Jan 11, 2023
5 min read

How To Secure Multi-Cloud Environments With Zero-Trust Access

Written By

Josh Martin

Just as zero-trust gradually took over as the predominant approach in the security industry, the concept of multi-cloud is now gaining similar traction. More vendors are claiming to offer multi-cloud security, posture enhancements, orchestration, etc. However, many enterprises are still struggling to transition just a handful of applications to the cloud.

Let’s look at why multi-cloud security can be difficult, expensive, and hinder business agility – as well as how Cyolo can alleviate all these problems.  

What is Multi-Cloud?

RedHat defines multi-cloud as “a cloud approach made up of more than 1 cloud service, from more than 1 cloud vendor – public or private.” This may sound like a hybrid cloud deployment, but multi-cloud and hybrid cloud are two unique architectures.

To offer just one example, a multi-cloud deployment could be utilizing AWS for a custom-built application, and then using cloud-hosted SAP. These are two separate services across two different disconnected clouds.  

Hybrid cloud deployments, by contrast, are interconnected. Think of an on-premises data center talking to a Google Cloud private cloud instance over SD-WAN circuits or Virtual Private Networks (VPN) tunnels. This is the most common architecture used as organizations begin digital transformation projects. Keeping that on-premises data center up and running is in many cases still more cost effective than moving entire workloads to the cloud.  

What Risks Are Associated with Multi-Cloud? 

Configuration Errors 

Working within multiple cloud providers, each with their own style of completing the same task, elevates that chance even the most experienced engineers will make errors. Configuration errors, in turn, can lead to increased costs, more time to troubleshoot potential issues, and inappropriate access to resources.   

User Access Control 

Controlling who has access to what in cloud providers is extremely difficult, given that AWS, GCP, and Azure have over 20,000 combined privilege controls. Even large enterprises with well-staffed cloud teams struggle to provide the bare minimum permissions needed for their user base. The easiest solution is just to provide wider access, which then leads to a new set of challenges and risks.


With vast identity permissions and vendor-specific logging mechanisms, maintaining accurate and up-to-date audit logs becomes almost impossible. A central logging server like a Security Information and Event Management (SIEM) can help, but there remains a need to maintain that connectivity in multiple clouds. Plus, there are times when not everything can be logged. In addition, you may be handing over your sensitive logs to a cloud vendor in a shared security model, breaking the foundational principle of zero-trust.  

Connectivity and Cost

Public cloud providers utilize the most insecure network of them all for external connectivity – the internet. There is also a plethora of configuration options for internal networking, meaning how instances and services talk to each other. Vendor-supplied security and networking controls may not be enough, with many enterprises still having to use third-party virtual firewalls or posture scanning solutions to identify potential gaps. All public cloud vendors charge based on inbound/outbound traffic usage, and these costs can be monumental for large organizations with customer-facing applications.  

Securing and Connecting Multi-Cloud, the Cyolo Way

The Cyolo zero-trust access platform is based on identities, not networks. Our approach focuses on enabling secure, direct application access to the correct, authorized, and continuously authenticated users only. Traditional remote access and connectivity methods like VPNs grant broad network access and rely on other security tools to control granular access.  

Unlike many security vendors that require organizations to change their network architecture or applications to work with their products, Cyolo is purpose-built to fit any organization at any stage of their digital transformation. Whether it’s connecting risky third-party users to legacy, air gapped resources or connecting modern applications hosted in various cloud providers to a global workforce, Cyolo enables the fastest, easiest, and most secure experience.  

The Cyolo architecture consists of two components, an Identity Access Controller (IDAC) and the Cyolo Edge. The IDAC is a lightweight Docker container that is deployed wherever your applications are hosted – on-premises, private cloud, and/or public cloud – and connects to applications based on their native protocols (HTTP(S), FTP, SSH, RDP, VNC, telnet, and more). Each IDAC installed will establish an outbound-only TLS (Transport Layer Security) connection to the closest or pre-defined Cyolo Edge. The Cyolo Edge is only responsible for routing user requests for an application to the appropriate IDAC.  

In a multi-cloud environment, Cyolo enables organizations to deploy IDACs quickly and easily across all major cloud providers, including AWS, GCP, Azure, and any system that can run Docker. Within a VPC (Virtual Private Cloud) or public subnet, the Cyolo IDAC will establish connectivity to defined applications within those networks, while effectively hiding the applications from direct internet access.  

Aside from lightweight connectivity that does not rely on SD-WAN, VPNs, or vendor-specific transit tools – Cyolo provides identity modernization capabilities such as legacy & offline multifactor authentication and single sign-on. At the same time, Cyolo can take existing investments in these technology areas and extend their capabilities down to applications not currently covered by those solutions. Ideal for a traditionally vendor-locked market space.   

Beginning Your Zero-Trust Journey

The technology market is flooded with cloud security vendors advising customers to start their zero-trust journeys with configuration management, posture management, or vulnerability scanning. But if an organization is unable even to say who has access to implement one of those technologies, then critical audit trail pieces can be missed – ultimately impacting insurance coverage or regulatory compliance.  

Orchestrating your existing identity providers into a single digital identity, and then applying granular access policies based on that identity is a project that simply must be undertaken as a preliminary step in your journey to zero-trust. In a world where identity is the new perimeter and the most threatened exploit, it simply does not pay to start anywhere else.  

Josh Martin


Josh Martin is a security professional who told himself he'd never work in security. With close to 5 years in the tech industry across Support, Product Marketing, Sales Enablement, and Sales Engineering, Josh has a unique perspective into how technical challenges can impact larger business goals and how to craft unique solutions to solve real world problems. Josh joined Cyolo in 2021 and prior worked at Zscaler, Duo Security, and Cisco.

Outside of Cyolo, Josh spends his time outdoors - hiking, camping, kayaking, or whatever new hobby he's trying out for the week. Or, you can find him tirelessly automating things that do NOT need to be automated in his home at the expense of his partner. Josh lives in North Carolina, USA.

Subscribe to Our Newsletter