The U.S. Department of Defense (DoD) formally adopted a multi-cloud strategy with the statement made late last year that it had chosen Google, Oracle, Amazon and Microsoft as the recipients of the Joint Warfighting Cloud Capability (JWCC) contract. In an effort to make the DoD’s acquisition of cloud technology and services easier, the $9 billion contract will be shared across the four providers and is the successor to the Joint Enterprise Defense Infrastructure (JEDI) contract, which was awarded exclusively to Microsoft in 2019.
Behind the headlines, however, the significance of the JWCC goes beyond its impact on DoD technology procurement on a number of levels. First, it underlines the direction of travel in favor of multi-cloud investment and adoption across public and private sectors alike, and second, it has brought the growing role being played by zero-trust cybersecurity into even sharper focus.
So, what’s the attraction of multi-cloud? This is an approach in which organizations use multiple cloud computing services within a heterogeneous architecture. As well as the flexibility and scale it offers, multi-cloud strategies allow organizations to take advantage of the relative strengths of different providers while avoiding the downsides of vendor lock-in.
Given these—and other—increasingly compelling arguments, the market for multi-cloud is growing apace. According to industry estimates, the global multi-cloud management market is predicted to increase from just under $8 billion in 2022 to over $33 billion by 2028 at a CAGR of 27.6%.
In common with other mainstream approaches to technology infrastructure, the multicloud market is developing at a time when organizations everywhere remain under significant pressure from cybercriminals and nation-state adversaries. In the first few weeks of 2023 alone, for instance, almost 300 million records were exposed as a result of over 100 publicly disclosed security breaches worldwide. As the accompanying analysis by Luke Irwin points out, “That’s more breached records than we found in any calendar month last year, and it’s among the most incidents we’ve ever seen.”
Despite these significant risks, government and law enforcement are having some notable successes in meeting current challenges head-on. In January, for example, an international operation led by the FBI and German authorities, alongside the U.K.’s National Crime Agency, took down the multimillion-dollar HIVE ransomware service used by cybercriminals around the world since 2021.
This infrastructure was circulated on the dark web and allowed bad actors to initiate ransomware attacks, encrypt systems and demand payment. According to the NCA report linked above, “Since June 2021, the HIVE ransomware group has targeted more than 1,300 victims around the world and received more than $100 million in ransom payments.”
‘Never Trust, Always Verify’
Given these ubiquitous challenges, this is where the DoD’s multi-cloud security strategy has wider implications for other organizations. In particular, its emphasis on a zero-trust security model and how it could be used to protect systems and data across multiple cloud environments has the potential to further accelerate its adoption.
The zero-trust security model is predicated on the idea that no interaction with IT infrastructure, whether inside or outside of a network, is presumed to be trustworthy, by default. This is often summarized as a “never trust, always verify” approach to cybersecurity that has grown in importance as trust boundaries across networks and access points have increased in complexity and vulnerability.
In the context of the JWCC, recent media reports indicate that the DoD will test the security capabilities of the four multi-cloud contractors with “red team” attacks. In other words, systems will be put to the test by ethical security professionals who act as adversaries to test and attempt to defeat cybersecurity controls and protection.
According to Randy Resnick, chief of the DoD’s Zero Trust Portfolio Management Office, the object of the exercise is to “give us a way forward for recommending to the DoD whether or not we could do zero trust in the cloud.” And he went on to explain, “If … we come to the conclusion that in fact it can be done, it would be absolutely revolutionary.”
And following the publication of the Zero Trust Strategy by the DoD in November last year, this is potentially an important step in meeting the objectives set out in the 2021 Executive Order on Improving the Nation’s Cybersecurity and the need for significant improvement in protection. Success here will, no doubt, drive wider improvements elsewhere.
It will be fascinating to see how this evaluation process plays out, and success is arguably a question of “when,” rather than “if.” Indeed, for many organizations at various stages of cloud adoption, zero trust has already become their go-to strategy to ensure they can fully secure systems and data with maximum effectiveness.