Moving to the cloud is becoming a business necessity. It has been proven to be less expensive to maintain infrastructure in the cloud compared to owning and maintaining both devices and space for on-premises infrastructure. Cloud infrastructure increases mobility and productivity. It is more flexible and scalable than on-premises, since the cloud allows you to establish and change capacity on demand as business needs grow and change. Many cloud platforms also offer automated updates, making it easier to keep software current. Adopting cloud technologies can increase resilience and reliability of services, and make disaster recovery easier. And, from a financial standpoint, it often makes sense to move as much of IT as possible from a capital expense to an operating expense. Cloud makes all of these advantages possible.
However, cloud services do not work exactly the same way as on-premises services do. Many companies think they can move their infrastructure to the cloud and then keep going without making fundamental changes to their security protocols. But moving from on-premises infrastructure to the cloud is not a trivial switch, and cloud migration security risks accompany the many advantages. A recent report revealed that in 2018 and 2019 alone, cloud misconfigurations led to the exposure of nearly 33.4 billion data records, with the number of breaches rising 42% from 2018 to 2019.
Knowledge of how cloud services work, what data must go into the cloud in order for specific services to work, and how services can be designed in order to keep that data secure is an integral part of any plan for cloud migration.
Planning for a Successful Cloud Migration
To move successfully to the cloud and take advantage of its benefits, make sure that, from the beginning, your migration plan takes both your business needs and your security needs into account.
Think about how software is developed. You don’t start by writing code. Before starting to code an application, you have to figure out, first of all, what it is intended to do. Then, with that idea in place, you can design how to implement those features in a manner that is both secure and functional. Then, with that roadmap in place, you are ready to start coding your application.
Planning for a cloud migration works the same way. Just like you don’t start application development with lines of code, you don’t start cloud migration with signing contracts and moving data. You start with a goal, and then plan how to achieve that goal in a secure and functional manner. If you ask the right questions from the beginning, you set yourself up for long-term success in the cloud.
Migrating to the cloud takes detailed planning. There are two common approaches to application migration: rehosting (“lift-and-shift”), or rearchitecting and refactoring the applications for the cloud. Though the lift-and-shift route may be quicker at first, it is often a recipe for disaster, and it does not take advantage of the full benefits of cloud services. Taking the time to learn whether an application can be refactored to use the full range of capabilities and efficiencies that the cloud offers can lead to a more successful cloud presence in the long term.
Asking the Right Cloud Migration Security Questions
To set yourself up to face cloud migration security challenges, make sure to ask yourself these questions as you plan your move.
How well are your company’s security policies built for moving to the cloud?
Regular consideration and revision of security policies should already be part of your business processes. As new technologies and new threats arise, your security policies need to take them into account. They must also provide useful guidance for how to secure your business against them.
The case of the cloud puts this into stark relief. After all, if your policies were written to take into account only on-premises infrastructure, how actionable will they be when trying to apply their principles to operation in the cloud? They probably will not be very useful.
Before moving to the cloud, prepare your security policies. Talking to all stakeholders will help you consider what policies are necessary to enable cloud migration goals while continuing to satisfy security and compliance requirements. Once you have gathered and considered that input, you will be in a better position to draft policies that meet your goals.
What data can go into the cloud?
Data classification lies at the core of many security initiatives. That was true in the on-premises days, and remains true even in this new world of cloud computing. If you do not know what types of data you maintain, which types of data are required for particular operations or transactions, and who needs to have access to that data under a least privilege model, you are not in a position to protect that data.
This need for data classification applies to all kinds and sizes of companies. Whether you are a global financial institution, a small local business, or anything in between, you have sensitive data that belongs to customers and employees. It is your responsibility to safeguard that data, and you risk sacrificing time, money, or reputation if you are unable to do so. Concerns of data classification apply to any kind of cloud services usage. Whether your business is planning to use Google Docs for a few things or move most of your IT to a large-scale AWS deployment, you must consider what data that cloud platform will see, and whether your business can effectively secure that data in that platform.
What are your data residency requirements?
Many industries have to consider issues of data residency. This is always a question, but it takes on a new urgency when moving to the cloud.
With on-premises infrastructure, your business controls exactly where sensitive data is kept. But, in a cloud platform, that may differ. Even if main copies of data are kept in one country, backups may be kept in another country. Depending on the data residency requirements that apply, this may run you afoul of data privacy laws, either in your own country or in the countries where the data may be stored or moved.
This is a question that you must consider before moving to the cloud, to identify where data may reside while remaining compliant. It requires continued consideration and discussion with cloud service providers as you consider which services to adopt, since different cloud providers offer different data residency options.
What capabilities and responsibilities does a cloud provider have?
Different cloud providers have different implementations of the Shared Responsibility Model, as well as different options for data residency and security. What customers must do to carry their side of the responsibility for data differs across the major cloud providers (Amazon, Google Cloud, and Microsoft). Differences in policies and responsibilities also exist across platforms or services in the cloud.
Before locking your business into a particular service or plan, you must make sure that a provider’s security options suit your needs. That is a crucial phase of due diligence. And, once you select a provider and begin to migrate, your plan should include actionable steps toward approving, documenting, and securing instances of cloud services. This allows you to make it as easy as possible for security and IT teams to implement the policies, and therefore prevent issues such as unapproved cloud usage or data exposure through misconfigured buckets.
What questions have other companies asked?
Though every cloud migration is different, every successful cloud migration does the fundamentals well. It is worth learning what other businesses, especially others in your industry, considered before migrating to the cloud. In addition to trusted colleagues and leaders, information security industry organizations can provide trusted guidance. Specifically, the Cloud Security Alliance releases guidelines to help businesses build and maintain a strong foundation for their work in the cloud.
The Importance of Communication
You will be in the best position to solve security challenges during cloud migration if there is open and consistent communication between the different parts of your business. This includes security and IT, but is also much broader than that. You will want input from legal, since there are questions of terms, conditions, contracts, and liability. The finance team will also help, since becoming more cost-effective is so often one of the drivers of a migration in the first place. Human resources will also want to weigh in, as cloud migrations often lead to questions of hiring people with cloud expertise. Consulting with all stakeholders helps make sure all business goals of the cloud migration are being met.
In addition to internal stakeholders, there is much to be gained by working with an external partner who is experienced in cloud migrations. A partner can help you achieve cloud migration success by bringing a broad range of cloud migration experience to the table, including first-hand insight about what works and what doesn’t. However, choosing that partner and asking them the right questions about their experience and their approach also matter. They need both the right technical experience and the ability to learn your business, break down the silos between business groups, and help you build a stronger cloud migration plan.
Learn More About Cloud Migration Security Success
Like most businesses, you are either thinking about migrating to the cloud or increasing operations in the cloud. The flexibility and cost savings are a competitive advantage that you cannot pass up. However, in order to avoid the time, money, and reputation costs of a data breach, as well as to save time and money through the course of the migration, you need to plan carefully and ask the right cloud migration security questions.
Security Compass Advisory is an industry leader in cloud security. In addition to our years of experience with cloud technologies, our collaborative and communicative approach means we work with you to learn your business, help break down the silos between departments, and design cloud security that helps you reach your goals. If you are looking for a cloud security partner that puts your business needs front and center, talk to one of our expert advisors.