Building a business case for zero-trust, multicloud security



Bottom Line: A business case for securing multicloud configurations needs to go beyond tallying costs and benefits and recognize that public clouds lack advanced zero-trust features and unified reporting across providers.

The pace at which enterprises want to pursue their digital transformation goals often outruns the security of their infrastructure, especially when they rely on multicloud configurations. Each public cloud provider has its own version of Identity Access Management (IAM), Privileged Access Management (PAM), policy management, admin and user access controls and more.

The typical enterprise needs domain experts for each public cloud it integrates with. That’s why heavy investment in training needs to be one of the costs enterprises get right when creating a business case for multicloud security. Another reason to prioritize training is that data integration across multiple clouds often increases the complexity of the data itself, making data consumption, security and compliance harder. The greater the data complexity, the higher the risk of a breach caused by misconfiguration.

Invest in people first 

Cyberattacks on multicloud configurations succeed more often because of human error than any other factor. For instance, 82% of data breaches involve mistakes in configuring databases and administrator options that accidentally expose entire networks to cybercriminals.

What makes multicloud so challenging to secure is its dependence on training people and keeping them current on new integration and security techniques. In addition, the more manual the hybrid cloud integration process, the easier it is to make an error and expose applications, network segments and storage.

Multicloud security business cases need to start with intensive cloud security training, including paying for security certifications for members of the IT and security teams. A core part of any business case for multicloud security is budgeting enough time and funding to turn training and configuration knowledge into a strength.

Defining multicloud security’s benefits 

Building a business case for multicloud security needs to start by auditing all cloud configurations. Making the audit the first step immediately identifies configuration gaps. The business case for multicloud security should be built on core zero-trust principles and on the data obtained from that audit. The Shared Responsibility Model is a commonly used framework for explaining which areas of multicloud security are owned by the cloud provider and which by the enterprise customer. It’s a useful framework for communicating to senior management why zero trust needs to anchor multicloud integrations.

The AWS version of the Shared Responsibility Model illustrates how Amazon defines what it secures in customers’ cloud instances versus what is the customers’ responsibility. Amazon has defined securing the data itself, management of the platform, applications and how they’re accessed, and various configurations as the customers’ responsibility.
Source: AWS Shared Responsibility Model.

The following are the benefits that need to be included in creating a business case for investing in multicloud security:

  • Reducing gaps in Identity Access Management (IAM) and Privileged Access Management (PAM) across cloud platforms reduces the risk of recurring breaches. Like all public cloud platforms, AWS delivers a free baseline IAM module that organizations can use to get started. Microsoft Azure, Google Cloud Platform (GCP) and others offer similar IAM and PAM modules tailored to their own platforms. They don’t cross-integrate to provide enterprise-wide IAM and PAM security, however.

Enterprises need to consider whether running dedicated IAM and PAM modules in each public cloud instance without securing the integration points between them is worth the risk. The majority decide to secure the entire cloud infrastructure as part of their zero-trust initiative, opting for cloud-based IAM and PAM platforms that can protect an entire multicloud configuration at the infrastructure level. By 2025, 70% of new access management, governance, administration and privileged access deployments will be on converged identity and access management platforms, according to Gartner.

  • Reduce the complexity, cost and need for emergency security projects to fix weak multicloud configuration points. Untangling complex cloud configurations, security misconfigurations and compromised connections burns millions of dollars a year and thousands of hours in lost productivity. Budgeting in the business case for securing each integration point and removing implicit trust across multicloud integration points is key. Assuming that the 4,000 hours security teams spend on emergency cloud integration security problems could be reduced, organizations could save approximately $400,000 a year.
  • Reducing the risk of data exfiltration while gaining better visibility into why multicloud costs were so high saved one organization over $300,000 a year – and averted a malware attack. Taking an audit-based approach to identifying the gaps in multicloud configurations helped the company fine-tune each public cloud configuration and improve the performance of its multicloud networking software. Not only did its AWS and Azure bill go down, but the configuration changes also helped thwart a malware attack that, without the audit, would easily have delivered fileless payloads to users and critical systems.
  • Discovering how much budget was wasted maintaining the first cloud integrations to legacy systems. One IT department found that the first cloud integrations it had done over a decade ago were for systems that only delivered a few data elements on a report that hardly anyone was using. The multicloud security audit found the legacy integration was over two years overdue for an upgrade, and the data elements were no longer as important to the business unit that had requested them years before. So, IT pulled the plug on the integration and re-allocated the budget to the zero-trust initiative. Cost savings amounted to approximately $25,000 a year.
  • Closing multicloud integration gaps reduces compliance costs and the risk of regulatory fines. The more regulated the business, the more closely audits look at how well data is secured, especially in multicloud configurations. The Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS) all require ongoing audits, for example. Providing the reporting and audit histories that these and other regulatory regimes require, specific to how data is stored, is more efficient when multicloud security integration is in place. The time and cost savings organizations realize from automating audits vary significantly, but it’s a reasonable assumption to budget at least $75,000 in savings per year in audit preparation costs alone.

Evaluating multicloud security costs 

The following are the most significant multicloud security costs that need to be included in the business case: 

  • Annual, often multi-year licensing costs for IAM are minimal, with PAM also offered as part of a suite on large enterprise deals. IAM providers vary significantly in their pricing models, costs and fees, and prices range widely depending on the size of the organization and the number of devices. Vendors have been known to bundle in PAM modules at no charge on large-scale enterprise deals. TrustRadius finds that vendors sell tiers of functionality with enterprise-level pricing. As IAM is a cornerstone of zero trust, it’s a good idea to begin it early in an organization’s zero-trust roadmap. AWS offers its IAM for free, which is why so many enterprises stick with it despite its lack of multicloud security coverage.
  • Evaluate whether multicloud network software (MCNA) is a good fit for your organization, as it’s proving valuable for addressing network weaknesses in organizations today. Enterprises often select MCNA software to compensate for the lack of advanced features and consistent management across multicloud configurations, relying on MCNA deployments to achieve a consistent network operations model across all public cloud deployments. Consider consumption-based pricing on a one- to three-year contract, and renegotiate based on results. As an example, Arrcus Multi-Cloud Networking (MCN) is available on the AWS Marketplace and is $400,000 a year running on a t2.medium EC2 instance.
  • Double down on education and change management costs. Change management, implementation and integration costs increase with the complexity of multicloud security integration. Expect to pay at least $6 for every dollar spent on software for education, implementation, integration and change management costs. For example, if total software costs are $100,000, expect to pay at least an additional $60,000 for all aspects of training, implementation, integration and change management.

Creating a compelling business case for multicloud security 

The best multicloud security business cases provide a 360-degree view of costs, benefits and why acting now is necessary.

Knowing the initial software and services costs to acquire and integrate multiple clouds across your organization, the training and change management costs, and the ongoing support costs is essential. Many business cases include the following equation to provide an ROI estimate. The Return on Investment (ROI) for an endpoint security initiative is calculated as follows:

ROI on Endpoint Security (ES) = (ES Initiative Benefits – ES Initiative Costs) / ES Initiative Costs × 100

A financial services company recently calculated the annual benefits of multicloud integration at $800,000 and the costs at $421,840, which it reports will yield a net return of $8.90 for every $1 invested.

Additional factors to keep in mind when building a business case for endpoint security:

  • Multicloud ROI estimates fluctuate, so it’s best to start with a pilot that captures live data, funded with budget available at the end of a quarter. Typically, organizations allocate the remaining amounts of their IT security budgets at the end of a quarter to multicloud initiatives.
  • Succinctly define the benefits and costs and gain C-level support to streamline the funding process. It’s often the CISOs who are driven to achieve greater multicloud security as quickly as they can. Today, with every business having its entire workforce virtual, there’s added urgency to accomplish multicloud security.
  • Define and measure multicloud initiatives’ progress using a digitally enabled dashboard that can be shared across any device, anytime. Everyone supporting and involved in multicloud security initiatives must know what success looks like. A digitally enabled dashboard that clearly shows each goal or objective and the company’s progress toward it is critical to success.

Zero trust needs to be designed in 

Multicloud security needs to be included in any zero-trust framework and roadmap, focusing on quick wins in IAM, PAM and secured identity access for humans and machines across the network infrastructure. In addition, IT and security teams creating the zero-trust roadmap must target the multicloud integration points that rely on implicit trust. They’re everywhere in legacy system integration points. Going after those first will remove a major risk to the network and to future zero-trust progress.

Originally appeared on: TheSpuzz
