Approaching Multicloud API Security Using “Metacloud.”
David S. Linthicum
dlinthicum@deloitte.com

NewBook

Why Are We Here?

Multicloud Interoperability is Crucial
36%
56%
Fully
Interoperable
"Some Level" of
Interoperability
Respondents Report on their
Cloud Interoperability
Source: 2022 Enterprise Cloud Index, which is based on a survey of 1,700 IT decision makers globally.
87% Respondents agree multiclouds require simpler cross-platform tools,
dashboard and configuration approaches
What are the Top
Multicloud Challenges?
38%
38%
42%
43%
49%
49%
Capacity Planning Across
Infrastructures
Application Mobility
Performance Across
Network Overlays
Cost
Data Integration
Security

KeyDriversforaMulticloudEnvironment
An IDC study found that 86% of enterprises predict that they will need a Multicloud approach to support their solutions within the next two years
Multicloud Adoption Drivers Multicloud Environment Benefits
Reduce cloud spend through competitive negotiation
Increase business agility through greater access to
the latest technologies across multiple providers
Meet current and future requirements of governance,
security, privacy, risk management and compliance
regulations
Reduce vulnerability risk by
limiting blast radius with multiple
Cloud Service Providers
Reduce latency caused by
exploding data volume on single
cloud service provider platform
Reduce operating cost with more
competitive price
Offers true flexibility to implement
solutions that best fit each
business workload to optimize
performance
Adopt the latest technologies
from different leading service
providers
Improve geographic presence
and disaster recovery in
response to outages
Business Continuity Technology Innovation
Data Gravity Reduction
Service Flexibility
Cost Reduction
Vulnerability Mitigation
Gain autonomy by minimizing vendor lock-in
Improve resiliency and reliability by distributing
workloads across multiple cloud service providers
Optimize the best of breed of cloud computing
solutions across the various Cloud Service Providers

Business Innovation
Supported
Leveraging Best-Of-Breed
Technology Available
Business
Value Created
Need for Innovation
Innovationis the driver.
Business Innovation
Supported
Leveraging Best-Of-Breed
Technology Available
Business
Value Created
Need for Innovation

The General Issue

Thebasicideabehindmulticloudsecurity.
PROTECT DETECT RESPOND TRACK

Multicloud/cloudAPIsecurityrisks
Broken object-level authorization. BOLA
occurs when a request can access or modify
data the requestor shouldn't have access to,
such as being able to access another user's
account by tampering with an identifier in the
request.
Broken function-level authorization. This
arises when the principle of least privilege
(POLP) isn't implemented, often as a result of
overly complex access control policies. It
results in an attacker being able to execute
sensitive commands or access endpoints
intended for privileged accounts.
Broken user authentication. Like BOLA, if the
authentication process can be compromised,
an attacker can pose as another user on a one-
time or even permanent basis.
Excessive data exposure. API responses to a
request often return more data than is relevant
or necessary. Even though the data may not be
displayed to the user, it can be easily examined
and may lead to a potential exposure of
sensitive information.
Improper asset management. API
development and deployment is usually fast-
paced, and thorough documentation is often
omitted in the rush to release new or updated
APIs. This leads to exposed and ghost
endpoints, as well as a poor understanding of
how older APIs work and need to be
implemented.
Lack of resources and rate limiting. API
endpoints are usually open to the internet and,
if there are no restrictions on the number or
size of requests, are open to DoS and brute-
force attacks.
Injection flaws. If request data isn't parsed and
validated correctly, an attacker can potentially
launch a command or SQL injection attack to
access it or execute malicious commands
without authorization.
Mass assignment. Software development
frameworks often proved the functionality to
insert all the data received from an online form
into a database or object with just one line of
code -- known as mass assignment -- removing
the need to write repetitive lines of form-
mapping code. If this is done without
specifying what data is acceptable, it opens a
variety of attack vectors.
Source: https://www.techtarget.com/searchapparchitecture/tip/10-API-security-guidelines-and-best-practices

Data
Orchestration
Service/API
Management &
Development
Network
Management
Logical
Abstracted
Storage
and
Data
Resource
Management
Logical
Abstracted
Services
Management
Devices
Applications
Cloud-
Based
Databases
Consumer/Producer Pool
Partner Clouds
Virtual
Databases
(Abstraction)
OLTP Analytical Common
Storage
Services
Special
Purpose
Management/Monitoring/CloudOps/Complexity
Management
Security
and
Governance/SecOps&GovOps
Cloud
Service
Brokering
Data
Focused
Multicloud
Service
Focused
Multicloud
Applications
Abstracted
Compute
Orchestration
and
Process
Native APIs
Application Services/Microservices
Data Integration
Public Clouds Private Clouds
Legacy
Infrastructure
Management
Cost
Governance
Multicloud is not complex…oh wait.

Security Risk and Costs
Growth of Complexity
Three Clouds
Two Clouds
Start
N Clouds
Complexity = API Security Risk

Number of
Cloud-Based
Systems
Complexity
Number of
Traditional
Systems
Star
t
Tipping
Point
Hitting the “API Complexity Wall”

Cost
Complexity
Star
t
Negative
Value
Finding “Negative Value.”

Multicloud API security issues
Authentication and
Authorization
Data Protection
API Gateway Security
Compliance
Visibility and Monitoring

The Solution

Movingfromsingleclouddeployments
Cloud
A
Storage Database APIs
Database A
Database B
Compute Platform APIs
Platform A
Platform B
Misc. cloud
services APIs
AI
Development
Operations
Governance
Security

Data
Orchestration
Service/API
Management &
Development
Network
Management
Logical
Abstracted
Storage
and
Data
Resource
Management
Logical
Abstracted
Services
Management
Devices
Applications
Cloud-
Based
Databases
Consumer/Producer Pool
Partner Clouds
Virtual
Databases
(Abstraction)
OLTP Analytical Common
Storage
Services
Special
Purpose
Management/Monitoring/CloudOps/Complexity
Management
Security
and
Governance/SecOps&GovOps
Cloud
Service
Brokering
Data
Focused
Multicloud
Service
Focused
Multicloud
Applications
Abstracted
Compute
Orchestration
and
Process
Native APIs
Application Services/Microservices
Data Integration
Public Clouds Private Clouds
Legacy
Infrastructure
Management
Cost
Governance
Deployed multicloud – abstraction and automation is key
Abstract
to
remove
complexity

Why abstraction and automation?
• A reaction to the fact that cloud API
implementations are becoming more
complex.
• The increased API complexity is
causing some negative value for
cloud deployments.
• The movement to hybrid and
multicloud is only accelerating.

Solutions in a nutshell
Cross Cloud API Security
Automation/abstraction
API
Data Movement
API
Data Processing
API
Service Processing
Abstraction/automation
API
Data
API
Services
API
Platforms
API
Knowledge/AI
API
Security
API
Development
API
Etc.
Cloud A Cloud B Cloud C

Example: Service Abstraction
• Heterogenous
Services
Complex
Services and
Microservices
• Service
Virtualization
Abstract
Services
Applications
Humans

• The trick of building composable
services is building at the right level of
granularity
• Challenges
• Engraining business logic into code
• Decomposing legacy services that
are not fine-grained enough
• Method
• Top-down process decomposition, vs.
bottom-up service development
• Must be iterative
Challenge:ServiceGranularity

The Approach: Automation of Abstract Resources
Step 1
• Service/API
invocation 1
• Oracle Database
Step 2
• Service/API
invocation 2
• Windows NT
Step 3
• Service/API
invocation 3
• Linux system
Orchestration
Common Security

Cloud
A
Storage
Database A
Database B
Compute
Platform A
Platform B
AI
Development
Cloud
B
Storage
Database A
Database B
Compute
Platform A
Platform B
AI
Development
Cloud
C
Storage
Database A
Database B
Compute
Platform A
Platform B
AI
Development
API Secuirty
API Security
API Security
To multicloud deployments

Common
API
security
Cloud A
Storage
Database A
Database B
Compute
Platform A
Platform B
AI
Development
Cloud B
Storage
Database A
Database B
Compute
Platform A
Platform B
AI
Development
Cloud C
Storage
Database A
Database B
Compute
Platform A
Platform B
AI
Development
Complexity in
a domain
Job 1: Reduce Complexity

Cross-Cloud Services:
Operations, API Security, Governance, Development, Deployment, Service Management,
Services Brokerage, Integrated AI, Data Integration, Etc.
Cloud A
Storage
Database
A
Database
B
Compute
Platform
A
Platform
B
AI Dev
Cloud B
Storage
Database
A
Database
B
Compute
Platform
A
Platform
B
AI Dev
Cloud C
Storage
Database
A
Database
B
Compute
Platform
A
Platform
B
AI Dev
Rise of the ”Supercloud” or ”Metacloud”

Cloud
A
Security
Storage
Database A
Database B
Compute
Platform A
Platform B
AI
Developme
nt
Cloud
B
Security
Storage
Database A
Database B
Compute
Platform A
Platform B
AI
Developme
nt
Cloud
C
Security
Storage
Database A
Database B
Compute
Platform A
Platform B
AI
Developme
nt
Security
Orchestration,
Observability,
Access
Management,
Directory
Services,
API
Secuirty,
Etc.
Modern Cross-Cloud
Security Approaches

Observability
and Security
What's
happening?
What's
likely to
happen?
How will
it
happen?
How to
defend?
How can we
stop this from
happening in
the future?
Security Observability is Key

I'm going to
breach
cloud data.
I've found
an attack
vector.
Breach
attempt.
Attempt
detected
and
analyzed.
Learning
data
generated.
Defensive
posture
adjusted.
Repeat
Leveraging AI as a Security Weapon

Approaching the Problem

Key Considerations
Modernization
Migration
Security and Privacy
Monitoring
Complexity Management
Innovation
Use Cases
Deployments
DevOps & Agile
Financial Management
7. Migrate
Code Migration
Migration Verification
Operations Planning
5. Cloud Complexity Management (abstraction, automation, complexity mediation, complexity in domains)
6. Skills Gap Analysis and Augmentation Planning
1. Plan & Assessment
4. Common Services
3. Operations Planning
2. Target Solution Planning
Common Security Services (data protection, identity, access, MFA, monitoring, scanning, encryption, compliance, SecOps)
Common Governance Services (services, cost, compliance, resource, GovOps)
Common Cognitive Services (machine and deep Learning)
Common Management and Monitoring (AIOps, CloudOps)
Data Center
Special Systems
(e.g., factory robotics)
Colo/MSP
In Process / Net New
Multi-cloud
Public Clouds
Private Clouds
IoT/Edge
DevOps Chain Planning
Colo/MSP
Performance
Security
BC / DR
Governance
Cost Management
Abstraction
Automation
8. Operate
Data Migration
Resource Migration
Security Migration
Governance
Migration
DevOps Integration
SecOps
Monitoring and
Metrics Plan
Legacy/Cloud
Operations
GovOps
PerfOps
DevOps
Planning Migrate Operate
FrameworkforMulticloudExecution

RevisingtheOperatingModelinAnticipationofMulticloud
Roll out of cloud operating model can be iterative and continue to evolve over time. It can start
with establishing a Minimum Viable Operating Model leveraging 3-5 scenarios per LOB as pilots,
and evolve into a fully integrated set of cloud with business focus.
As part of the cloud transformation program, an organization needs to evolve its existing IT
Operating Model processes, workflows, roles, and governance to support the agile nature of
cloud, and transform how services are delivered in efficient manner.
Cloud
Operating
Model
Maturity
Time
360 Days
Cloud 0: Assess current state
of Operating model using the
diagnostic tool across the 8
key categories, current state
competency assessment
Cloud 1.0: Identify gaps, new roles /
capabilities, key procedures, tools, KPIs
and standards and policies across all 8
categories
Cloud 2.0: Design and formulate teams,
define processes, frameworks and test
plans to implement changes identified
in the assessment process
180 Days
90 Days
Today
Business inputs are
increasingly delivered
through ongoing iterations
of cloud services
Cloud 4.0: Achieve end state
maturity with optimized
model. Fully-integrated
capabilities aligned with
cloud organization;
Frictionless governance and
control policies in place; and
automated operations
Operating model
continues to evolve
and be refined
270 Days
Cloud 3.0: Enhance operating model,
incorporate feedback, iterate and
automate workflows and processes
Moving to multicloud increases an organization’s need to focus on maturing the operating model in response to cloud

Thank you