A growing number of organizations are adopting cloud-based services driven by digital transformation, the desire to cut costs, and the need to support remote working. As a result, most organizations have ended up with a mixture of on-prem and cloud-based infrastructure because of the challenges in shifting all existing services to the cloud, with many adopting a phased approach.

The majority of IT environments, therefore, are now hybrid with legacy applications and some business-critical data remaining on-prem or in managed hosting solutions.

At the same time, organizations are typically using multiple cloud services with office productivity tools from one CSP (Cloud Service Provider), a CRM system from another CSP, and a test and development service from yet another one. The problem is further exacerbated by the fact that most organizations are also using multiple CSPs for infrastructure services (IaaS).

The result is that many organizations are currently running hybrid IT and multi-cloud environments. Multi-cloud environments mixed with private clouds and on-prem infrastructures (multi-hybrid) are the new normal. This creates significant challenges relating to governance, management, security, and compliance.

Many organizations find themselves in the situation of trying to manage and secure a hybrid, multi-cloud environment where none of these things were given adequate consideration in the rush to meet the needs of the business as quickly as possible.

Ideally, there needs to be a consistent IT governance and management approach to enable trust in the CSP to be assured through a combination of internal processes, standards, and independent assessments.

The governance process must clearly define the organization’s business objectives of using cloud services, and the policies and constraints for their use. This ensures that cloud services are obtained to support defined business objectives and will conform to the organizational policy, risk appetite, and compliance requirements.

The procurement process should include an assessment of the risks related to the specific use of the cloud. This should produce as output a list of the mitigating controls that are required.

The cloud service customer must ensure that the controls for which it is responsible are implemented. However, since the delivery of the cloud service is outside the direct control of the customer, it must gain assurance that the service is delivered securely to the agreed specification.

The hybrid IT and multi-cloud environment presents a complex management challenge, particularly in the areas of security and compliance. Therefore, it is vital that organizations consider the security, management, and compliance factors when selecting cloud services, and that they implement a governance-based approach and the tools they require to support it, including tools that enable entitlement management across hybrid cloud assets for security and compliance.

Ultimately, the aim should be to provide visibility over hybrid-cloud assets, provide governance over hybrid-cloud assets, and provide remediation over hybrid-cloud assets.

Identity and Access Management (IAM) is at the core of the digital transformation, at the core of cybersecurity, and at the core of regulatory compliance.

— Mike Small, Senior Analyst, KuppingerCole.

Because we understand the importance of managing and securing hybrid IT and multi-cloud IT environments, and because we are committed to helping your business succeed, KuppingerCole has a great deal of content available in a variety of formats.

This includes live events such as the 2022 KuppingerCole European Identity and Cloud (EIC) Conference taking place in Berlin and online from 10-13 May.

The EIC agenda features a keynote presentation entitled: Model, Measure, Manage - The Journey to Autonomous Security in a Hybrid Multi-Cloud World and a panel discussion on: Multi-Cloud Agility Must-Haves.

Other notable presentations include this one on Dealing with Multi-Cloud, Multi-Hybrid, Multi-Identity: Recommendations from the Field, this one on Demystifying CIEM for an Effective Multi-Cloud Security Enablement, and this one on Identity in Polyglot Cloud Environments.

For a discussion of the architectural considerations of MFA & passwordless authentication in hybrid cloud and multi-cloud environments and guidance on how to select and combine best-of-breed solutions to fit the needs of your enterprise, attend this Deep Dive session on MFA, (E-)SSO & Passwordless in Hybrid & Multi-Cloud. For a wider discussion on practical approaches to security architecture, attend this session on: Cyber Security Architectures in a Hybrid World.

Topic Overview

A good place to start is with a step-by-step guide to mitigate risks and achieve strong security in this Insight entitled: Stairway to Cloud Security. This provides an overview of the objectives of cloud security, cloud service and deployment models, the shared responsibility model, the benefits of using cloud services, the risks, best practices, and how to find the right cloud security solution.


For short, incisive takes by our analysts on tackling the security, management, and compliance issues associated with hybrid multi-cloud environments, have a look at this blog post on Managing the Hybrid Multi Cloud, and this blog post on Managing Access and Entitlements in Multi-Cloud Multi-Hybrid IT, which introduces the KuppingerCole concept of Dynamic Resource Entitlement and Access Management (DREAM).

Have a look at this blog post on Making DevSecOps a Reality and Going Beyond – Introducing SODAS (Secure Operations & Development of Agile Services), which integrates with the DREAM paradigm, and this blog post on IT for the Digital Age: Introducing BASIS – Business-Driven Agile Secure IT as a Service, which also integrates with the DREAM paradigm.


If you would prefer to hear our analysts talk about the DREAM paradigm, listen to this Analyst Chat entitled: DREAM - Policies and Automation for All of Today's IT.

For a discussion on how to achieve automation of management and security across the entire multi-hybrid, multi-cloud IT infrastructure based on well-defined policies, listen to this Analyst Chat entitled: Policies and Automation to Secure Your Agile and Dynamic IT Environment.

For a more in-depth discussion of the DREAM paradigm, have a look at this presentation entitled: Mastering Complexity in Your Multi-Cloud & Multi-Hybrid IT.

Have a look at the following list of presentations from past KuppingerCole events that address various ways of dealing with security, management, and compliance in hybrid, multi-cloud. Choose the titles most relevant to your needs and interests.


Organizations now commonly use multiple cloud services as well as on-premises IT. This KuppingerCole Architecture Blueprint provides a set of building blocks needed to design, implement and integrate security for the Hybrid Cloud: Hybrid Cloud Security.

For an overview of the approach that enables an organization to securely and reliably use cloud services to achieve business objectives, have a look at this Advisory Note entitled: Security Organization, Governance, and the Cloud.


The themes of security, governance, information protection, and access control in hybrid, multi-cloud environments have been explored in various webinars. Choose from the list below the ones that are most relevant to your organization or interests:


Our analysts have written a series of Whitepapers that discuss approaches to improving security and governance in hybrid, multi-cloud environments. Choose the ones most appropriate to your organization from the list below:

Tech Investment

Learn more about the technology market segments that support organizations’ need to improve security and governance of hybrid, multi-cloud environments by looking at these Leadership Compass reports on:

Organizations investing in technologies to manage and secure hybrid, multi-cloud IT environments can have a look at some of the related technology solutions that we have evaluated: