Boards & Governance
Wendy Luscombe Image
Wendy Luscombe
Independent board member specializing in risk management, climate issues and information/cybersecurity

What directors should know and ask about their company's multi-cloud strategy

April 2, 2024
0 min read
Female CISO presenting in the boardroom

Cloud computing has rapidly grown in the last decades, and it is estimated that 94% of U.S. enterprises use cloud services, 67% of enterprise infrastructure is now cloud-based, and 92% of businesses have a multi-cloud strategy in place or in the works.

It is almost unimaginable that a company does not use some form of cloud or hybrid cloud technology. Consequently, boards need to understand how their companies employ it and the vulnerabilities involved in their review of overall IT policy and information security.

The 4 main types of cloud services

Software as a service (SaaS) – Providers offer use of their software on applications running on a cloud infrastructure that can be widely accessed to end users. Examples are human resource and data management software such as Salesforce, Zoom, Adobe and Diligent Boards.

Platform as a service (PaaS) – Users have more control than with SaaS because they gain access to an operating framework and can develop, run and build their applications, libraries, data and services. Yet the network and operating systems are still controlled by the provider. Examples of PaaS services are Oracle Cloud Platform, Dropbox and the Diligent One Platform.

Infrastructure as a service (IaaS) – Users can architect an entire environment including networks, storage and computing using virtual machines and virtual storage, but with limited access to the provider’s firewalls. The provider can offer other services such as load balancing, monitoring and security. Examples of IaaS services are AWS EC2 and Microsoft Azure.

Anything as a service (XaaS) – This is a service model that does not fit into the other three categories and offers a more restricted service such as disaster recovery plans and monitoring as a service.

These are the main types of cloud services, but there are many others such as analytics as a service (AaaS) and desktop as a service (DaaS).

What is a multi-cloud strategy?

A multi-cloud strategy permits a company to use multiple cloud computing services offered by different service providers. This allows them to benefit from specialized business and technical services, pricing differentials and flexibility. It also reduces the exposures of being dependent on one vendor.

If a company operates a multi-cloud environment for these reasons, it is dealing with several cloud providers. It needs to coordinate them and provide safeguards and consider factors such as data governance, encryption, universal compliance support and centralized accessibility. Workload balancing between the various cloud providers can also be another factor.

This coordination and infrastructure of cloud service providers is known as cloud architecture. The mix of cloud technology creates a fragmented architecture that is fundamentally different from traditional networks. In addition, some organizations use a hybrid cloud structure which is a combination of an on-premises infrastructure and/or private or public clouds.

Where are the weaknesses, and what questions should boards ask?

A board should be aware of the security vulnerabilities possible with the multi cloud model. Here are some of the main challenges:

1. Data loss and leakage

Data vulnerabilities are the chief concern amongst cybersecurity professionals. This includes privacy and breaches of confidentiality.

Healthcare organizations are particularly sensitive to this concern because of HIPAA laws and special requirements. Each cloud provider has its own data policies, and access to the appropriate users and applications between each cloud can be a challenge to cloud security. The board should ensure that a single unified security system is in place across all its cloud providers and reinforce this for data going into the cloud with Zero Trust Architecture. (See note below.)

The board should ask, Does the company have the resources to do this either internally or externally, and are there any special laws and regulations, like HIPAA, that the company is subject to? Another question to ask is, Where are the physical locations the various cloud providers have their data centers and servers? For obvious reasons they should not be in the locality of any of the company’s main operations or in a politically sensitive country.

2. Setup misconfigurations

These can be a concern with different cloud architectures and with migrating workloads between clouds. Testing and review of the inter-cloud configurations should be undertaken regularly to minimize misconfigurations. Directors should ask, Does the company have a team or provider who can test and implement a very technical process? What are the testing protocols? For instance, is the configuration always tested after a new cloud provider is established or services between existing ones are changed?

3. Access authorization

A unified cloud security system will manage access and other security problems between clouds, but access to the data going into the cloud can also be controlled using Zero Trust Architecture. There are unified cloud protection platforms offered by vendors such as CrowdStrike and Microsoft Defender that will manage access between clouds. These protection platforms integrate cloud security, workload management and access management.

4. Shadow cloud

With multiple cloud providers and different protocols and services, users may set up unauthorized shortcuts for some of the services, or they may, without authorization, duplicate services in one cloud provider that are already being available from an authorized provider. Examples of shadow cloud use include sharing work files on a personal cloud storage account, holding meetings through an unauthorized video conferencing platform or creating an unofficial group chat without IT approval. Regular testing and employee training will help mitigate this. The board should ask, When was the last time the company did a thorough review of its cloud services and looked at duplications and shortcuts? When did it last conduct an employee training session on cloud protocols?

5. Costs

Although not technically a weakness, multiple cloud structures have multiple fees, cost structures and billing cycles. Then there is the cost of the unified cloud protection program if this is done externally. The board should check if there has been an audit of cloud fees and services to avoid duplicate services but still maintain service quality.

Cloud usage by corporations is growing both in the number and range of services. It is anticipated that the global cloud computing market is set to expand by a compound annual growth rate of 17.8% between 2023 to 2032*. It is definitely a subject that boards should be familiar enough with that they can understand as part of their company’s information technology strategy.

Note: Zero Trust Architecture — This architecture assumes that all users are untrustworthy and nullified until they can show authorized access. This is in stark contrast to traditional security models, which presume that bad actors are always on the untrusted side of the network.

*Acumen Research and Consulting – October 12, 2023


Your Data Matters

At our core, transparency is key. We prioritize your privacy by providing clear information about your rights and facilitating their exercise. You're in control, with the option to manage your preferences and the extent of information shared with us and our partners.

© 2024 Diligent Corporation. All rights reserved.