Multi-cloud
Multi-cloud refers to an IT strategy where an organization uses cloud services from more than one cloud provider concurrently – for example, running some workloads on Amazon Web Services (AWS), others on Microsoft Azure, and maybe others on Google Cloud Platform (GCP). Instead of relying on a single cloud, the company spreads its infrastructure or applications across multiple clouds, choosing the best features or cost structures from each.
Multi-cloud can also include private clouds or on-premises infrastructure in the mix, but the term usually implies multiple public cloud providers. The reasons for multi-cloud vary: avoiding vendor lock-in, leveraging specific strengths of each platform (maybe Google’s AI services and AWS’s IoT suite), or improving resiliency by not having “all eggs in one basket.”
From an architecture perspective, multi-cloud means more complexity – you have different environments with their own consoles, APIs, and identity management systems. It’s not the same as hybrid cloud (which is about mixing on-prem with cloud); multi-cloud is specifically multiple different cloud ecosystems.
For example, a company’s e-commerce app might run in AWS, but their analytics and machine learning pipeline might run in GCP. Multi-cloud requires a strategy to manage these disparate platforms in a coherent way.
How does it affect identity security?
Multi-cloud environments introduce significant identity security challenges. Each cloud provider has its own IAM framework (AWS IAM, Azure AD, GCP IAM, etc.), and ensuring that identities (users, service accounts, roles) are managed consistently across all of them is non-trivial. Without a strong strategy, it’s easy for an account that was offboarded in one cloud to remain active in another, or to have vastly different permission sets in each cloud (creating an oversight gap).
Attackers can take advantage of the weakest link: for instance, if your Azure environment has a misconfigured identity with a weak password or no MFA, that could be the entry point even if your AWS is locked down.
Therefore, identity security in multi-cloud means centralizing visibility and control. Many organizations adopt a federated identity approach – using a primary identity provider (like an enterprise SSO/IDP) that is linked to each cloud, so that creation and deletion of accounts happen in one place. It’s also important to enforce uniform policies, such as MFA for all cloud admin logins and proper role definitions, across every cloud.
From a governance perspective, multi-cloud identity security often uses Cloud Infrastructure Entitlement Management (CIEM) tools to discover and right-size permissions across clouds. The importance is underscored by breach statistics: a large percentage of companies report that managing security in multi-cloud is a top concern, and many have experienced cloud security incidents due to lack of uniform controls.
In summary, if you go multi-cloud, you must ensure your identity security extends to all those clouds – which means extra work to unify policies, monitor identities in multiple places, and close any platform-specific gaps that could be exploited.
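The checks described above (offboarded accounts that remain active in one cloud, admin logins without MFA, and permission sets that differ between clouds) can be expressed as a reconciliation of per-cloud identity exports against the identity provider's roster. The following is an added example, not code from any vendor or cloud SDK; the record fields, finding names and sample data are constructed assumptions, and "drift" is simplified to "admin in some clouds but not others".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CloudIdentity:
    cloud: str      # provider the account lives in
    principal: str  # account name as exported from that provider
    owner: str      # IdP user it maps to; "" when nobody owns it
    human: bool     # False for service accounts and roles
    admin: bool     # holds an administrative role in that cloud
    mfa: bool       # MFA enforced on interactive login

# Constructed sample data: the IdP's active users and one merged export per cloud.
IDP_ACTIVE = {"alice@example.com", "bob@example.com"}
INVENTORY = [
    CloudIdentity("aws", "alice", "alice@example.com", True, True, True),
    CloudIdentity("azure", "alice", "alice@example.com", True, True, False),
    CloudIdentity("aws", "bob", "bob@example.com", True, False, True),
    CloudIdentity("gcp", "bob", "bob@example.com", True, True, True),
    CloudIdentity("gcp", "carol", "carol@example.com", True, False, True),
    CloudIdentity("aws", "ci-deploy", "", False, True, False),
]

def audit(idp_active, inventory):
    """Return sorted (finding, cloud, principal) tuples for cross-cloud identity gaps."""
    findings, by_owner = [], {}
    for ident in inventory:
        if not ident.owner:
            findings.append(("UNOWNED", ident.cloud, ident.principal))
        elif ident.owner not in idp_active:
            # Offboarded centrally but still present in this cloud.
            findings.append(("ORPHANED", ident.cloud, ident.principal))
        else:
            by_owner.setdefault(ident.owner, []).append(ident)
        # MFA applies to interactive (human) admin logins only.
        if ident.human and ident.admin and not ident.mfa:
            findings.append(("ADMIN_NO_MFA", ident.cloud, ident.principal))
    for idents in by_owner.values():
        # Same person, admin in some clouds only: permission sets have drifted.
        if len({i.admin for i in idents}) > 1:
            findings += [("PRIVILEGE_DRIFT", i.cloud, i.principal) for i in idents if i.admin]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(IDP_ACTIVE, INVENTORY):
        print(*finding)
```

A `PRIVILEGE_DRIFT` finding is a prompt for review rather than proof of a problem, since a person may legitimately administer only one platform.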
Case study
A well-known multi-cloud-related breach was Capital One (2019), which, while it occurred in AWS, prompted many banks to scrutinize their cloud setups across providers.
Another is the 2017 Accenture incident, in which the company inadvertently exposed sensitive data in unsecured AWS S3 buckets.