cloud strategies can be very much on purpose, with benefits and real business value. In April of 2020, Flexera’s State of the Cloud Report interviewed 750 organizations to determine that 98% use a multicloud approach. “Multi-cloud” approaches, which involve either accidentally or deliberately choosing solutions from multiple cloud environment vendors, can be adopted for multiple reasons:
- Convenience – Devs know how to work with tooling from different vendors
- Avoiding Lock-in – Most enterprises in Flexera’s study opted for multi-cloud to avoid reliance on a single vendor
- Quality/Availability of Tooling – For example, most companies use containers through Docker or Kubernetes, not AWS, Azure, or Google, despite those tools offering container-as-a-service.
Essentially, there are many reasons the multi-cloud strategy is adopted. All of them create more risk for the organization.
More Technology Vendors = More Risk
More technology means more tooling and more solutions. Even security teams source tooling from 8-10 vendors on average, connecting numerous software solutions into the same network. The result is a patchwork of technology, with no single point of control or monitoring. The associated security risks here are obvious to most, but often overlooked on an organization-wide scale.
This becomes more complex when integrated into the hybrid cloud strategies. Forrester Research shows that 85% of enterprises use a hybrid-cloud strategy with on-premise infrastructure. This links cloud resources, as-a-service resources, and on-premise systems together, treating them as one.
Yet, the end result is creating more vulnerabilities for the whole. 45% of cloud-related incidents in 2020 related to hackers finding the lowest point of resistance in a cloud environment, and then using that to access the full network.
The most recent, relevant example here is the Solar Winds attacks. Hackers took advantage of companies leaning on mixed technology vendors, finding weaknesses in the supply chain, and targeting entire networks through that. A single hack (Solar Winds) allowed hackers to infiltrate top organizations and companies through malicious code inserted into Solar Winds’ software. That gap in the supply chain led to some of the world’s most well-protected organizations being hacked.
Lack of Central Security Means Lost Data
- Multiple logins from different geo-regions or time zones are not tracked across different clouds
- No central access management
- No central password controls
- No central way to review and update security settings, patches, etc.
That’s important, considering many of our customers have no real idea they’re using multi-cloud solutions. Instead, developers adopt technology to bypass time constraints, which is sometimes necessary to complete projects without delays. Adopted environments are then sometimes populated with internal databases, but outside of strict company policy. So, GDPR sensitive or other classified data could be pushed to different environments, without oversight. Risks multiply as projects are completed, Devs move into new roles, etc., and the database stays live in the environment.
If you’re running a multi-cloud environment, you have more security risks and more potential vulnerabilities than running a single cloud environment. While there might be advantages known to you, multi-cloud also adds on costs, increases technical knowledge burdens for workers, and increases the configuration load on compliance and IT staff. For that reason, we would always recommend moving or migrating to a single cloud, or if you intend to keep multi-cloud, to ensure you have strong underlying infrastructure to maintain security and functionality. If you want to assess current security and access points, a pentest can help. Contact us, or check out how it works, to see how a multi-cloud pentest with PentestHero can help you harden your environment and increase security.