Don’t Get Caught Unprepared: Three Steps to Manage the Risks of Multicloud
[ Music ]
Erica Toelle: Hello, and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, Senior Product Marketing Manager on the Microsoft Purview team. And now, let's get into this week's episode. Welcome to another episode of the "Uncovering Hidden Risks" podcast. In today's episode, we will talk about hidden risks behind running a multicloud strategy and how customers can think about this as they accelerate their digital transformation strategy. Let's introduce today's guest host who will join us for the discussion. Daniel Hidalgo is a Product Marketing Manager on the Microsoft Purview marketing team. Daniel, would you like to share a little bit more about your background and experience?
Daniel Hidalgo: Sure. Thanks for having me on, Erica. I'm grateful and honored to be here. Multicloud is top of mind for decision makers all around the world and I'm grateful to be on this journey to help our listeners understand how to manage risks across multiple environments. In short, I focus on how we can help protect not just Microsoft, but non-Microsoft environments, too. Our goal is to assist customers in achieving a digital transformation that is tailored to their specific circumstances. And given that 90% of companies have more than one cloud provider, that is where we want to meet them.
Erica Toelle: Excellent. And also joining us today is our guest, Ashish Kumar. Ashish is a Principal Product Manager for our Customer Adoption team and has 25 years of experience in the field of compliance and risk management. Ashish is the author of the new book, Managing Risks in Digital Transformation. Ashish, thanks for joining us on the show, today. Would you like to introduce yourself to the podcast listeners?
Ashish Kumar: Sure. Thanks, Erica, and hello, Daniel. Thank you for having me here and providing me a platform to share the experiences around hidden risk which customers implement when they build multicloud applications. So I help lead our cloud posture management efforts, which is directly related to cloud and multicloud efforts. In some ways, where our customers implement the applications in complex environments. So that they're aware of these risks and we can have a safer digital world enabling every person, every organization on the planet to achieve more.
Erica Toelle: Well, sounds great. With that, let's just dive right in to the interview. So, Ashish, to set the context for our listeners, could you please tell us what is multicloud and why it's important?
Ashish Kumar: Sure. So I think it's a good opening question. Thanks for asking that, Erica. So today, organizations of all size, small or large, are moving to the cloud to meet their computing needs. Cloud, itself, is continuously changing. It's adding new capabilities like speech, AI. We often hear about ChatGPT as a new entrant there. So it is opening new ways of computing, enabling new innovation for companies. So today, it's not just IT. The cloud, specifically the SaaS services, are consumed by business users directly. Cloud platforms are also evolving to make use of cloud easier for both IT and non-IT users. Now such democratic use of cloud results in large number of solutions, applications created by business and IT to serve business need. This creates a challenge for IT to ensure their business applications and solutions are protected. They keep working, trusting customer data and their applications in this role of cyber incidents and cyberattacks. And when you build multicloud solutions using applications and data that reside in your organization network or on-premise, it's critical to have a view across whether it's on Cloud A or B. And that's what it becomes fairly important to go in multicloud and have a secure implementation of these applications.
Daniel Hidalgo: So I love what you said on democratizing these technologies at scale. One question that I had that maybe our listeners also have is is multicloud only referring to the concept of using multiple infrastructure clouds like AWS, Google, or Azure, or is it more than that, Ashish?
Ashish Kumar: Not really. It's much more than that, Daniel. A multicloud application can use infrastructure, what we call it as IaaS, from one vendor. It could use PaaS or a SaaS service from another vendor to offer the functionality. Example, you could use phone applications. So you could be using a phone application which does image processing or image filtering of the images that you take while the storage could be a Google storage, which is a separate cloud. And the actual processing of the images might be happening on a virtual machine out of Azure cloud. And it's quite possible that the AI filters that you're applying on that image could be coming from another cloud, or your own captive data center, or a private cloud. And that's why it's much more than just the infrastructure part, Daniel.
Erica Toelle: Daniel, I'm curious. I think we all understand the benefits of a multicloud environment, right? We're trying to give our end users the tools that they need to get their work done in the best possible way. But what are some of the risks when you operate a multicloud environment? Is it more risky than using a purely on-premises infrastructure or is it more risky than using a single vendor? What do you think about that?
Daniel Hidalgo: Yeah, so in short, it is more risky because you are covering more ground. You have more identities to cover. You have more services to cover across multiple clouds. However, the average enterprise infrastructure is now mostly cloud-based and over 90% of companies already deploy some sort of multicloud architecture. So by embracing a multicloud strategy, organizations can be more resilient, improve their operational efficiency, and take advantage of the latest innovations that Ashish talked about like AI and speech. Now to effectively manage risks in a multicloud environment, there are really three key considerations. The first one is visibility. It is critical to have a view into what services you are consuming and from which cloud. And to do that, you need some sort of single pane of glass to view all resources regardless of your cloud provider so that you are effectively monitoring your overall risk exposure. The second one is really around automation. Because it's critical to have almost a real-time view into the application configuration and the alerts that dive right into your monitoring system when changes happen that can cause a security threat. And obviously changes, updates, unauthorized access, and upgrades are part of any cloud application lifecycle. And lastly, threat intelligence. Because threats in the digital world are continuously evolving. Managing a multicloud environment without an eye on the emerging threats is like flying an airplane without the knowledge of the weather conditions that you're going to encounter. So it is important to have information on the risks affecting your environment so that you can keep it running safely and compliant.
Erica Toelle: Yeah, I think that's an interesting point of view and certainly I can see the risks of having the larger attack surface or just a larger exposure with a multicloud environment. But, you know, I'd love to dig a little deeper into what you mentioned around real-time visibility. So, Ashish, I was wondering in your opinion, why is it important to have real-time view of your cloud configuration and associated threats?
Ashish Kumar: So you have the cloud, like I shared earlier, is today used by IT and non-IT users. They log in, they create services, and multiple services get created. So the challenge is you have so many users who consume in cloud both creating and servicing. You need a single pane of glass so that you can have a view into who's doing what and cloud comes with the characteristics that you can create fast and kind of delete fast. So it becomes very critical to have a view into what's going on. The second is any application in the lifecycle, there are changes that the IT team is making, the business folks are making. So you need to eliminate the blind spot with the changes that you're making. They create new risks. They could create new vulnerabilities based on the changes you've done. So you need a real-time view into the cloud controlled configuration and the misconfigurations that you would have done. Changes like I spoke which are getting done could result into a new risk or vulnerability across what you'll be seeing to cloud services. And this is what Daniel earlier spoke about having a visibility.
Erica Toelle: Ashish, I can totally see your point about having kind of this single pane of glass, if you will, to view your cloud environment. And I feel like that's something everybody knows that they want. But we're- it's like we're not quite there yet, right? We can't quite achieve this vision of seeing all the risks perfectly in our cloud environment. Is there anything that customers could be doing today to set themselves up for like that single pane of glass view in the future? And setting them up- themselves up for success in a world where we have large language model AI, assessing our risks for us and servicing it in a pretty dashboard?
Ashish Kumar: So, Erica, that's a good question, and I'll say cybersecurity is not a configuration that you switch on or off. It needs to be managed and it needs to be managed because the threats are evolving, the platform, like I said, the cloud is evolving. It's coming up with new controls. They're coming up with new innovation. So, as I said, it needs to be managed. Hence, there is no on and off button and it will be a continuous journey for the customer to look at what's changing in the environment and then managing their application in that new threat landscape. As well as leveraging the newer innovation for their business.
Erica Toelle: So if I could paraphrase, maybe setting up your foundational security and making sure that's running and maintained well in your cloud environments. And then, Daniel, what other advice would you have for listeners that are looking to get started with a multicloud strategy to set up that foundation for success?
Daniel Hidalgo: Yeah, so there's no one size fits all like you talked about earlier, but there are steps that you can proactively take for mitigating risks in this multicloud reality. And there are really five steps that our listeners can start thinking as they approach this. The first one is assessing your current infrastructure. Before you start planning your multicloud strategy, you should assess your current state and identify areas where multiple cloud providers could be beneficial. You should consider factors such as data sensitivity, application performance, capability, and security requirements. Once you've assessed your current state, then step number two is defining your objectives. And you need to have a clear set of KPIs for what you really want to achieve with this multicloud strategy. For example, like what is it that you really want to improve or change? Do you want to increase redundancy and availability? Do you want to improve performance and scalability? Do you want to reduce costs? Do you want to enable better data security? And that should help you really set forth to step number three, which is choosing those cloud providers based on your needs and objectives. Each cloud provider has its strengths and weaknesses. I'd love to say Azure is the answer for everything, but you should consider factors such as cost, performance, or whatever best meets your business needs. And then step number four would be to develop an integration plan. After choosing your providers, this plan can really outline how these clouds will work together. This should include a strategy for data management, for network connectivity, and for the application integration. And you should also consider how you will manage security and compliance across the clouds, hence that reference to the single pane of glass. And lastly, like Ashish mentioned before, it's about testing and optimizing. 
Once you've implemented your plan, you should optimize and monitor the performance regularly. It is important to review and make changes to ensure that the strategy continues to meet the ever-changing business needs.
Erica Toelle: So I don't think multicloud's going away, right? So, Ashish, I'm curious for leaders that are in either security, or in IT, or another multicloud type role, what are some of the areas that they should look into now to prepare themselves for the future? Or what things do you think that they'll be concerned about a year from now?
Ashish Kumar: So, Erica, the pace of innovation will keep on accelerating, and I'm fortunate to listen in to conversations of multiple CISOs, VPOs, and other key stakeholders who are involved in multicloud decisions. So what comes top of mind is, you know, protecting data at all the times as it moves or gets stored in different clouds. Second is while you do that, you've got to be very, very kind of laser sharp on the compliances and regulation that impact you and be compliant with them. I want to make the tools, look into them, be compliant with them. Third is most of these, I would say, incidents occur or start from identity and misuse of identities. So it's fairly critical as you go into multicloud environment to have the user roles, permission, and identities getting top, I would say, monitored. And then when we talk about monitoring, it's not just identities. When you're looking at multicloud, you've got to have an eye radar into sensors, into what's going on on the network. What's going on in the API layer when two applications are talking across cloud. So that's very, very critical. And then I would say what most stakeholders also look at is is the cloud provider, himself, meeting security requirement and doing enough from a shared responsibility model. So I think that would be the top one that I often listen from the key stakeholders.
Erica Toelle: So I keep hearing from customers a similar theme, which is, "We have a small team, a smaller team than we would like to do all of this, and it seems like there's so much to do." Have you, in your work with customers, Ashish, seen any methods, or focus areas, or strategies that a customer has taken to essentially do more with a smaller team?
Ashish Kumar: Oh, yeah, Erica, so it's the same sentiments across small or large customers. And if you look at small customers, they have maybe less number of people doing more. And if you look at the large customers, they have large teams, but there's such a large infrastructure to take care of. And this problem gets compounded because you have, as we discussed earlier on the show, a lot of innovation coming too fast. So and there are certain blueprints customer adopt, too. Automation got created because you wanted to do things in a way so that you have less human effort going there. What we see today, the current innovation around AI and ChatGPT is another pattern which is evolving and help us. Whether in triaging the incident like the recently released Copilot from a security perspective helps you save a lot of manpower, and people, and even the skill required. Because it's not just about having people. It's also about having the right skills. So the patterns would be surrounded with automation, would be surrounded with AI so that we can have, as you said, do more with less, so less number of people could be there. And resulting into, I would say, artificial humans which I've absolutely spoken in my book. It could be that these are AI kind of workers who are actually not physical workers but pretty much doing the same job what you would expect a human to do.
Erica Toelle: Yeah, and I like to think of it as do more with the same amount of people. Because there is so much to get done, I don't think anyone has to worry about there not being enough to do in security.
Ashish Kumar: I think it [inaudible] do more with people and virtual people, so whatever those virtual people will be called in future.
Erica Toelle: Love it. So, Ashish, or even Daniel, anything else that I didn't ask about the topic or any final words of advice for our listeners?
Ashish Kumar: I think as we enter this highly, highly digitized era, we obviously can expect more innovation. And it will come and change the way we work, communicate, socialize, to just explore more capabilities of what humans can do and all of us can do. However, along these, I would say, advancement, would come risks which are both visible and invisible that we need to be mindful of.
Erica Toelle: Daniel, anything you would add?
Daniel Hidalgo: I think Ashish covered pretty much everything. The only thing I'd say is I would reemphasize that there's just so much to do in the world of security, especially in this multicloud reality that customers face. That AI is really becoming that copilot that is going to free up time for the people in your organization to be focused on the most important things and be able to automate more of the manual processes.
Erica Toelle: Perfect. Well, thank you so much, Daniel and Ashish. That's about all the time we have for today. So to wrap up, we have a tradition on the podcast to ask what is your personal motto or what words do you live by?
Ashish Kumar: So, thanks, Erica. I think you asked it at a time I was just thinking about what to write about the next part. Let me say we're really, really fortunate and we should welcome the shift that the entire society is kind of going into the direction. And as we embark on this journey, let's explore the new connection that will get created between us and machines. Which could probably enhance our own existence, productivity, and promote the sustainability for our planet.
Daniel Hidalgo: And for me, it's be kind. For everyone you meet that's fighting a harder battle, we are all human at the end of the day and we are much more similar than we are different. And then the other quote that also sticks with me is from my favorite show, Ted Lasso. "Be a goldfish. You know why the goldfish is the happiest animal on Earth? It's because it has a five-second memory." And I always remind myself about that. Don't dwell on the past. We all make mistakes and, you know, it's all about having that five-second memory and being able to move forward.
Erica Toelle: Love it. Both great words of wisdom. So thank you, again, so much to Ashish and Daniel for joining us, today. Really appreciate having you on the podcast and thank you to our listeners for joining us.
Ashish Kumar: Thank you, Erica. Thank you, everyone. Thanks, Daniel.
Daniel Hidalgo: Thanks, Erica.
[ Music ]
Erica Toelle: We had a great time "Uncovering Hidden Risks" with you, today. Keep an eye out for our next episode and don't forget to tweet us @msftsecurity or e-mail us at firstname.lastname@example.org. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to "Uncovering Hidden Risks" on your favorite podcast platform. And you can catch up on past episodes on our website, uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs and it's up to you where to focus.
[ Music ]