It’s not just users who benefit from cloud services. Service providers benefit as well. Done right, software-as-a-service (SaaS) has all the multitenancy functionality that makes managing and maintaining a customer base a snap. Just as importantly, it makes you — as a channel partner — more competitive in this cloud-first world. Cloud services are typically low-touch and low-cost — eliminating trips to customer locations and even remote troubleshooting, providing cost savings that can be passed on to the customer.
As with any solution, the cloud expands the potential attack surface. But because of its dynamic elasticity and scalability, and the fact that each cloud environment runs differently, cloud — and especially multicloud — deployment introduces a new level of complexity into securing an organization. Part of the issue is that a multicloud strategy is rarely ever planned. It’s usually something that happens organically, to address an emergent need. And worse, the IT team usually only comes in after the fact to retrofit a security strategy.
It all starts innocently enough with an employee using an Office 365 document, someone else subscribing to Dropbox, another employee uploading a document onto Google Drive to share and someone else creating a website using the public cloud.
All of a sudden, your customers are consuming services from four different cloud providers. And that’s just the tip of the iceberg. Because of the ease of creating a cloud network — basically, anyone with a credit card can set one up — lines of business may even have their own cloud infrastructures in place to develop or run applications or to offload compute requirements. Often, this is the result of an implicit approval to leverage the cloud to meet digital transformation requirements. Industries that rely heavily on technology, such as manufacturing, high-tech and telecom, are being led by executive management to become 100% cloud, including infrastructure and applications.
And, exposure to risk increases with each cloud app an employee logs onto. If a breach of one of those apps occurs, the security team now faces the risk of information not being controlled by corporate IT becoming publicly available. It’s the nature of distributed information to lessen visibility, leading inevitably to a situation where the security risk level is unknown or, worse, nonexistent.