8 tips for mastering multicloud security

by John Edwards

Multicloud environments offer many benefits. Strong inherent security isn’t one of them.

A growing number of enterprises are adopting multicloud strategies, enabling them to run workloads in the most appropriate locations without adding unnecessary complexity. But there’s a catch. Multicloud environments may also expose security weaknesses, which can quickly negate many of its benefits.

Ensuring multicloud security is challenging for any organization, regardless of its scope or size. Fortunately, a few relatively simple techniques and common-sense security practices will go a long way toward keeping attackers at bay, ensuring a more secure and resilient multicloud environment.

To get maximum value out of your multicloud environment without risking enterprise security, consider the following eight top tips.

1. Build a centralized security authority

Security is ultimately a shared responsibility, observes Trevor Young, chief product officer at security services firm Security Compass. “Nevertheless, oversight and strategic direction for multicloud security should ideally sit with a centralized security team or a dedicated individual within your organization.” 

Whether it’s a team or a dedicated individual, this party will be responsible for defining an overall security strategy, establishing consistent policies and standards, selecting and managing cross-cloud security tools, and ensuring compliance across all cloud environments. “They will act as the orchestrator, working closely with individual application teams and cloud owners,” Young says.

2. Create unified security governance

A unified security governance model should be established, spanning all cloud environments and supported by centralized identity management, visibility, automation, and policy enforcement, advises Nigel Gibbons, director and senior advisor at security services firm NCC Group.

This approach, Gibbons says, minimizes complexity and silos by creating consistent security controls across cloud providers. “It reduces blind spots, enforces least privilege through centralized identity, such as Microsoft Entra ID or Okta, enables real-time threat detection, and streamlines compliance by applying the same standards regardless of the cloud platform,” he says.

A centralized cloud security team or Cloud Center of Excellence (CCoE), led by a CISO or cloud security architect, should address every security aspect, Gibbons says. “They should coordinate with DevOps, platform, and compliance teams to enforce consistent policies and oversee risk across environments.”

3. Expand your scope

Single-cloud security typically focuses on the specific security tools and services offered by that one provider, Security Compass’ Young says. “Over time, you become deeply familiar with their ecosystem.”

Multicloud security adds the extra complexity of dealing with different providers, each with their own unique security models, services, and terminology, Young notes. “You can’t just rely on the native tools of one cloud and expect it to cover everything.” A multicloud environment requires a broader, more vendor-agnostic strategy.

Many organizations adopt the native security tools of each provider with no cohesive strategy, Young says. This approach can lead to inconsistent policies, gaps in coverage, and difficulty in correlating security events across clouds. “It’s like having different security guards who don’t talk to each other protecting different parts of the same building — vulnerabilities are bound to slip through,” he says.

4. Construct a unified trust boundary

Stop thinking in terms of clouds at all, suggests Steve Tcherchian, CISO at security software and services firm XYPRO. “Treat every environment — whether AWS, Azure, on-prem, or legacy mainframes — as part of a single, unified trust boundary,” he advises. Build controls around identities, data flows, and context — not platforms. “The minute you architect security per cloud, you’ve already fragmented your control and you’ll have a challenge catching up.”

A unified trust boundary anchors security to constants — the user, the data, and the intent, Tcherchian says. “Clouds are just plumbing,” he states. “CISOs and security teams who obsess over cloud-native tools often end up duct-taping solutions together after the fact.”

5. Share responsibility

“Multicloud security should be a shared responsibility between the CISO, cloud architects, DevOps, and security engineering teams,” says Ensar Seker, CISO at threat intelligence and security operations provider SOCRadar. “Yet ultimate accountability should lie with the CISO, who must ensure that security policies are technology-agnostic, consistently enforced, and aligned with business risk tolerance,” he advises.