Emergent (In)Security of Multi-Cloud Environments

TL;DR

This paper analyzes the security vulnerabilities in multi-cloud environments, highlighting key risk areas like authentication and architecture, and provides a risk-based prioritization framework to help organizations allocate cybersecurity resources effectively.

Contribution

It introduces a risk analysis methodology for multi-cloud environments using industry-standard tools to identify and prioritize security mitigations.

Findings

Authentication and architecture are the highest risk areas.

Prioritization enables better cybersecurity budgeting.

Risk analysis guides effective mitigation strategies.

Abstract

As organizations increasingly use cloud services to host their IT infrastructure, there is a need to share data among these cloud hosted services and systems. A majority of IT organizations have workloads spread across different cloud service providers, growing their multi-cloud environments. When an organization grows their multi-cloud environment, the threat vectors and vulnerabilities for their cloud systems and services grow as well. The increase in the number of attack vectors creates a challenge of how to prioritize mitigations and countermeasures to best defend a multi-cloud environment against attacks. Utilizing multiple industry standard risk analysis tools, we conducted an analysis of multi-cloud threat vectors enabling calculation and prioritization for the identified mitigations and countermeasures. The prioritizations from the analysis showed that authentication and architecture are the highest risk areas of threat vectors. Armed with this data, IT managers are able to more appropriately budget cybersecurity expenditure to implement the most impactful mitigations and countermeasures.