WHAT IS MULTICLOUD SECURITY?
Multicloud deployments have become a necessity for many organizations. As these deployments scale, security teams need to adopt a security approach that combines in-depth visibility, automation, adaptability, and cloud-specific threat intelligence.
Introduction
“Multicloud” applies to any organization that relies on more than one cloud service provider (CSP) to conduct business or supply essential services. A multicloud deployment could combine major CSPs, such as Google Cloud, Amazon Web Services (AWS), Microsoft Azure, or IBM Cloud, with other cloud providers that support various business functions and tools.
The multicloud approach has become a standard in most industries. One report found that 89% of surveyed organizations were deploying multicloud infrastructure in 2024. While this trend has benefitted the functionality, redundancy, and speed of many business operations, there is a concurrent challenge for security teams tasked with protecting these environments. SOCs must develop and implement a security strategy encompassing the entire multicloud environment and addressing the challenges and risks associated with these deployments.
What is multicloud security?
Multicloud security covers the monitoring of endpoints, data, networks, cloud infrastructure, applications, and tools, as well as identity and privilege management, compliance requirements, and related processes. CSPs provide significant protections for the infrastructure they operate. Under the shared responsibility model, however, cloud users remain responsible for securing the data, identities, configurations, tools, and processes they run within those environments.
Survey findings cited in this discussion:
- More than 80% of surveyed organizations use Azure and AWS cloud services, and 55% use Google Cloud.
- Most organizations report an increase in the number of buckets and storage containers they use in Azure (89%), AWS (84%), and Google Cloud (74%).
- 22.4% of surveyed organizations lack the requisite expertise to use AWS and Azure clouds securely.
- 30% of organizations are actively planning to decommission on-premises Active Directory as cloud legacy support improves.
- 49% of organizations have less than half of their cloud accounts covered by cloud-native application protection platform (CNAPP) solutions.
Multicloud security adds a further dimension: a unified view of all cloud deployments and of how users, identities, and workloads move between them. Each CSP provides its own distinct set of security tools, all of which the SOC must understand and complement with a proactive, holistic strategy.
Given the rapidly changing nature of cloud deployments and the persistence of threats, multicloud security must extend beyond prevention and will likely involve several types of security tools. Organizations also need response plans that anticipate breaches of cloud defenses and that build out their ability to monitor their environments, hunt for threats, and conduct forensic investigations.
Multicloud security challenges
Multicloud deployments are complex, dynamic, and subject to rapid change and expansion. This creates a variety of security risks and challenges that security teams struggle to manage, owing to growing workloads, resource shortages, and a lack of analysts with cloud-specific skills. When constructing a multicloud security strategy, most SOCs will need to consider how the strategy addresses challenges such as:
Rapidly changing cloud environments and tools
A primary benefit of cloud operations is the speed at which new instances and tools can be spun up or torn down based on specific business needs. But keeping track of how organizations and their employees are using services and tools is difficult from a security perspective. With ephemerality the norm rather than the exception, security teams often struggle to maintain oversight of one cloud environment, let alone a multicloud deployment.
Expanding attack surfaces
As organizations extend their cloud footprint, many assume greater risk of breaches related to insecure connections, unsecured assets, and code errors that give attackers exploit opportunities. A 2024 study found the average organization with multicloud deployments had 351 attack paths that attackers could use to reach valuable company assets.
Lack of visibility
Each cloud deployment is a hive of data in transit and at rest, running applications and APIs, access points, users, and connected devices. Keeping track of all these assets and processes is a difficult monitoring task; security teams must collect and correlate logs from a variety of systems, which easily creates blind spots.
Negotiating CSP security controls
Each cloud provider works off its own version of the shared responsibility model. Moreover, providers regularly introduce new services and products, which are subject to frequent updates and provider-specific conditions. Staying current with each provider’s offerings and conditions places another tax on the time and energy of the security teams tasked with monitoring cloud deployments.
Data protection
Data breaches are among the most common, and most costly, security incidents for organizations of all types. The multicloud environment amplifies the challenge of protecting data: more, and more varied, cloud deployments create greater potential for misconfigurations, insufficient access controls and security settings, and more complex networks in which data can be lost, captured, or ransomed by malicious actors outside or inside the organization.
Evolving cloud-specific security threats
Attackers are well aware of the prevalence of multicloud operations and have shifted their tactics to exploit potential weaknesses. They may target user credentials and CSP trust relationships to move from one cloud environment to another. They exploit errors in access controls and APIs, download malicious files or modules onto cloud infrastructure, and use other attack vectors. Increasingly, attackers hide their attack patterns and privilege escalations within normal cloud traffic, which is difficult to detect without the ability to analyze multiple sources of data.
What’s more, attackers are also developing methods for evading common security tools, such as endpoint detection and response (EDR) and cloud-native application protection platforms (CNAPP), using PowerShell scripts, Windows Management Instrumentation (WMI), cloud exploitation frameworks such as Pacu, and other techniques that make their intrusions blend in with normal cloud traffic and workflows. A recent CISA advisory about over-reliance on EDR tools emphasized this reality.
How organizations can improve multicloud security
Multicloud security requires a multi-faceted approach involving effective policies, documentation, unified management, sound network architecture, identity and access management, and preventive controls such as next-generation firewalls, antivirus, and intrusion prevention systems. Security, however, is still bound by a fundamental reality: “You can’t protect what you can’t see.” One of the most critical aspects of multicloud security is visualizing the environment in a way that does not leave SOCs buried in data or constantly moving between dashboards and tools.
To expand visibility into cloud environments, enrich monitoring and detection capabilities, and deepen cloud defenses, SOCs can pursue a number of interrelated objectives:
- Monitor more than cloud flow logs. Flow logs are useful for assessing the overall performance and status of cloud networks, but they were not designed primarily for security monitoring and are often too shallow for teams who need to dig into network behavior. An AWS VPC flow log record, for example, carries addresses, ports, protocol, byte and packet counts, and an accept/reject verdict, so it can flag traffic to a known command and control (C2) address but cannot show the hostname, TLS certificate, or content behind a connection. SOCs must also review data from cloud control planes and other sources to determine quickly which hosts are communicating, when, and over what, and to investigate unusual activity. CSP-offered tools, while useful, do not always analyze data beyond what flow logs contain, which can leave significant visibility gaps.
- Automate processes. Multicloud environments scale too quickly and too broadly for security teams to monitor them without automating many tasks. Correlating logs across providers, for example, is one of the tasks that deepens visibility but is time-consuming and impractical for many SOCs without automation.
- Consolidate tools. A 2024 study found the average organization uses 16 cloud security tools from 14 security vendors, and 98% of respondents wanted to reduce those numbers. Keeping up with complex and rapidly scaling multicloud environments requires a more comprehensive approach, enabled by investing in tools that consolidate capabilities and workflows and give SOC analysts unified visibility across their clouds and the connection points between them.
- Access cloud-specific threat intelligence. Cloud-based attacks often rely on tactics, techniques, and procedures (TTPs) distinct from those used against traditional IT deployments. Multicloud security depends on intelligence and evidence focused on cloud-based threats and on the distinct challenges of protecting complex multicloud environments.
- Create cloud-specific threat detections. Security teams must deploy detections and alerts that are tuned regularly to focus on attacks common to multicloud deployments, such as data exfiltration, service enumeration, previously unknown C2 traffic, and living-off-the-land TTPs.
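To make the limits of flow-log visibility concrete, here is an added example (not Corelight code and not from the original page) that runs three of the detections named above over constructed AWS VPC Flow Log records in the default format: an indicator match against a hypothetical known-C2 address list, service enumeration (one source touching many internal address/port pairs, including rejected attempts), and large egress volume. The indicator list, thresholds, RFC 1918 definition of "internal", and sample records are all assumptions. Note that nothing in these records lets the code ask which hostname, certificate, or URI was involved; that is exactly the gap the text describes.

```python
"""Detections over AWS VPC Flow Log records in the default format.

Added example, not Corelight code. The records below are constructed; field
order follows the AWS default flow log format:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic). 10.0.1.15 talks to an address on
# the indicator list and ships ~9.8 MB to another external host; 10.0.1.22 probes
# six internal address/port pairs; the last line is a NODATA record.
FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.7 51234 443 6 42 6100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.9 51235 443 6 9000 9800000 1700000000 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.8 51236 5432 6 3 180 1700000010 1700000020 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 10.0.2.8 40001 22 6 1 44 1700000030 1700000040 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 10.0.2.8 40002 80 6 1 44 1700000031 1700000041 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 10.0.2.9 40003 3306 6 1 44 1700000032 1700000042 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 10.0.2.9 40004 6379 6 1 44 1700000033 1700000043 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 10.0.2.10 40005 9200 6 1 44 1700000034 1700000044 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 10.0.2.11 40006 8080 6 1 44 1700000035 1700000045 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

# Hypothetical indicator list; in practice fed by threat intelligence.
KNOWN_C2 = {"203.0.113.7"}

# "Internal" is defined as RFC 1918 here (an assumption); use your VPC/VNet CIDRs in practice.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_flow_log(text):
    """Parse default-format records, dropping NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA/SKIPDATA records carry no flow fields
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def known_c2_contacts(records):
    """The only C2 detection a flow log supports: a destination on an indicator list."""
    return sorted({(r["srcaddr"], r["dstaddr"]) for r in records if r["dstaddr"] in KNOWN_C2})


def service_enumerators(records, min_targets=5):
    """Sources touching many distinct internal (address, port) pairs; REJECTs count too."""
    targets = defaultdict(set)
    for r in records:
        if is_internal(r["dstaddr"]):
            targets[r["srcaddr"]].add((r["dstaddr"], r["dstport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def large_egress(records, threshold_bytes=5_000_000):
    """Accepted internal-to-external flows whose byte total meets the threshold."""
    out = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT" and is_internal(r["srcaddr"]) and not is_internal(r["dstaddr"]):
            out[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return {k: v for k, v in out.items() if v >= threshold_bytes}


if __name__ == "__main__":
    recs = parse_flow_log(FLOW_LOG)
    print("known C2 contacts:", known_c2_contacts(recs))
    print("service enumerators:", service_enumerators(recs))
    print("large egress:", large_egress(recs))
```

Each detection here keys purely on addresses, ports, and byte counts, because that is all a flow record contains; the 9.8 MB egress flagged above could be a backup to a legitimate bucket or an exfiltration over TLS, and the record cannot tell you which. Answering that requires control-plane data or packet-derived metadata such as the TLS server name and certificate.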
Network detection and response can improve multicloud security
Visualizing what happens at the network level is as critical to multicloud security as it is to traditional IT deployments. Cloud security solutions that help SOCs monitor traffic within each cloud deployment in real-time can provide a significant assist, especially when they can help reduce the complexity of the security stack and create a more holistic view of the threat landscape.
Network detection and response (NDR) has emerged as a viable complement to cloud-native security tooling. While many NDR platforms pre-date the cloud’s exponential growth in the private and public sectors, vendors have built out capabilities that apply to, and in some cases are specific to, cloud use cases. Leading solutions are also designed to complement and integrate with cloud-specific security tools such as cloud workload protection platforms (CWPP), cloud security posture management (CSPM), and CNAPP, as well as identity and access management, privilege management, and data management tools.
Advanced NDR solutions can deliver in-depth visibility into cloud networks, as well as into the control and data planes, containers, serverless environments, and other aspects of dynamic, often ephemeral multicloud environments. Through packet mirroring, packet brokers, and traffic cloning, they can deliver comprehensive, enriched telemetry that establishes a “ground truth” about how hosts and users behave within cloud environments, going much deeper than VPC flow logs.
NDR’s benefits to multicloud security can also include:
- Network detection and response can incorporate many monitoring, alerting, and reporting functions within a single framework and reduce tool sprawl. As a pillar of the SOC Visibility Triad, it complements EDR, security information and event management (SIEM) and data lakes, extended detection and response (XDR), and other solutions common in multicloud and hybrid cloud environments. Cloud-capable NDR will often integrate with CSPM, CWPP, and other cloud-native security solutions.
- NDR platforms can support centralized monitoring and metadata extraction from multiple cloud deployments through strategic sensor placement, without over-provisioning cloud resources. Coupled with the ability to correlate data flows, these features give NDR an elastic, scalable design suited to expanding multicloud deployments.
- In addition to helping with the documentation necessary to prove compliance around data usage and other regulatory requirements, NDR’s monitoring capabilities can reveal shadow IT and help SOCs determine if the organization is using cloud tools and services in ways that increase cyber-risk.
- Enriched network metadata generated and synthesized by NDR platforms can expedite the detection and disruption of cloud-specific threats and malicious tactics such as the use of command and control (C2) channels. It can also highlight behavioral anomalies that may require more investigation or provide a starting point for advanced threat hunting. By providing SOCs with more enriched evidence from cloud network logs, NDR can improve mean time to detect (MTTD) intrusions and increase the likelihood of faster incident resolution.
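As an added illustration of what enriched network metadata adds over flow logs (example code, not Corelight’s detection content and not from the original page), the following runs over constructed Zeek-format conn.log and ssl.log records using standard Zeek field names. It flags a host that connects to the same destination at a near-constant interval, a common C2 beaconing pattern, and then attaches facts from ssl.log that a flow log cannot provide: whether any TLS server name (SNI) was presented and whether the certificate was self-signed. The thresholds, the `validation_status` string, and the sample records are assumptions.

```python
"""Beacon detection over Zeek-format conn.log and ssl.log records (JSON lines).

Added example, not Corelight's detection content. Records are constructed and
use standard Zeek field names; thresholds are assumptions for illustration.
"""
import json
import statistics
from collections import defaultdict

_BASE = 1700000000


def _conn(uid, ts, orig, resp, port):
    """One constructed conn.log record; the uid is what links it to ssl.log."""
    return {"ts": ts, "uid": uid, "id.orig_h": orig, "id.orig_p": 50000 + (ts % 1000),
            "id.resp_h": resp, "id.resp_p": port, "proto": "tcp",
            "service": "ssl" if port == 443 else "-", "orig_bytes": 512,
            "resp_bytes": 1024, "conn_state": "SF"}


# Constructed traffic: 10.0.1.15 opens TLS to 198.51.100.9 every ~60 s with small
# jitter (a beaconing pattern); 10.0.1.30 makes irregular database connections.
_JITTER = [0, 1, -1, 0, 1, 0, -1, 1]
_records = [_conn(f"Cbeacon{i}", _BASE + 60 * i + j, "10.0.1.15", "198.51.100.9", 443)
            for i, j in enumerate(_JITTER)]
_records += [_conn(f"Cdb{i}", _BASE + t, "10.0.1.30", "10.0.2.8", 5432)
             for i, t in enumerate([0, 5, 130, 131, 400, 900, 905])]
CONN_LOG = "\n".join(json.dumps(r) for r in _records)

# Constructed ssl.log entries for the first two beacon connections: no SNI (Zeek
# omits unset fields such as server_name) and a self-signed certificate. The exact
# validation_status wording comes from OpenSSL and varies by version; assumed here.
SSL_LOG = "\n".join(json.dumps({
    "ts": r["ts"], "uid": r["uid"], "id.orig_h": r["id.orig_h"], "id.orig_p": r["id.orig_p"],
    "id.resp_h": r["id.resp_h"], "id.resp_p": r["id.resp_p"], "version": "TLSv12",
    "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "subject": "CN=localhost",
    "issuer": "CN=localhost", "validation_status": "self signed certificate",
}) for r in _records[:2])


def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def beacon_candidates(conns, min_conns=6, max_cv=0.1):
    """Flag (orig, resp, port) tuples whose inter-connection gaps are nearly constant.

    Returns {tuple: mean interval in seconds}. The coefficient of variation of the
    gaps is the periodicity score; production logic would also weigh data volume.
    """
    times = defaultdict(list)
    for c in conns:
        times[(c["id.orig_h"], c["id.resp_h"], c["id.resp_p"])].append(c["ts"])
    found = {}
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            found[key] = round(mean, 1)
    return found


def enrich_beacons(conns, ssl_records, **kwargs):
    """Attach TLS facts from ssl.log to each beacon candidate: SNI seen, self-signed?"""
    by_resp = defaultdict(list)
    for s in ssl_records:
        by_resp[(s["id.resp_h"], s["id.resp_p"])].append(s)
    out = {}
    for (orig, resp, port), interval in beacon_candidates(conns, **kwargs).items():
        ssl = by_resp.get((resp, port), [])
        out[(orig, resp, port)] = {
            "interval_s": interval,
            "sni": sorted({s["server_name"] for s in ssl if s.get("server_name")}),
            "self_signed": any(s.get("validation_status") == "self signed certificate" for s in ssl),
        }
    return out


if __name__ == "__main__":
    for key, facts in enrich_beacons(parse_jsonl(CONN_LOG), parse_jsonl(SSL_LOG)).items():
        print(key, facts)
```

The periodicity check alone would fire on plenty of benign traffic (health checks, package mirrors); the point of the enrichment step is that the analyst sees the missing SNI and self-signed certificate in the same row as the interval, which is what lets a SOC triage a beacon candidate without pulling PCAP first.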
How Corelight’s Open NDR supports multicloud security
Corelight’s open network detection and response platform combines a robust network evidence and analysis platform with cloud sensors and integrations, making it a viable and powerful component of multicloud security. As a vendor-agnostic solution, Corelight complements most CWPP, CSPM, CNAPP, XDR, and SIEM platforms, and includes sensors for GCP, AWS, and Azure cloud infrastructure.
Our NDR capabilities can help SOCs improve multicloud security through core capabilities that include:
- Corelight’s sensors parse north-south and east-west traffic and enable security teams to identify all services within their cloud environments. Consistent network telemetry coupled with host data enrichment enables comprehensive visibility integrated with cloud control planes. Corelight collects detailed network metadata (e.g., HTTP headers, DNS queries, SSL certificates and cipher suites, bytes transferred) and tracks network sessions, bridging blind spots between container runtime events. Corelight also enriches observed cloud traffic with additional metadata through our Cloud Enrichment and cloud app ID packages.
- The Corelight NDR platform leverages the open source community, MITRE ATT&CK mapping, and our own research to provide threat detections and intelligence that can detect and disrupt attack TTPs targeting cloud infrastructure, such as lateral movement, data exfiltration, C2 channels, and attacks initiated with cloud exploitation frameworks. Corelight evidence can help security teams detect cloud hosts that reach out to or access multiple services, and other behavioral anomalies that may indicate stealthy attack patterns.
- Corelight’s SaaS solution, Investigator, automates workflows and includes customizable dashboards that expedite and simplify alert triage and make raw network data and packet capture (PCAP) accessible in a few steps. The platform also includes ML-based summaries, interactive visual timelines, and triage history to make incident response more comprehensive, targeted, and efficient.
- Corelight’s enriched data helps investigators correlate suspicious or anomalous traffic with specific cloud actions, account movements, and container processes, leading to faster, more accurate threat detection and response.
To learn more, visit our Cloud Security Solutions page, learn about our Cloud Sensors, or schedule a demo today.