How zero trust closes security gaps in multicloud tech stacks

Mergers, acquisitions and private equity roll-ups combine companies to create new businesses, leading to more multicloud tech stacks and increased urgency to get zero trust right. Acquisitions nearly always also lead to tech stacks being integrated and consolidated, especially in cybersecurity. As a result, nearly all CISOs have consolidation plans on their roadmaps, up from 61% in 2021.

Ninety-six percent of CISOs also plan to consolidate their security platforms, believing that consolidating their tech stacks will help them avoid missing threats (57%) and reduce the need to find qualified security specialists (56%) while streamlining the process of correlating and visualizing findings across their threat landscape (46%). 

Cybersecurity vendors, including CrowdStrike, are achieving revenue growth by providing customers with a clear path to consolidating their tech stacks.

Why enterprises choose multicloud 

Multicloud is the de facto standard for cloud infrastructure, with 89% of enterprises adopting multicloud configurations, according to Flexera’s 2022 State of the Cloud Report. 

The most common motivations for enterprises to take a multicloud approach include improved availability; best-of-market innovations; compliance requirements; bargaining parity on cloud provider negotiations; and avoiding vendor lock-in. Large-scale enterprises also look to gain greater geographical coverage of their global operations. 

CIOs tell VentureBeat that it’s necessary today to build a business case that shows how multicloud infrastructure spending will increase cloud adoption, improve cost savings and contribute to revenue gains. Boards of directors and C-level governance teams want to understand how spending on multicloud strategies will be secure, make economic sense and help improve the business’s resiliency and responsiveness.  

Defining multicloud 

Gartner’s definition says, “a multicloud strategy is the deliberate use of cloud services from multiple public cloud providers for the same general class of IT solutions or workloads — almost always IaaS and/or PaaS, not SaaS. Many organizations become ‘accidentally’ multicloud (through inadequate governance, M&A, or the like), rather than deliberately adopting a multicloud strategy.”  

Hyperscalers, including Amazon AWS, Microsoft Azure and Google Cloud Platform, offer full-stack support for Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS), as well as extensive developer support and future roadmaps reflecting AI and machine learning (ML) expertise. 

As a result, enterprises adopt and stay with multicloud infrastructure strategies in order to have access to innovations hyperscalers are working on today. Developing the core set of skills needed to manage each hyperscaler is a continual challenge for many IT departments, however, as are the increased costs of a multicloud strategy resulting from reduced discounts.

Getting started with zero trust for multicloud tech stacks 

CISOs tell VentureBeat that one of the best ways to assure the success of a zero-trust network access (ZTNA) framework is to first clarify it for senior management and the board of directors where the boundaries are to implementation. Defining which hyperscaler partner will have responsibility for which area of the tech stack is table stakes. 

One of the best ways to accomplish this is using the Shared Responsibility Model. Many organizations rely on Amazon because of its clear approach to defining identity and access management (IAM). To create a ZTNA framework, organizations need to find IAM, PAM, microsegmentation and multifactor authentication (MFA) that can traverse each hyperscaler’s cloud platform.

Zero trust must be baked in to deliver results  

“Zero Trust requires protection everywhere — ensuring that some of the biggest vulnerabilities like endpoints and cloud environments are automatically and always protected,” Kapil Raina, vice president of zero trust, identity and data security marketing at CrowdStrike, told VentureBeat during a recent interview. ”Since most threats will enter into an enterprise environment either via the endpoint or via a workload, protection must start there and then mature to protecting the rest of the IT stack.”

Raina’s comments reflect how organizations can best approach securing multicloud tech stacks as part of a  ZTNA framework. Initial steps include the following:

Define the core requirements for an Identity Access Management (IAM) and Privileged Access Management (PAM) system that can span multiple hyperscalers.

Don’t settle for the IAM and PAM each hyperscaler vendor provides, even if they promise it can close gaps in multicloud configurations. Cyberattackers innovate faster than enterprises and, in many cases, faster than cybersecurity vendors. Take advantage of the pressure CISOs are putting on vendors to consolidate IAM, PAM and other core apps on a common platform. The cloud has won the PAM market and is the fastest-growing platform for the IAM system. The majority, 70%, of new access management, governance, administration and privileged access deployments will be on converged IAM and PAM platforms by 2025. 

Reduce and eliminate emergency security projects to fix broken and inaccurate multicloud configurations.

Acquired IT teams often get pulled into fire drills because integrations of multicloud tech stacks rarely go smoothly. Security misconfigurations can expose thousands of endpoints and lead to intrusions and breaches. Recent announcements by CrowdStrike, Google Cloud’s recent integration with Lacework and other developments underscore why cloud native application protection platforms (CNAPP) are needed today.

Scott Fanning, senior director of product management, cloud security at CrowdStrike, told VentureBeat that the company’s approach to Cloud Infrastructure Entitlement Management (CIEM) enables enterprises to prevent identity-based threats from turning into breaches because of on improperly configured cloud entitlements across public cloud service providers. One of the key design goals is to enforce least privileged access to clouds and provide continuous detection and remediation of identity threats.   

Consider expanding beyond the logging and monitoring apps each hyperscale offers so you can get a 360-degree view of all network activity.

On AWS, there’s AWS CloudTrail and Amazon CloudWatch that monitor all API activity. On Microsoft Azure, there’s Azure security logging and auditing and Azure Monitor. Leaders in cloud monitoring tools include AppDynamics, Datadog, New Relic, Dynatrace, Sumo Logic, PagerDuty and several others. 

Identify how an efficient audit can be performed on the multicloud tech stack early in the ZTNA roadmap.

The more regulated the business, the more audits look at how well data is secured, especially in multicloud configurations. The Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS) all require ongoing audits, for example. Providing the reporting and audit histories required by these and other regulatory agencies needs to start with understanding how multicloud integration plans are defined. Engineering compliance in right at the start of a multicloud integration effort saves millions of dollars and thousands of hours of manual reporting effort by automating each regulatory agency’s unique reporting requirements.

Multicloud tech stacks that include AWS instances don’t need an entirely new identity infrastructure.

Quite the contrary. Creating duplicate identities increases cost, risk, overhead and the burden of needing additional licenses. Existing Active Directory infrastructures can be extended through various deployment options, each with its strengths and weaknesses. And while AWS provides key pairs for access to Amazon Elastic Compute Cloud (Amazon EC2) instances, its security best practices recommend Active Directory or LDAP should be used instead.

Multicloud tech stacks are ‘in’  

Multicloud tech stacks are becoming more commonplace as mergers, acquisitions and private equity roll-ups create new businesses by merging existing ones. 

New businesses resulting from mergers, acquisitions and private equity roll-ups must enable smooth and rapid communication between departments to keep revenue moving. That’s why integrating tech stacks becomes a high priority. Closing the gaps between tech stacks needs to start with a solid ZTNA framework that delivers least privileged access to resources, treats every identity as a new security perimeter, and stops intrusion attempts without slowing down the company’s ability to get work done.