Multicloud: what risks and challenges


The accelerated multi-cloud strategy - which has characterized the past two years - has enabled organizations to leverage the best technical features of each cloud platform. However, as often happens, the concern of managing the system remains on the part of many organizations vendor lock-in1, also confirmed by a recent one Survey carried out by the Cloud Security Alliance. This concern is not the only reason that slows multicloud implementation, as organizations are faced with the different challenges that arise from interoperable and diverse environments, such as:

• need for experienced personnel in the management of multi-cloud environments;

• Extended attack surface, as a result of integrating multiple cloud vendors into the environment, making management and security more difficult;

• difficult supervision of all resources;

• Difficult oversight and risk governance across a wide variety of assets across multiple platforms cloud e on premise2;

• difficulty in integrating multiple platforms, even with the help of APIs3, as cloud providers use different technologies to gain a competitive advantage;

• Complexity of managing security checks between a wide variety of services and products on different service providers cloud;

• Latencies4 due to data transfers between different platforms, with consequent performance and reliability problems, considering that availability is a key element of security and operation.

But we proceed with order.

What is multicloud

If we refer to IBM, we find that for multicloud means the use of services cloud from more than one service provider cloud. This could be using Software as a Service (SaaS) from different vendors or, as is often the case in large companies, it could be running applications on Platform as a Service (PaaS) or up Infrastructure as a Service (IaaS) of different service providers cloud5,6,7,8.

Always IBM specifies that a multicloud solution is a solution of cloud computing which turns out to be portable through different infrastructure providers cloud. A solution multicloud it is typically achieved through the use of technologies cloud-native (such as, for example, Kubernetes9) which are generally supported by all Providers public services cloud.

How to avoid the lock-in

The IT segment is characterized by many players in close competition with each other to propose attractive solutions. It follows that the lock-in phenomenon is complex and articulated, given that i Cloud Service Providers they tend to use a variety of "elements" and techniques to disfavour the passage of customers to the competition.

However, the transparent comparison between the different operators allows (not without difficulty) to directly verify the presence of possible strategies lock-in and, if necessary, evaluate any exit costs.

Associations and leading companies are striving to keep business logic as far as possible from lock-in, especially in terms of data. Therefore, in choosing the cloud it will be essential to prevent the emergence of new silos10 and work together to avoid (or try to limit) large cloud operators from imposing regulations that potentially, or practically, limit the degree of market freedom.

Furthermore, in such a changing, innovative and extremely competitive market, iI lock-in it is a constraint that is difficult for organizations to accept since they aspire to be completely free to develop their own business strategies by combining the solutions offered by the various providers and integrating the various services with those already implemented internally in their own structures.

As a result, discerning customers should expect to be able to build, migrate and deploy their applications across multiple environments, both in cloud is on-premise, thus avoiding any lock-in with a view to faster innovation, in all environments.

I Cloud Service Providers, for their part, will have to guarantee these characteristics if they do not want to undermine the enormous potential for value creation offered by the paradigms of Cloud.

Therefore, we should move towards open code and standards, which allow to strengthen interoperability and create value for organizations that need to be able to migrate workloads to the infrastructures and localizations that best suit their business needs.

How to choose service providers for multicloud

There are Cloud Service Providers, such as Microsoft Azure, which already offer an open platform that allows anyone to use what they want and to integrate with any other service, whether in the cloud or not. All of the above, although theoretically logical, is not easy to obtain for various reasons.

First, organizations will have to know themselves to understand in whole your needs and vulnerabilities, addressing and trying to prevent / solve the lock-in problem is extremely important.

It follows that, before choosing a Cloud Service provider, it will be necessary to:

  • Carry out "due diligence"11 and careful comparison of offers - Check if the offers meet your needs; examine different pricing models to determine short, medium and long term cost savings; understand service level agreements (SLAs); consider the processes and costs of data transfer; keep in mind other similar companies they have worked with.

  • Plan the way out of the contract - Include an exit plan and potential costs in the implementation strategy, ie a sort of “pre-equity agreement” that can better protect the company and quantify the costs in a preventive way. In addition, it is vital to make sure that you understand all of the cloud contract termination clauses, as well as the costs of migrating data out of the cloud. Still, to simplify data access and transition to another cloud, it may be necessary to implement a backup strategy that keeps a second copy of the data outside of the cloud.

  • Create your own applications in order to make the migration as flexible as possible - Make sure that cloud application components can be freely linked to application components that interact with them.

  • Carefully consider cloud native architecture - It's about weighing the organization's risks and priorities to determine whether to adopt a cloud-native architecture or consider a reduced dependency.

  • Maximize data portability - Data is one of the biggest pain points in cloud migrations as different formats and models can cause portability problems. Therefore, it would be best to avoid proprietary formatting and describe the data models as clearly as possible, using the applicable schema standards to create detailed documentation that is readable by both the computer and the user. Additionally, you should make sure that the Cloud Service Provider offers a way to extract data easily and inexpensively to facilitate the transition of data from one provider to another.

  • Implement DevOps tools and processes12 - They are needed to maximize code portability. In particular, container technology helps isolate software from its environment and abstract dependencies on the cloud provider, and since most Cloud Service Providers support standard container formats, it should be easy to port an application to a server if needed. new supplier.

  • Consider privacy regulations right away - the use of Cloud services provided by countries other than ours must be carefully investigated, as well as the country of reference for the settlement of judicial disputes.

  • Use the Security by design policy - the right level of security must be designed from the beginning, together with the choice of Cloud providers.

Before selecting a cloud service provider, it is necessary to know the technical, service, security, data governance and service management requirements you need, allowing you to compare the various cloud service providers based on your checklist. .

Also, remember that when migrating applications and workloads to the cloud, the specific environments you choose and the services offered by the cloud service provider will determine the configurations you need, the work to do, and the help you can get from the provider.

It being understood that the requirements and evaluation criteria vary from organization to organization, some common criteria can be considered - grouped into 8 main sections - to refer to during the evaluation phase of the service provider, in order to select the cloud service most suitable provider for your organization. And precisely:

  • Certifications and standards

  • Technologies and service roadmap

  • Data security, data governance and company policies

  • Dependencies and service partnerships

  • Contracts, advertising and SLAs

  • Reliability and performance

  • Support for migration, vendor lockout and release planning

  • Financial strength and supplier profile

Therefore, in order not to slow down the implementation of the Cloud, organizations should consider not only performance, reliability and cost, as elements to be placed on the scale, but also carefully check what may be the contractual or technological constraints that a given provider dictates to the customer. We are not just talking about hardware / software / cloud platforms or SLAs, but also about the contractual and management mechanisms that can generate a real “lock-in” for those who buy a service.

Multi-cloud management strategy

Organizations, in designing a system capable of exploiting multiple clouds at the same time, must face several problems / challenges that imply the need for a multi-cloud management strategy. In fact, there are different types of multi-cloud management applications on the market capable of:

  • Automate and orchestrate - effectively and efficiently - the movement and migration of different application workloads between public, private and hybrid cloud environments, according to the technical and business requirements established from time to time.

  • Provide security management, policy governance and compliance control functions.

  • Ensuring, through resource optimization and cost estimation, both the monitoring of infrastructure and application performance and the cost-effective management of the multi-cloud environment.

Many medium-large organizations, thanks to these multi-cloud management applications, use management dashboards that facilitate - regardless of the infrastructures and services used - both the activities of moving workloads and provisioning as well as measurements. , considerably reducing the complexity and, at the same time, allowing to verify: the contractual SLAs, the evaluation of the consumption of the services according to the associated costs; the optimization of the use of resources, moving workloads between different clouds and on-premise infrastructures.

Security and offer

To guarantee security in the Cloud it is necessary to have a deep knowledge of one's organization and the reliability of the Cloud Service Provider in order to make effective, efficient and structured choices based on company objectives, especially in terms of: data protection; safety; sharing of regulations and standards that can be applied, used and understood by all.

In fact, in the phase of choosing the Cloud provider, it is necessary:

  • Check the cloud provider's continuity plans and insert continuity clauses in contracts, as well as requesting confirmation of compliance also by sub-suppliers. This is probably the most complex aspect as it involves having access to information that is not always easy to interpret.

    • Verify connectivity services and power in data centers in case of disaster / disruption.

    • Check hardware failure management and how to contractually insert their resolution methods.

    • Check how the data is replicated and where they are kept for the purposes of the GDPR.

  • Check the data center specifications used by the cloud provider.

  • Check for cases of downtimeà occurred in the past 18 months.

  • Check the frequency of testing recovery, emergency and availability of the latest report.

Equally important is making sure there is a solid security setup in the cloud through a set of widely established strategies and tools, such as:

  • Identity and Access Management through the adoption of an Identity and Access Management (IAM) system.

  • Physical Security as a combination of measures to prevent direct access and disruption of the hardware housed in the cloud provider's datacenter.

  • Information on Threats, Monitoring and Prevention through the adoption of Threat Intelligence, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).

  • Cryptography to protect data and information resources, encoding and encrypting them when they are at rest and in transit according to the required levels.

  • Cloud Vulnerability and Penetration Test to identify any weaknesses or opportunities for exploitation.

  • Micro-segmentation, dividing the cloud implementation into distinct security segments, down to the individual workload level.

  • Next Generation Firewall that protect workloads, using traditional firewall capabilities and the latest advanced features.

Therefore, it is very necessary, before adopting a Cloud system, to carefully evaluate the risk / benefit ratio and try, as repeatedly stressed, to minimize the former through a careful check of the reliability of the service provider to which it is intended. mandate and implement a strategy that combines tools, processes, policies and best practices.

Another important element is understanding shared responsibility and compliance.

Portability of workloads

Using a multi-cloud environment requires structured planning to ensure a continuous flow of data and information through these environments, thus raising concerns about the portability of workloads.

The portability of the multi-cloud workload means, in effect, that you can move a workload from one cloud (or an on-premise data center) to another. Unfortunately, it is very difficult to write an App, once, for one cloud and still be able to run that same App on other clouds, without any code changes. Different vendors have different APIs, semantics, capabilities, syntax, and other nuances that make workload portability, in fact, one of the most challenging forms of multicloud portability.

Also, in terms of workload placement, in multi-cloud environments, you need to choose a hosting solution that offers the right mix of performance and cost-effectiveness. Infrastructure options are varied and numerous, including on-premise data centers with private hosted clouds and vendor-based public clouds providing SaaS, IaaS, and PaaS services.

To make the best decision, it's about understanding the various types of workloads, their attributes, the applications that enable them, and the business goals they help achieve. That is, organizations - depending on industry, platform availability and versatility, and application performance - can choose whether to locate their workload on a public cloud or on-premise. Considerations influencing this decision include cost savings, operational agility, centralization and security. Once again, it is a question of having knowledge of the context in order to become aware of the necessary requirements and to be able to compare the offers of the various Cloud Service Providers.

Resilience in the cloud

The adaptability and resilience - to which companies today are called to respond in order to remain competitive - require simpler and faster cloud management, able to guarantee scalability and speed, as well as the reduction of time-to- market and costs, as fundamental requirements for the modernization of companies. It follows that Cloud Service Providers, to remain competitive, must ensure the resilience of the organization's daily operations. That is, to implement a continuous path of optimization of services, assuming that the resilience of the cloud begins with the strategic alignment with the main business stakeholders, planning and execution with an architecture that supports true resilience and a program of enhanced disaster recovery.

Cloud experiences

There are numerous organizations, groups, task forces and associations that offer resources and standards on cloud security, just think of NIST, ISO, Cloud Security Alliance, ETSI, OGF, OASIS,

With so many standards, regulations, frameworks, and other practical documents, IT professionals often find it difficult to select the most relevant option for their organization. I believe a good approach is to conduct research on the various technical cloud working groups and committees and review the standards used by leading Cloud Service Providers, such as AWS and Microsoft Azure and, importantly, include security compliance as part of the assessment process. .

In the future, necessarily, there will be a further evolution of the standards to guarantee more and more compliance with the various regulations in force in order to be better able to manage the challenges that the implementation of a cloud implies.

Furthermore, let's not forget that, to date, organizations continue to have difficulties in implementing the cloud due to a lack of knowledge of the hardware / software and app assets and processes and the involvement of all stakeholders.

Still, another problem is represented by the difficulty of finding qualified personnel, able to: manage the implementation of a cloud / multi-cloud strategy; evaluate services offered by the various Cloud Service Providers; understand which offer best meets the needs of the organization, paying particular attention to three fundamental elements, ie the people involved, the processes implemented and the technologies used.


Organizations must be able to manage the migration from legacy systems to the cloud, therefore, it is important to invest in terms of strategy, using expert cloud architects and IT consultants to design the ideal IT infrastructure configuration to support their workloads. 'company, both under current conditions and in anticipation of business growth, the dynamics of which are not yet known a priori.

It is believed that there will be a further growth of the multi-cloud which will involve more and more organizations building zero-trust approach strategies; artificial intelligence or machine learning and serverless computing.

In fact, the multi-cloud allows you to: keep the costs of the cloud structure under control; build resilience (allowing data to be moved when needed); evaluate - if and which - components are correctly sized (in order to carry out a continuous "orchestration" aimed at optimizing performance and costs); avoid lock-in by a single Cloud Service Provider by accessing a broader portfolio of IT resources.

Therefore, organizations that choose multi-cloud will have to make a prudent and strategic choice, and - in order not to make mistakes - evaluate and plan, before moving on to implementation, considering the aspects concerning both technology and processes.

Only a deep knowledge of all cloud environments can guarantee a satisfactory outcome in terms of performance and flexibility of the important investments to be made. Regardless of whether it is a public or private cloud to distribute a particular service, the choice should always be functional to satisfy detailed IT needs, deriving in turn from a strategic framework perfectly consistent with the objectives of the entire company business.

Federica Maria Rita Levelli, Alessandro Rugolo

Thanks to all members of the SICYNT group for their comments / suggestions

1 Effect whereby a company that buys a certain technology from a vendor is unable to change vendor or is forced to acquire products from the same vendor, wanting to change vendor would in fact be too expensive.

2 It means having the servers at your company headquarters.

3 It is a type of software that serves as an interface between two different software.

4 Latency indicates the delay in data transfer.

5 SaaS, PaaS and IaaS are forms of leasing that involve software, IT infrastructure or platforms.

7 To learn more about IaaS: What is IaaS? | Oracle .

9 To know more : Kubernetes .

10 Silos, in the world of cloud computing, are instances in which business processes and data are confined. To know more: The danger of cloud silos | info world

11 Due diligence is a process that allows you to analyze the value and health of a company in order to determine the desirability of an investment, merger, acquisition or any business relationship. To know more: What is Due Diligence, what is it for, examples and duration - DOGMA

rheinmetal defense