Whenever you sign up for a hosting account or even open a subscription with AWS or Microsoft Azure, the excitement comes in when you see all the tools that you have at your disposal. It can be confusing and daunting, but it is exciting for sure. One of the areas that sort of “turns me on” (for lack of a better term) is when you get to choose the Datacenter in which you want stuff located.
It can be anything, from where you want your website hosted to where you want your dedicated server to be stationed. While the allure of the Cloud is awesome, and its advantages are great, such as fixed pricing and the ability to scale up or down in just a matter of seconds, one thing you really need to ask, and you probably won’t get the answer to, is: “Where is my data exactly located?”
Just because you chose to have a datacenter in the US, it does not technically mean that everything in your account will be located there. For example, if your Internet Service Provider (ISP) has multiple Datacenters around the world, there is an extremely high chance that your digital assets could be scattered about as well.
A notable example of this is Microsoft Azure. It has Datacenters in many countries, and if you set up a bunch of Virtual Machines, they could be scattered about as well. This is known as “Multi Cloud Architectures”, and it can be technically defined as follows:
“Multicloud is the practice of using the services of multiple cloud providers to optimize workload performance, increase flexibility, and mitigate the risks of relying on any one vendor.”
(SOURCE: https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-multi-cloud)
There are risks in taking this approach, for example:
1) Configuration Drift:
This happens when you create a virtualized IT and Network Infrastructure, for example in Microsoft Azure. While the rules that you may have set up for your firewalls, network intrusion devices, routers, etc. may appear to have been configured in a US based Datacenter, the chances are that they could have “spilled” over to other Datacenters, so everything may not be completely equal in the end. Even the policies that you have established could also vary a little.
The risk here? These inconsistencies simply create a backdoor for the Cyberattacker to penetrate. From here, they could very easily launch a Supply Chain attack, very much like we saw with the SolarWinds one a few years ago.
2) IAM:
This is an acronym that stands for “Identity and Access Management”. Essentially this is the area of Cybersecurity where you establish the policies and rules for assigning the rights, privileges, and permissions to your employees to access shared resources. But if you set something up here in the US, there is no guarantee that it will follow the same kind of consistency in other globally based Datacenters. The huge risk here is that of password compromise, especially when it comes to super user passwords, such as those assigned to Network Administrators, Database Administrators, members of the IT Security team, etc.
3) Data:
Yes, Cloud is the best place to back up your data, and even for my tech writing business, I do this also. I do not store anything On Premises. Obviously, you will want to keep backups, and as far as possible, you will want to keep these in a US Datacenter. But once again, there is no guarantee that this will happen either. This means that if your data is stored in different datacenters around the world, it will be subject to that nation’s data privacy laws. If the laws are lax and not proactively enforced, again, this is a huge place where the Cyberattacker can easily penetrate very covertly. There is a lot they can do with your datasets, such as selling them on the Dark Web, launching Extortion Attacks, or even assuming the full and complete identities of the victims.
4) The Laws:
Back to the above, if your datasets are stored in global Datacenters, you will also be subject to their Data Privacy laws. For example, if anything is stored in a European based Datacenter, your ISP will be subject to the tenets and provisions of the GDPR. Although any ramifications will not impact you directly, it is still important to be aware of this, and to ask your ISP how compliant they are with these laws.
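The configuration drift described in item 1 can be checked for by comparing each region's rule set against the one you configured by hand. The sketch below is an added example, not code from this post or from any provider; the region names, rule names and rule fields are constructed sample data, and the baseline region is an assumption.

```python
# Added example: all regions and rules below are constructed sample data.
BASELINE_REGION = "eastus"  # assumption: the region you configured by hand


def rule(port, source, action):
    return {"direction": "inbound", "port": port, "source": source, "action": action}


REGION_RULES = {
    "eastus": {
        "allow-https": rule("443", "*", "allow"),
        "allow-ssh-admin": rule("22", "10.0.0.0/24", "allow"),
        "deny-all": rule("*", "*", "deny"),
    },
    "westeurope": {  # same rule names, but SSH is open to any source
        "allow-https": rule("443", "*", "allow"),
        "allow-ssh-admin": rule("22", "*", "allow"),
        "deny-all": rule("*", "*", "deny"),
    },
    "southeastasia": {  # default deny is missing, a leftover RDP rule exists
        "allow-https": rule("443", "*", "allow"),
        "allow-ssh-admin": rule("22", "10.0.0.0/24", "allow"),
        "allow-rdp-temp": rule("3389", "*", "allow"),
    },
}


def diff_rules(baseline, candidate):
    """Compare one region's rules with the baseline, ignoring rule order."""
    changed = {}
    for name in sorted(set(baseline) & set(candidate)):
        keys = set(baseline[name]) | set(candidate[name])
        fields = {k: (baseline[name].get(k), candidate[name].get(k))
                  for k in keys if baseline[name].get(k) != candidate[name].get(k)}
        if fields:
            changed[name] = fields
    return {"missing": sorted(set(baseline) - set(candidate)),
            "extra": sorted(set(candidate) - set(baseline)),
            "changed": changed}


def drift_report(region_rules, baseline_region):
    """Return only the regions whose rules differ from the baseline region."""
    baseline = region_rules[baseline_region]
    diffs = {r: diff_rules(baseline, rules)
             for r, rules in region_rules.items() if r != baseline_region}
    return {r: d for r, d in diffs.items() if any(d.values())}


if __name__ == "__main__":
    for region, diff in drift_report(REGION_RULES, BASELINE_REGION).items():
        print(region, diff)
```

A rule that keeps its name but changes a field (the SSH source above) is the case a simple count of rules per region would miss.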
My Thoughts On This:
In the end really, you do not have much control if any of your digital assets are being hosted and controlled in different Datacenters around the world. All you can pretty much do is just be proactive on your end, use all of the security tools that are at your disposal (for example, Microsoft Azure has a ton of them you can use at no extra cost to you), and keep an eye on any alerts that you may get from your ISP.
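One proactive check on your own end for the data location question raised in items 3 and 4: audit a resource inventory against the regions you intended to use. This is an added example, not code from this post; the inventory is constructed in the shape of `az resource list -o json` output (only `name`, `type` and `location` are used), and the allowed region set is an assumed US-only policy.

```python
import json
from collections import Counter

# Constructed sample inventory; resource names are made up for illustration.
INVENTORY_JSON = """
[
 {"name": "web-vm-01", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
 {"name": "backupvault01", "type": "Microsoft.RecoveryServices/vaults", "location": "West Europe"},
 {"name": "custdata", "type": "Microsoft.Storage/storageAccounts", "location": "EastUS2"},
 {"name": "corp-dns", "type": "Microsoft.Network/dnszones", "location": "global"},
 {"name": "legacy-disk", "type": "Microsoft.Compute/disks"}
]
"""
INVENTORY = json.loads(INVENTORY_JSON)

ALLOWED_REGIONS = {"eastus", "eastus2", "centralus", "westus"}  # assumed policy
NON_REGIONAL = {"global"}  # resources not tied to a single datacenter


def normalise(location):
    """Treat 'West Europe' and 'westeurope' as the same region."""
    return location.replace(" ", "").lower() if location else None


def audit_residency(inventory, allowed=ALLOWED_REGIONS):
    """Sort resources into policy violations, non-regional and unknown location."""
    findings = {"outside_policy": [], "non_regional": [], "unknown": []}
    by_region = Counter()
    for res in inventory:
        loc = normalise(res.get("location"))
        if loc is None:
            findings["unknown"].append(res["name"])  # no location: investigate
            continue
        by_region[loc] += 1
        if loc in NON_REGIONAL:
            findings["non_regional"].append(res["name"])
        elif loc not in allowed:
            findings["outside_policy"].append((res["name"], loc))
    findings["by_region"] = dict(by_region)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_residency(INVENTORY), indent=2))
```

Resources reported as `global` or with no location are listed separately because the inventory alone cannot tell you which datacenter holds them; those are the ones to ask the provider about.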
But for the ISP, here are some of the steps that they can take to mitigate any kind of risk:
- Maintaining a strong consistency with their digital footprint.
- Encryption must always be used, no matter what!!!
- Monitoring and logging on a real time basis is necessary, and they must make this available to you as well to keep an eye out for any abnormal or suspicious behavior.
- Network security must be implemented on a global basis, with the same kind of consistency throughout.
- They must also have failovers. For example, if a datacenter fails in one location, it must “roll over” to a new one somewhere in the world, with hardly noticeable downtime to you.