Bottom Line: A business case for securing multicloud configurations needs to go beyond costs and benefits and recognize that public clouds lack advanced zero-trust features and unified reporting.

The pace at which enterprises want to pursue their digital transformation goals often outstrips the security of their infrastructure. This is especially the case when they rely on multicloud configurations. For example, each public cloud provider has its own version of Identity and Access Management (IAM), Privileged Access Management (PAM), policy management, admin and user access control configuration, and more.

The typical enterprise needs domain experts for each public cloud it integrates with. That's why heavy investment in training needs to be one of the costs enterprises get right when creating a business case for multicloud security. Another reason for prioritizing training is that data integration in multicloud configurations often increases the complexity of the data itself, making data consumption, security and compliance more complex. The greater the data complexity, the greater the risk of misconfiguration breaches.

Invest in people first 

Cyberattacks on multicloud configurations succeed more often because of human error than because of other factors. For instance, 82% of data breaches involve mistakes in configuring databases and administrator options, accidentally exposing entire networks to cybercriminals.

What makes multicloud so challenging to get right from a security standpoint is its dependence on training people and keeping them current on new integration and security techniques. In addition, the more manual the hybrid cloud integration process, the easier it is to make an error and expose applications, network segments and storage.

Multicloud security business cases need to start with intensive cloud security training, including offering to pay for security certifications for members of the IT and security teams. A core part of any business case for multicloud security needs to budget enough time and funding to turn training and configuration knowledge into a strength. 

Defining multicloud security's benefits 

Building a business case for multicloud security needs to start by auditing all cloud configurations. Making auditing the first step helps immediately identify configuration gaps. It's a good idea to build the business case for multicloud security on core zero-trust principles and on the data obtained from auditing multicloud configurations. The Shared Responsibility Model is a commonly used framework for explaining which areas of multicloud security are owned by the cloud provider and which by the enterprise customer. It's a useful framework for communicating to senior management why zero trust needs to anchor multicloud integrations.

The AWS version of the Shared Responsibility Model illustrates how Amazon is defining what they're securing in customers' cloud instances versus what is the customers' responsibility. Amazon has defined securing the data itself, management of the platform, applications and how they're accessed, and various configurations as the customers' responsibility. Source: AWS Shared Responsibility Model.

The following are the benefits that need to be included in creating a business case for investing in multicloud security:

Enterprises need to consider whether running dedicated IAM and PAM modules in each public cloud instance without securing the integration points is worth the risk. The majority decide to secure the entire cloud infrastructure as part of their zero-trust initiative. They’re opting for cloud-based IAM and PAM platforms that can protect an entire multicloud configuration at the infrastructure level. By 2025, 70% of new access management, governance, administration and privileged access deployments will be on converged identity and access management platforms, according to Gartner.

Evaluating multicloud security costs

The following are the most significant multicloud security costs that need to be included in the business case:

Creating a compelling business case for multicloud security

The best multicloud security business cases provide a 360-degree view of costs, benefits and why acting now is needed.

Knowing the initial software and services costs to acquire and integrate multiple clouds across your organization, the training and change management costs, and the ongoing support costs is essential. Many include the following equation to provide an ROI estimate in their business cases. The Return on Investment (ROI) for an endpoint security initiative is calculated as follows:

ROI on Endpoint Security (ES) = (ES Initiative Benefits – ES Initiative Costs) / ES Initiative Costs × 100.

A financial services company recently calculated the annual benefits of multicloud integration at $800,000 and the costs at $421,840, which will yield a net return of $8.90 for every $1 invested.

Additional factors to keep in mind when building a business case for endpoint security:

Zero trust needs to be designed in

Multicloud security needs to be included in any zero-trust framework and roadmap, focusing on quick wins in the areas of IAM, PAM and secured identity access for humans and machines across the network infrastructure. In addition, IT and security teams creating the zero-trust roadmap must target those multicloud integration points that rely on implicit trust. They’re everywhere in legacy system integration points. Going after those first will help remove a major risk to the network and future zero-trust progress.