(More) Clarity in the Clouds – What’s Needed to Secure Multi-Cloud Environments


Every cloud provider has its own architecture, security model and service.

According to a recent report, most large enterprises across industries (92%) now use or intend to use multiple cloud providers, and government agencies are no exception. Multi-cloud environments enable agencies to choose the best cloud for each workload, control costs and avoid vendor lock-in. 

These are important attributes to help the federal government continue to migrate off unsecured and inefficient legacy systems. However, the downside is that every cloud provider has its own architecture, security model and service. That reality—coupled with legacy security approaches, including virtual private networks and firewalls—creates management and security challenges for agencies as they build a cohesive, efficient and secure multi-cloud environment. 

The three top challenges agencies experience include:

  1. Ensuring consistent visibility and control across varied cloud environments. Often, security tools are not integrated across on-premises and cloud environments, creating a management nightmare. Security teams must manually triage alerts across multiple environments, leading to alert fatigue and difficulty understanding real risk. In addition, increased use of agile development processes can mean that security teams lose visibility into the infrastructure. Continuous development, testing and deployment can lead to infrastructure misconfigurations, compliance violations and other risks that slip through the cracks.
  2. Connecting remote users and offices to cloud resources. Legacy approaches, such as VPNs, are designed to connect devices to networks rather than users to applications. Unfortunately, when applications move to the cloud, this network-based approach keeps security tethered to the data center and requires poking holes in firewalls and exposing applications. Making matters worse, VPNs provide a sluggish user experience, as they backhaul cloud traffic through the data center.
  3. Securing exposed attack surfaces and reducing lateral threat movement. With phishing attempts up 110% among government organizations in 2021, according to Zscaler’s 2022 ThreatLabz Phishing Report, agencies must reduce the attack surface and limit lateral movement. Network-centric security means that once users are granted access, they can go anywhere, which dramatically expands attack surfaces across the traditional corporate network and the public cloud. Lack of visibility into user movements on the network—VPNs provide none—further compounds the IT team’s security challenges. 

Looking to the leaders

Federal agency initiatives are working to improve multi-cloud security and visibility. Technology Modernization Fund awards, for example, will pay for security upgrades to the Department of Agriculture’s primary network, stand up a multi-cloud security operations center at the Federal Trade Commission, and modernize the Department of Homeland Security’s information sharing network. 

Federal Chief Information Officer Clare Martorana said the awards “aggressively invest in defenses and shift from outdated perimeter-based defenses to a zero trust approach that confronts our adversaries’ capabilities and intent.”

Improve visibility, improve security 

To improve visibility and security across multi-cloud environments, agencies can employ the following methods: 

  1. Embrace zero trust. A holistic zero trust strategy minimizes security risks while enabling access to agency resources, improving performance and reducing costs and complexity. It begins with validating user identity—combined with business-policy enforcement that is based on contextual data from a user, device, app, or content—to deliver authorized direct access to applications and resources. This means it makes private apps invisible to the internet while only allowing authorized users to access them. In addition, because there is no VPN, the corresponding complexity and poor user experience can be avoided entirely.
  2. Integrate security into DevOps. Strong collaboration among the IT, development and security teams is essential. A DevSecOps approach embeds security while the new software is being developed—not as an afterthought.
  3. Normalize remote and in-office user experiences. A direct-to-cloud and direct-to-internet architecture simplifies multi-cloud connectivity by eliminating backhauling and route distribution. It can enable fast, reliable connectivity from anywhere and on any device.
  4. Manage multiple cloud environments on a single platform. Cross-cloud visibility is enabled with an integrated platform that simplifies operations and troubleshooting. It should cover all services, configurations, workloads and data with a set of policies that is unified across providers and uses a single set of alerts—while allowing SecOps to visualize and analyze enormous amounts of security data across the entire cloud estate. 

With 20 years of cyber security experience, Danny Connelly is the chief information security officer for AMS Central and Public Sector at Zscaler. Previously, he was the associate CISO, operations branch chief, for the Centers for Disease Control and Prevention, where he was responsible for implementing operational capabilities to support incident response, forensics, cyber threat intel and insider threat functions.