Click to learn more about author Keith Neilson.
Multi-cloud is positioned to take over this year, as over 90% of enterprises worldwide are expected to depend on a blend of on-prem/dedicated private clouds, multiple public clouds, and legacy platforms by 2022. While countless organizations are racing to incorporate the cloud into their business model, this push is leaving many businesses unprepared for the significant task of incorporating a multi-cloud strategy into existing operations. As it’s not in the best interest of public cloud providers to suggest the use of multiple clouds, many of these companies are left without guidance for their migration. Consequently, many businesses lack direction and end up spending too much money, time, and resources on failing deployments, without any insight into why they are unsuccessful.
Below, I will discuss three mistakes that can ruin your multi-cloud project – and how to best avoid them.
Mistake #1: Prioritizing singular configurations rather than overall risk management
Businesses that attempt the move to multi-cloud will undoubtedly face an ever-evolving risk: complexity. Without making an effort to understand the differences between clouds, companies are setting themselves up for misconfiguration. In the event of a bad actor infiltrating the IT environment, any gap in security, such as failing to remove an old account, can result in a cyber criminal stealing your data. Some misconfigurations are all too common, such as:
- Lack of access restrictions, such as an unsecured or passwordless AWS S3 storage bucket
- Absence of data protection, such as unencrypted personal information (PCI, social security numbers, and more)
- Allowing users broader access than they absolutely need to do their job
A multi-cloud strategy only increases the likelihood of experiencing one of these errors. The complexity of multiple clouds gives threat actors a larger attack surface, and a greater number of services means a higher chance of a misconfiguration or data leak. Centralized visibility and management are necessary to combat risk and ensure protection and compliance across multi-cloud environments.
Proper governance requires a full view of the cloud, complete with resource consumption, how new services are accessed, and systems in place for risk mitigation, including data and privacy policies and processes. Rather than a cyclically executed process, risk management must be continuous and contain various coordinated actions and tasks in order to oversee and manage risks. An ecosystem-wide framework going beyond traditional IT is necessary for proper risk management.
Enterprises must therefore prioritize training and awareness within their organization, teaching team members how to securely use multiple cloud services. In order for governance to be effective, security must be a vital part of company culture. Ideally, alongside this culture change and education, businesses can adopt appropriate, purpose-built tooling that reduces the effort needed to manage, monitor, and regulate risk.
Mistake #2: Migrating without a comprehensive view of all infrastructure and applications within the IT landscape
As enterprises look to modernize and migrate applications to the cloud, many wish to take advantage of multi-cloud’s scalability, flexibility, and services from multiple cloud providers. However, updating complex applications and legacy architecture can make creating an accurate migration roadmap difficult to achieve.
Factors such as deciding which applications should move to the cloud, their placement in each environment, and the cost of migration and management are a few significant challenges in migration planning. Success in this area is often hindered by:
- Complexity, particularly with legacy technologies
- Absence of internal and external knowledge of application dependencies
- Overlooked costs and inaccurate TCO analysis
- Various toolsets with disparate data sources lacking the information to provide actionable insight
- Security and compliance issues from shadow IT sources and dependencies
- Technical debt from lift and shift or inaccurate application refactoring
While it is the whole IT team’s duty to protect the enterprise and its data, training personnel to comprehend the nuances of multiple cloud providers can be especially taxing. Reaching the ideal level of understanding requires time and investment, including creating a security plan, educating employees, and establishing an environment of secure infrastructure and processes. In cloud adoption, staff duties should carry over to the new environments so that security still covers all bases. Although Data Governance is usually handled by database administrators, these responsibilities should still be documented with step-by-step checklists. Additionally, businesses should consider cross-training additional staff as soon as it makes sense in order to further secure the environment.
Successfully migrating to the cloud requires a clear vision of the entire IT estate spanning the infrastructure, applications, and how those workloads are connected. To avoid migrating prematurely, enterprises should leverage a cloud governance platform providing a holistic end-to-end view of the entire application landscape.
Mistake #3: Allowing self-service cloud access without identity and access guardrails in place
According to Gartner, 90% of organizations that cannot control public cloud use will inappropriately share sensitive data by 2025. The shared security model is an inherent part of leveraging public cloud infrastructure. While power users at cloud-centric companies need self-service access to the cloud in order to remain agile, allowing that access can augment risk. Without security guardrails in place, businesses are constantly putting themselves at risk of a misconfiguration with disastrous security and compliance consequences.
Many organizations overlook identity and access governance when assessing public cloud controls. Enforcing a least-privilege security model can be especially difficult when dealing with hurdles like access sprawl and inconsistent policy frameworks spanning both on-premises and cloud environments. To reduce these risks, companies should leverage identity and access management guardrails in the cloud to keep track of user access and visualize access paths to gain insight into user policies and permissions.
Making Migration a Success
As multi-cloud continues to grow in popularity, it is still an evolving science. Although complex, it has been heralded as the way of the future, with Gartner expecting multi-cloud strategies to reduce vendor dependency for two-thirds of organizations by 2024. Its benefits are obvious: the ability to avoid vendor lock-in, optimize cost performance, and increase reliability by distributing resources in the event of an IT disaster. These appeals have many organizations believing that multi-cloud is the answer to their infrastructure needs.
However, a failed migration can cost companies significant time, money, and resources. Transitioning to multi-cloud requires in-depth planning and knowledge of each environment to guarantee a seamless move. A comprehensive governance and security plan is necessary to ensure sensitive data remains secure from hackers. Without planning ahead and educating staff on the unique capabilities and nuances of each cloud, any multi-cloud project can be doomed before it’s even begun. By taking heed of these three errors, enterprises can expect a smoother transition to multi-cloud and enjoy all it has to offer post-migration.