* [Blog](https://www2.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www2.paloaltonetworks.com/blog/corporate/)
* [Points of View](https://www2.paloaltonetworks.com/blog/category/points-of-view/)
* How to Stay Secure in a M...

# How to Stay Secure in a Multi-Cloud Environment

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2019%2F03%2Fstay-secure-multi-cloud-environment%2F)  
[](https://twitter.com/share?text=How+to+Stay+Secure+in+a+Multi-Cloud+Environment&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2019%2F03%2Fstay-secure-multi-cloud-environment%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2019%2F03%2Fstay-secure-multi-cloud-environment%2F&title=How+to+Stay+Secure+in+a+Multi-Cloud+Environment&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/2019/03/stay-secure-multi-cloud-environment/&ts=markdown)  
\[\](mailto:?subject=How to Stay Secure in a Multi-Cloud Environment)  
Link copied  
By [Matthew Chiodi](https://www.paloaltonetworks.com/blog/author/matthew-chiodi/?ts=markdown "Posts by Matthew Chiodi")  
Mar 14, 2019  
4 minutes  
[Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)  
[Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)  
[Cloud Security](https://www.paloaltonetworks.com/blog/tag/cloud-security/?ts=markdown)

*"Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches."*

*-- Bruce Schneier*

[Bruce Schneier](https://en.wikipedia.org/wiki/Bruce_Schneier) penned these [insightful words](https://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html) in April of 2000. Scroll forward 19 years and we now find ourselves in a world where disruption and innovation are a daily occurrence due to the low barriers to entry created by public cloud. How do security leaders design a strategy that effectively addresses the processes and tools required to manage the new risks and threats cloud presents?

First, let's start with a definition of what we mean by multi-cloud. When we say "multi-cloud" we simply mean the parallel usage of two or more cloud service provider (CSP) platforms. And "cloud" generally describes a computing platform that falls into three categories: IaaS, PaaS \& SaaS. While each of these represent their own unique security challenges, we'll stay laser focused on IaaS \& PaaS where there are currently three ruling titans: Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform.

**Challenges of a Multi-Cloud Environment**

In our conversations with clients there is almost always one universal thread no matter where they are in their cloud journey: *how do we enable the business to operate with freedom in the cloud but also put the proper guardrails in place to prevent them from taking unnecessary risks?*

We believe a fundamental understanding of the [shared responsibility model](https://cdn2.hubspot.net/hubfs/2254955/WebsiteResources/RL_SolutionBrief_Web.pdf) is key as this is the main differentiator when compared to legacy on-prem environments. Once this model is understood and clearly documented and agreed to in an organizational [RACI](https://www.cio.com/article/2395825/project-management/project-management-how-to-design-a-successful-raci-project-plan.html), we recommend customers conduct a risk assessment informed by a thorough understanding of [security in the cloud](https://csrc.nist.gov/publications/detail/sp/800-144/final).

Critical to the cloud risk assessment is understanding your *current* security processes and how the tools you've already invested in help manage risks *today* . Unfortunately, we see a lot of clients skip this step and move directly to design and build phases, which is a fatal mistake. Why? Because it inevitably leads to security teams rebuilding their on-prem security model in the cloud and completely misses the opportunity to transform their security program and "[shift left](https://www.securityroundtable.org/to-improve-devops-and-security-the-time-has-come-to-shift-left/)" their security, aka [DevSecOps](http://www.devsecops.org/blog/2015/2/15/what-is-devsecops).

When companies are planning an all-in approach to cloud, they typically focus on one of the three major players: Google, AWS or Azure. Each of these providers offer rock solid services with every major security and compliance certification to boot.

Invariably several months into the cloud migration process a business unit will pop up (or security teams will discover) a new cloud requirement: "Provider X just launched a new feature which directly addresses our business requirement--can we get access this week?" The IT and security teams then scramble and try to figure out how anything they've purpose built for their primary cloud can be utilized with the new provider.

For security teams who are relying on legacy tools or only native security features of their primary cloud platform, this is a major challenge. How does AWS GuardDuty or AWS Config help you to secure Google or Azure clouds? Simple answer? They don't. So how should a security team proactively address the multi-cloud security challenge while not getting caught up in the morass of ever-changing individual cloud provider offerings?

**Standards are the Precursor to Automation**

Staying secure in a multi-cloud environment can be challenging given the radically divergent APIs between cloud providers. The best place to start is with a trusted security standard. Rather than trying to design a standard from scratch, we highly recommend starting with the [Center for Internet Security's Benchmarks](https://www.cisecurity.org/cis-benchmarks/). The AWS benchmark has been around for several years and both benchmarks for Azure and Google Cloud were released in 2018. While standards may not be the most exciting part of security they do have the added benefit of being the precursor to automation. Put simply, you cannot automate what you have not standardized upon. Once you've agreed upon a standard you can then begin to measure yourself against it over time and work to automate as your cloud security program matures.

**Moving from Theory to Execution**

Security leaders can design a strategy that effectively addresses new risks and threats presented by public cloud. This can only be done with a deep understanding of the shared responsibility model and a sharp focus on dissecting the process by which development and business teams are utilizing public cloud. In my next post we'll dig deeper into how this can be done as well as how simplicity is key to your multi-cloud security strategy.

*** ** * ** ***

## Related Blogs

### [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### 8 AWS Security Best Practices to Mitigate Risk](https://www2.paloaltonetworks.com/blog/2019/02/8-aws-security-best-practices-mitigate-risk/)

### [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### The Hole in Your Container Security Strategy](https://www2.paloaltonetworks.com/blog/2019/02/the-hole-in-your-container-security-strategy/)

### [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [CSO Perspective](https://www.paloaltonetworks.com/blog/category/cso-perspective/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Cloud Security, Yes -- But Is AI Ready for Its Cybersecurity Spotlight?](https://www2.paloaltonetworks.com/blog/2018/10/cloud-security-yes-ai-ready-cybersecurity-spotlight/)

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Achieving Comprehensive Cloud Security: The Power of Consolidation](https://www2.paloaltonetworks.com/blog/cloud-security/cloud-security-consolidation/)

### [CIEM](https://www.paloaltonetworks.com/blog/cloud-security/category/ciem/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security/?ts=markdown), [IAM](https://www.paloaltonetworks.com/blog/cloud-security/category/iam/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Why Are Net-Effective Permissions Critical for Cloud IAM?](https://www2.paloaltonetworks.com/blog/cloud-security/net-effective-permissions-iam/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Company \& Culture](https://www.paloaltonetworks.com/blog/category/company-culture/?ts=markdown), [Government](https://www.paloaltonetworks.com/blog/category/government/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Public Sector](https://www.paloaltonetworks.com/blog/category/public-sector/?ts=markdown)

[#### Palo Alto Networks Conformance to the NCSC Cloud Security Principles](https://www2.paloaltonetworks.com/blog/2023/01/conformance-to-the-ncsc-cloud-security-principles/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language