{"id":3817,"date":"2025-07-03T07:00:00","date_gmt":"2025-07-03T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3817"},"modified":"2025-07-03T07:00:00","modified_gmt":"2025-07-03T07:00:00","slug":"5-multicloud-security-challenges-and-how-to-address-them","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3817","title":{"rendered":"5 multicloud security challenges \u2014 and how to address them"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

A multicloud environment is now standard for midsize and large organizations, with tech leaders opting to use multiple cloud providers for the improved flexibility, resiliency, and additional advantages that operating in multiple clouds brings.<\/p>\n

But a multicloud approach also comes with challenges, particularly when it comes to security.<\/p>\n

In fact, CISOs listed managing multicloud and hybrid cloud as one of their organization\u2019s biggest cybersecurity challenges, according to the 2025 Cloud Security Report<\/a> from Check Point Software Technologies. It came in No. 3, after safeguarding high-value assets and intellectual property and enhancing threat visibility and detection.<\/p>\n

Securing a multicloud environment isn\u2019t a singular challenge, however; it\u2019s a whole host of them. Here is a look at the five most significant challenges CISOs and their teams face in this space.<\/p>\n

1. Achieving adequate visibility across all clouds<\/h2>\n

This challenge tops the list for many security leaders.<\/p>\n

Experienced CISOs acknowledge that getting an accurate and complete picture of the IT environment has long been a tough task \u2014 whether it\u2019s all on prem or all in the cloud. But they stress the job is more complicated and complex in an environment that sprawls across multiple cloud providers.<\/p>\n

That sprawl makes it harder for CISOs to \u201chave confidence that they\u2019re looking across the environment holistically, that they\u2019re looking for all the right things, and that there isn\u2019t some security piece that they\u2019ve overlooked,\u201d says Randy Armknecht<\/a>, who as a managing director at consultancy Protiviti leads its global infrastructure, cloud, and security engineering practice.<\/p>\n

CISOs, of course, have some visibility across all their cloud deployments. Indeed, they may even have great visibility into one of their cloud environments \u2014 typically the first cloud the organization adopted, because they had invested heavily in training their teams to use that provider\u2019s observability tools when they first made the move to that cloud.<\/p>\n

However, CISOs frequently lack the resources \u2014 time, skills, and tools \u2014 to extend that visibility into the other cloud setups as their organization expanded, Armknecht says.<\/p>\n

And even if CISOs and their teams are well versed in the observability tools provided by each cloud provider, they typically still struggle with managing information from those multiple tools, he adds.<\/p>\n

\u201cMost security practitioners feel more at home in one cloud than the others, and they may feel really good about one of them, but they do not have the same level of confidence about the others,\u201d Armknecht explains.<\/p>\n

Technology advances are helping CISOs overcome this challenge. Armknecht points to tools such as cloud-native application protection platforms (CNAPPs)<\/a> that offer multicloud observability.<\/p>\n

He sees the use of such tools as an imperative. \u201cI\u2019m a fan of getting full visibility as quickly as you\u2019re able. I would not want to be at the table being asked why we didn\u2019t know about a problem that led to a breach,\u201d he says.<\/p>\n

2. Balancing the ease of a uniform security program with the benefits of a provider-specific approach<\/h2>\n

Some CISOs opt to have a single security program for their entire cloud environment while others take a cloud-specific approach. Each strategy has pros and cons, says Wolfgang Goerlich<\/a>, IANS Research faculty and a public sector CISO.<\/p>\n

\u201cIf you\u2019re treating all clouds the same, if you have a unified security program, then that means you\u2019re not using the native security tools and you\u2019re not driving the value out of each cloud. And not all solutions will pull in data [from each cloud provider] with fidelity, and not all apps will be as granular as the native tools,\u201d he explains. \u201cBut if you go native, if you do a deep dive into each cloud, you add more tech and you probably won\u2019t have teams who can work across the different clouds, so you create more challenges with processes, staff, and technology.\u201d<\/p>\n

Goerlich doesn\u2019t list one option as better than the other but instead stresses the need to weigh the benefits and drawbacks of each one when devising an enterprise security plan.<\/p>\n

\u201cIt\u2019s all about the tradeoffs,\u201d he says. \u201cYou can organize your team by cloud to drive more value from native capabilities, or have your team know enough about each cloud to effect change, or take it to a high level and not use the native tools.\u201d<\/p>\n

3. Falling short on the breadth and depth of skills required to secure multiple clouds<\/h2>\n

Securing multicloud environments requires more skills than the skills needed to secure a homogenous environment \u2014 a requirement that adds more stress onto CISOs who are already struggling to keep up with all the skills now needed to protect a modern enterprise.<\/p>\n

Moreover, the skills the team does have tend to be unevenly distributed.<\/p>\n

\u201cMost companies lean into one cloud and their skills hone in on that one cloud provider, but that means they lack the skills for the others,\u201d says George Gerchow<\/a>, faculty at IANS Research and CSO at Bedrock Security.<\/p>\n

For example, a team skilled at collecting logs from AWS may not have the aptitude to confidently handle the same task in Azure and vice versa, he says. \u201cEven at a high level, the logs themselves are different from cloud provider to cloud provider. How you ingest all the right logs to do security investigations as well as how you find security vulnerabilities is different,\u201d Gerchow explains.<\/p>\n

Having a well-thought-out security strategy to balance the ease of a uniform security program with the benefits of a provider-specific approach (Challenge No. 2) can help identify the needed skills.<\/p>\n

Then CISOs need a solid training program to ensure staff members have the skills they need to successfully execute the strategy across the multicloud environment and with each cloud provider, Gerchow says. In other words, CISOs must invest enough in getting their people trained to work effectively in each cloud used by the organization.<\/p>\n

4. Getting configurations right<\/h2>\n

Getting configurations right in any environment is a difficult task, but security leaders say both the scale and the scope of a multicloud environment make that task exponentially more challenging, according to Gerchow. That\u2019s because each cloud provider has its own set of services, APIs, and management interfaces, as well as its own rules and systems for managing configurations.<\/p>\n

Taken all together, that puts more stress on security teams, who must not only learn and master all the cloud-specific tools and techniques but also keep track of which tools and techniques apply to which cloud provider to ensure they don\u2019t make a configuration mistake.<\/p>\n

Mistakes are common: The 2024 Cloud Security Report from Check Point<\/a> found that 23% of survey respondents who had experienced a public cloud security incident blamed misconfigurations. Common misconfigurations<\/a> include overly permissive access controls, exposed storage buckets, unencrypted data, and inadequate network segmentation \u2014 all of which can lead to data breaches and unauthorized access.<\/p>\n

5. Getting identity and access management right<\/h2>\n

CISOs face similar challenges with identity and access management (IAM)<\/a> in a multicloud environment, says Jeffrey Brown<\/a>, former CISO for the State of Connecticut and now a cybersecurity advisor for financial services and state government at Microsoft.<\/p>\n

To be clear, CISOs struggle with IAM in an on-prem and single-cloud environment, too. But they face more challenges in getting IAM right in a multicloud environment because they must work across the different cloud providers, each with their own IAM systems, operating models, policies, and procedures. And they must manage user identities, roles, and access control mechanisms for each cloud.<\/p>\n

All this gives CISOs exponentially more to track and manage.<\/p>\n

Moreover, multicloud environments also have more nonhuman entities<\/a> (such as APIs and services) that must be managed across multiple clouds, too, further adding to the complexity<\/a> and scale of IAM in a multicloud environment.<\/p>\n

And, of course, each identity has to be managed over its lifecycle \u2014 further compounding the size of the challenge. All this can \u2014 and often does \u2014 lead to inconsistent policies, as well as inconsistent monitoring and enforcing of access controls.<\/p>\n

The challenge is so significant that Brown lists identity and access management as the No. 1 challenge security teams face in a multicloud environment. However, it\u2019s not an insurmountable problem, he says.<\/p>\n

\u201cIf you don\u2019t have a formal program, then formalize it. You need a named executive in charge of the program, whether it\u2019s you as CISO or someone else. It can\u2019t be nobody,\u201d he says. Implement \u201cstrong authentication everywhere and a comprehensive, unified strategy.\u201d<\/p>\n

CISOs who struggle here should start small, he adds, focusing on privileged users who have higher-level access to systems and data within an organization than standard users and who, as a result of that higher-level access, are more frequently targeted by hackers.<\/p>\n

See also: <\/strong><\/p>\n

8 tips for mastering multicloud security<\/a><\/p>\n

Multicloud security automation is essential \u2014 but no silver bullet<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

A multicloud environment is now standard for midsize and large organizations, with tech leaders opting to use multiple cloud providers for the improved flexibility, resiliency, and additional advantages that operating in multiple clouds brings. But a multicloud approach also comes with challenges, particularly when it comes to security. In fact, CISOs listed managing multicloud and […]<\/p>\n","protected":false},"author":0,"featured_media":3818,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3817","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3817"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3817"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3817\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3818"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3817"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3817"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3817"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}