With the increasing use of multi-cloud environments, security professionals face challenges in configuration, management, and integration due to uneven security capabilities and features among providers. As a result, a fragmented approach toward security has been observed, leading to new attack vectors and potential vulnerabilities. Other research has focused on single-cloud platforms or specific applications of multi-cloud environments. Therefore, there is a need for a holistic security and vulnerability assessment and defense strategy that applies to multi-cloud platforms. We perform a risk and vulnerability analysis to identify attack vectors from software, hardware, and the network, as well as interoperability security issues in multi-cloud environments. Applying the STRIDE and DREAD threat modeling methods, we present an analysis of the ecosystem across six attack vectors: cloud architecture, APIs, authentication, automation, management differences, and cybersecurity legislation. We quantitatively determine and rank the threats in multi-cloud environments and suggest mitigation strategies.

翻译：随着多云环境的日益普及，由于不同云服务提供商的安全能力与功能参差不齐，安全专业人员在配置、管理和集成方面面临挑战。这导致了一种碎片化的安全防护方法，从而催生了新的攻击向量和潜在漏洞。现有研究多集中于单一云平台或多云环境的特定应用场景。因此，亟需一种适用于多云平台的整体性安全与脆弱性评估及防御策略。我们对软件、硬件及网络层面的攻击向量以及多云环境中的互操作性安全问题进行了风险与脆弱性分析。通过应用STRIDE和DREAD威胁建模方法，我们围绕六个攻击向量（云架构、API、认证、自动化、管理差异及网络安全法规）对生态系统进行了分析。我们对多云环境中的威胁进行了量化排序，并提出了缓解策略。