Security and compliance are already hot-button issues for enterprise IT, but the rise of multi-cloud environments is making an already challenging problem all the more vexing.

In fact, exclusive IBM and IDG research shows that the majority of companies surveyed (77%) said multi-cloud makes them look at security differently. Thirteen percent of respondents believe multi-cloud adds another layer of complexity to the security equation, making it the top challenge related to managing multi-cloud environments. Given the risk of potential exposure, nearly half of organizations surveyed (42%) are turning to third parties to help with risk management and security.

From a technology standpoint, securing multi-cloud is not that different from safeguarding data in a public or private cloud: encryption, key management, classification, identity and access management, and security monitoring and risk analytics remain critical capabilities across all deployment scenarios. The specific challenge lies in securing workloads and protecting data in a consistent fashion across private clouds and diverse public cloud providers, which may leverage the standard mix of technologies but do so using different models and paradigms.

“Objective about securing workloads and protecting data remains the same as public or private cloud, but when it comes to multi-cloud environment it also outlines the focus needed around how to accomplish that consistently where you have different workloads in different clouds,” explains Nataraj Nagaratnam, distinguished engineer, CTO & director, with IBM’s cloud security.

“Each cloud provider provides security capabilities,” he continues. “Certain areas like identity management are standardized and interoperable because of standards like OpenID Connect or SAML; at the same time, when it comes to encryption and key management, there are no API standards and each provider will have a different way to accomplish the goal.”

Multi-Cloud Security Best Practices

With that in mind, here are four recommendations for ensuring consistency for multi-cloud security:

Institutionalize governance. The new decentralized multi-cloud model means one security chief is no longer calling the shots when it comes to risks. Codify security policies, processes, and governance models so they aren’t technology specific and have relevance across cloud providers and platforms. “Current policies that specify using a particular encryption technology or network security technology won’t fly,” Nagaratnam says. “Rather, policy should be about what the security levels and architecture is based on risk levels, while allowing the flexibility in implementation to meet those objectives.”

Embrace a shared responsibility model. Multi-cloud translates into multiple vendors and partners, which means the customer no longer has sole responsibility for security practices. Rather than simply offload security to third-party partners, however, Nagaratnam suggests shifting to a model where responsibilities are clearly outlined and distributed between parties.

Create a security culture. As the enterprise moves away from a centralized security model, it's critical that application and DevOps teams embrace security as part of their culture. "Security has to become part of the DNA," Nagaratnam says. "People can't just build something and throw it over the wall to the security guys—they have to realize that they not only build it, but they also run it and secure it. It's a fundamental shift in app development–shifting to secure DevOps."

Take a risk-based approach. It's no longer about perimeter-based security measures, but rather about securing the data in the most appropriate way. Creating a framework that considers risk and data sensitivity as one dimension and workload as another can help determine the best security approach, as opposed to taking a one-size-fits-all strategy. It's also important to invest in tools that can deliver a single pane of glass for managing data protection and encryption across multiple clouds, as well as supporting a software-defined security strategy.

With all these pieces in place, organizations can consistently safeguard sensitive data regardless of where it resides or with what cloud provider.

