Action Items for Multicloud Security Best Practices

Guidance abounds about cloud security -- apparently with little effect judging by the current state of ransomware and other attacks -- but sometimes the best advice from experts straight from the front lines is best presented in easily digestible chunks.

That's what Greg Shulz, founder of independent IT analyst firm Server StorageIO, did in a recent online tech presentation put on by Virtualization & Cloud Review, titled "What's Attacking Your Multicloud Today (and Probably Tomorrow)," which was part of a three-session half-day summit titled "Year-End Multicloud Security Check: The Top Threats to Your Multicloud in 2025," now available for replay thanks to the sponsors, Keeper Security, Druva and Fortinet.


The Shulz session is too long to reproduce here, but it does yield a boiled-down list of action items related to best practices for protecting multicloud implementations from cybersecurity exploits.

Let's look at some best practices action items pulled from the presentation that relate to topics ranging from Zero Trust to developers writing bug-free code.

Implement Zero Trust and strong security posture across multicloud environments
"Be suspicious," Shulz said. "The old way was, you know, trust yet verify. Now, today it is Zero Trust."

Zero Trust, like multi-factor authentication (MFA), is one of the go-to security approaches most often mentioned these days to fight ransomware and other exploits. It's basically a security framework approach that assumes no user, system, or device is inherently trustworthy, even those inside the network perimeter. Rather than relying on traditional perimeter-based defenses, Zero Trust operates on the principle of "never trust, always verify." This means access to resources is strictly controlled and continuously validated based on factors like user identity, device health, and contextual data, such as location and behavior.

The core idea is to minimize risk by granting access on a need-to-know basis and continuously monitoring for potential threats, regardless of whether the user or system is inside or outside the network. This approach often involves MFA, strict access controls, and segmentation of resources to limit the potential spread of threats. Zero Trust is designed to address modern cybersecurity challenges, including cloud-based environments and remote work setups, where traditional boundaries are no longer effective.
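The decision logic described above, as an added example written for this article (not code from the presentation or from any product): every request is scored on an explicit least-privilege grant, MFA, device posture, session freshness and a behavioural risk score, and being on the corporate network earns no trust by itself. The grant table, the 30-minute re-verification window, the 0-100 risk scale and its thresholds are all constructed assumptions.

```python
"""Illustrative Zero Trust access decision: identity, device health and context
are all checked on every request, with no inherent trust for the internal network.
Grants, thresholds and sample requests are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Least-privilege grants: user -> resource -> allowed actions (constructed sample)
GRANTS = {
    "alice": {"billing-db": {"read"}, "ci-secrets": {"read", "write"}},
    "bob":   {"billing-db": {"read"}},
}
REVERIFY_AFTER = timedelta(minutes=30)  # continuous validation window (assumed)
MAX_RISK = 70                           # behavioural risk threshold on an assumed 0-100 scale
SENSITIVE_ACTIONS = {"write", "delete"}


@dataclass
class AccessRequest:
    user: str
    resource: str
    action: str
    mfa_verified: bool
    device_compliant: bool   # result of an endpoint posture attestation
    source_network: str      # "corp", "vpn" or "internet"
    risk_score: int          # 0 (benign) .. 100 (hostile), from behavioural analytics
    last_verified: datetime  # when identity and device were last re-checked


def evaluate(req: AccessRequest, now: datetime) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every control is evaluated so that all
    failing conditions are reported, which is what a detection pipeline wants."""
    reasons = []
    # 1. Need-to-know: an explicit grant is required; network location never substitutes for it.
    if req.action not in GRANTS.get(req.user, {}).get(req.resource, set()):
        reasons.append("no explicit grant for action on resource")
    # 2. Identity strength: MFA is required everywhere, including on the corporate LAN.
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    # 3. Device health.
    if not req.device_compliant:
        reasons.append("device failed posture check")
    # 4. Continuous validation: a stale session must re-authenticate.
    if now - req.last_verified > REVERIFY_AFTER:
        reasons.append("session verification expired")
    # 5. Context: high risk blocks everything; sensitive actions from the open
    #    internet are held to a stricter threshold.
    if req.risk_score >= MAX_RISK:
        reasons.append("risk score above threshold")
    elif (req.action in SENSITIVE_ACTIONS and req.source_network == "internet"
          and req.risk_score >= MAX_RISK // 2):
        reasons.append("elevated risk for sensitive action from untrusted network")
    return (not reasons, reasons)


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Evaluate four constructed requests and return their decisions."""
    now = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=5)
    stale = now - timedelta(hours=2)
    cases = {
        "alice reads billing-db from corp, MFA, healthy device":
            AccessRequest("alice", "billing-db", "read", True, True, "corp", 10, fresh),
        "bob reads billing-db from corp without MFA":
            AccessRequest("bob", "billing-db", "read", False, True, "corp", 5, fresh),
        "alice writes ci-secrets from the internet with elevated risk":
            AccessRequest("alice", "ci-secrets", "write", True, True, "internet", 40, fresh),
        "bob writes billing-db with a stale session":
            AccessRequest("bob", "billing-db", "write", True, True, "vpn", 5, stale),
    }
    return {name: evaluate(req, now) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {name}  {reasons}")
```

The second case is the one that distinguishes this from perimeter thinking: the request comes from the corporate network and the user does hold a read grant, yet it is denied because MFA was not completed. The fourth case shows why all controls are evaluated rather than short-circuiting: the log entry carries both the missing grant and the expired session.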

Zero Trust, Shulz mentioned, is also instrumental in fighting AI-powered black hat exploits.

"So as I mentioned, the bad actors are using generative AI to up their game, which means that they're leveraging the technology," he said. "They are leveraging and exploiting the vulnerabilities, both those known but also those unknowns that we talked about, the advanced persistent threats. They're finding holes in, gaps in your security, your protection and your detection capabilities." He mentioned ways of probing and testing for denial-of-service attacks and other scenarios.

"How are you going to respond? Where are the weak spots? Are there vulnerabilities in your apps or in your browsers or in your APIs? Do you have a lack of patch and remediation up and down the entire stack and across your different platforms, and are they tested?"

Leverage CSPM tools to identify and remediate security misconfigurations across multi-cloud infrastructure
Cloud Security Posture Management (CSPM) tools are solutions designed to automate the process of identifying and mitigating risks in cloud environments. CSPM tools help organizations ensure their cloud configurations comply with security best practices, regulatory standards, and organizational policies.
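What such a tool does at its core, as an added example written for this article (not the logic of any CSPM product): a small inventory of storage, firewall and account resources from three providers has already been normalized into one schema, and a single rule set is run over it to produce prioritized findings with a remediation hint. The inventory, field names and severity levels are constructed assumptions; the point is that normalization is what lets one set of checks span clouds.

```python
"""Illustrative CSPM-style posture scan over a normalized multicloud inventory.
The inventory is constructed sample data whose provider-specific fields have
already been mapped to one common schema."""
from collections import Counter

INVENTORY = [
    {"id": "aws:s3:cust-backups", "provider": "aws", "type": "storage",
     "public": True, "encrypted": False, "logging": False},
    {"id": "azure:blob:finance-reports", "provider": "azure", "type": "storage",
     "public": False, "encrypted": True, "logging": True},
    {"id": "gcp:fw:allow-ssh", "provider": "gcp", "type": "firewall",
     "rules": [{"port": 22, "source": "0.0.0.0/0"},
               {"port": 443, "source": "0.0.0.0/0"}]},
    {"id": "aws:sg:web-tier", "provider": "aws", "type": "firewall",
     "rules": [{"port": 443, "source": "0.0.0.0/0"},
               {"port": 3389, "source": "10.0.0.0/8"}]},
    {"id": "aws:iam:root", "provider": "aws", "type": "account",
     "privileged": True, "mfa": False},
    {"id": "azure:user:breakglass-1", "provider": "azure", "type": "account",
     "privileged": True, "mfa": True},
]

ADMIN_PORTS = {22, 3389}            # remote-administration ports that must never be world-reachable
ANYWHERE = {"0.0.0.0/0", "::/0"}    # sources meaning "the whole internet"
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def check_storage(res):
    """Buckets/containers: public exposure, encryption at rest, access logging."""
    if res["public"]:
        yield "high", "publicly readable storage", "block public access at the account level"
    if not res["encrypted"]:
        yield "medium", "encryption at rest disabled", "enable default encryption"
    if not res["logging"]:
        yield "low", "access logging disabled", "enable access logs and ship them to a protected log store"


def check_firewall(res):
    """Security groups / firewall rules: admin ports open to the whole internet."""
    for rule in res["rules"]:
        if rule["port"] in ADMIN_PORTS and rule["source"] in ANYWHERE:
            yield ("high", f"port {rule['port']} open to {rule['source']}",
                   "restrict the source to a bastion or VPN range")


def check_account(res):
    """Privileged identities, root/owner accounts included, must enforce MFA."""
    if res["privileged"] and not res["mfa"]:
        yield "high", "privileged account without MFA", "enforce MFA and alert on any use of this account"


CHECKS = {"storage": check_storage, "firewall": check_firewall, "account": check_account}


def scan(inventory):
    """Run every applicable check and return findings, most severe first."""
    findings = []
    for res in inventory:
        for severity, issue, fix in CHECKS[res["type"]](res):
            findings.append({"resource": res["id"], "provider": res["provider"],
                             "severity": severity, "issue": issue, "remediation": fix})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


def summarize(findings):
    """Counts by severity, the number a posture dashboard tracks over time."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = scan(INVENTORY)
    for f in results:
        print(f"[{f['severity'].upper():6}] {f['resource']}: {f['issue']} -> {f['remediation']}")
    print(summarize(results))
```

Note what the firewall check does not flag: port 3389 limited to 10.0.0.0/8 and port 443 open to the world are both acceptable under this rule, so the scan reports only the world-open SSH rule. Keeping the rules narrow is what keeps a posture tool's output actionable rather than a wall of noise.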

Shulz mentioned the use of these tools and fielded a question about how organizations can optimally use them to identify and remediate security misconfigurations across a multicloud infrastructure.

"Yeah, that's a good one, in that using different tools with different acronyms all come into play to gain that insight," Shulz said. "You know, whether it's CSPM, whether MDR, XDR, EDR, whether you go right on down that list, it's having those tools. It's one thing to have the tools. It's another thing to actually be using them and leveraging them to gain that insight. What tools are available directly via your different cloud providers, and can those tools look multicloud and go deep and gain information and feed information to others?

"Then there are other different third-party tools. Yeah, that can allow you to look at different layers at different points of elevations, whether it's the network or at the server, the storage, or whether it's up at the moving up from the infrastructure as a service, or moving up into the paths or the SaaS. What are the different tools at the different layers that allow you to gain that insight, that awareness, but that can also be leveraged by different groups within your organization as part of feeding into overall dashboards, information centers, response centers?"

Incentivize developers to prioritize bug-free, secure code over rapid feature releases
Shulz fielded another question about a company with a focus on IT, operations, DevOps and associated areas to find and fix things collectively. "What role should our app developers be doing?" read the question.

"That's a good one," Shulz replied. "It ties back to earlier that question about, are we being used more as beta testers? And debuggers and stuff like that. And so on the one hand, the developers, they're under pressure to kick out these apps as fast as they can. Nothing really new there -- that's been going on for a long, long time. But part of it is that the organization needs to reward the organization, i.e. a company or entity, whatever you happen to be, is for finding errors, finding omissions, finding bugs, putting bug bounties out there that incentivizes workers to get their project done, that they've got a product release, that they've hit their PR, they've hit that objective so they get their check marks, but that it's also the fact that it's bug free, that they aren't in that race to get a PR out, that they're not cutting corners that come back to bite.

"Part of that, it's very much a cultural, there's financial aspects to it, but it's also a culture of work harder, work smarter. And it's not just about how many lines of code you can crank out. It's how many lines of productive, usable, bug-free, error-free, omission-free code out there. So I think those are some things that can move things along quite a bit, quite a ways. It's really a collaborative got to break down these walls where developers throw it over support puts it back now. They got to work together hand in hand."

Review policies and leverage technology to enforce them, rather than the other way around
In response to yet another question that read: "Is the solution to use the newest technology versus worry about people and policies?" Shulz replied, "A little bit of both."

He continued: "Use the new technology as well as old technology and new ways. So in other words, review your policies, and rather than focusing on the technology, leverage your policies to apply to the technology that then your technology is implementing your policies and what you want done. Your work -- the technology should be working for you, not you working for the technology."

Note that most of these action items resulted from submitted questions, and the ability to ask bona fide topic experts one-on-one questions is a primary benefit of attending such online tech events live (not to mention winning a raffle prize).


Also, the replay is well worth watching to benefit from Shulz's entire list of best practice insights, which he goes into in detail, including:

  • Cloud Security and Data Protection are a shared responsibility!
  • In general: Similar to your home or vehicle, check for unlocked and open doors, windows, and other entry points; also, who has keys or access? The same applies to clouds… who has access to data that can be used to get someone to provide something else or to go fishing, phishing, vishing, and other attacks to get credentials and info...
  • How strong is your cloud security and data protection posture?
  • How good is your cloud monitoring, logging, and remediation hygiene?
  • Do you have in-case-of-emergency break-glass access accounts?
  • Invest in and support your resources (people, HW, SW, tools, services)
    • Encourage workers to find and fix bugs, errors, and omissions
    • Educate and train workforce, invest in HW and SW tools
    • Leverage automation and smart management tools
    • Revisit, enhance, leverage your incident response center
  • Have an up to date recovery, restoration, and incident response plan
    • Workers are trained on what to do, and what not to do
    • Conduct continuing education and awareness, test the plans
    • Maintain your plan, enhance and refine it on an ongoing basis
  • Continually review and assess health and posture of your environment
    • Regular vulnerability scans, anomaly detection
    • Know what you have, where, how it is used and by whom
    • Good remediation hygiene from core to edge (HW, SW, FW, Devices)
    • Leverage red and blue team pen test across clouds, APIs, and gateways
  • Revisit your:
    • Network segmentation (logical, physical, virtual, micro, public, private)
    • Endpoint protection (Gateways, Firewalls, Apps, APIs, Services, Nets)
    • OUs, Roles, Policies, IAM, RBAC for inter- and intra-cloud access
    • Default configuration settings along with service provider defaults
    • Accounts, subscriptions, tenants, groups, and resources you have
    • How are you using resources, are you paying for resources not in use?
    • Testing of recovery and incident plans, remediation, and pen-testing
    • Are you protecting and preserving your logs and data protection data?