How to Build Your Cloud Migration Security Strategy
Moving to the cloud is becoming a business imperative. Cloud technologies are flexible and scalable, and less expensive to maintain than on-premises solutions, allowing organizations to easily adapt to changing business needs. The only real obstacle to the move is cloud migration security concerns.
Cloud services do not work the same way as on-premises services. Many companies believe they can move their infrastructure to the cloud without having to fundamentally change their security protocols. However, moving from on-premises infrastructure to the cloud is not a trivial move, and the many benefits of cloud migration come with security risks. A 2020 report found that cloud misconfigurations led to the disclosure of nearly 33.4 billion records in 2018 and 2019 alone, with the number of security breaches increasing by 42% from 2018 to 2019.
Understanding how cloud services work, what data needs to go to the cloud for certain services to work, and how services can be designed to keep that data safe is an essential part of any secure cloud migration.
What Makes a Successful Cloud Migration?
Making a secure cloud migration successful requires detailed planning. There are two common approaches to application migration: rehosting (or “lift and shift”) and rearchitecting and refactoring applications for the cloud. While the lift-and-shift route can be quicker, it’s often a recipe for disaster and doesn’t take full advantage of cloud services.
With any cloud migration, remember that you are moving workloads from on-premises infrastructure to the cloud, which has its own security considerations and requirements. Taking the time to learn if an application can be refactored and considering the full range of features and efficiencies that the cloud offers can lead to a more successful cloud presence over the long term without sacrificing data security.
Think about how software is developed: you don’t start by writing code. Before you start programming an application, you need to figure out what you want it to do. With that idea in mind, you can then plan how to implement the required functionality in a safe and functional way. Only when this roadmap is complete can you start actually programming your application.
Planning a cloud migration works the same way. Just as you don’t start application development with lines of code, you don’t start your cloud deployment by signing contracts and moving data. You start with a goal. Then plan how to achieve that goal in a safe and functional way. Anyone who asks the right questions from the start prepares for long-term success.
Five questions to ask as part of your cloud migration security strategy
As you plan your move, be sure to ask yourself the following questions to prepare for the security challenges of cloud migration:
1. How well is your organization’s security policy designed for moving to the cloud?
Regular review and revision of security guidelines should already be part of your business processes. As new technologies and new threats emerge, your security policies need to accommodate them. You must also provide useful guidance on how to protect your business from threats.
The case of cloud adoption makes this clear. After all, if your policies were written just to take on-premises infrastructure into account, how enforceable are they when you try to apply them to operations in the cloud? They’re probably not well suited to the unique challenges of a cloud environment.
Before moving to the cloud, prepare your security policies and review your security controls. Conversations with all stakeholders will help you consider what policies are needed to meet cloud migration goals while still meeting security and compliance requirements. Once you have gathered and considered this input, you will be in a better position to design policies that meet your goals.
2. What data can go to the cloud?
Data classification is at the core of many security initiatives. That was true in the on-premises days and is true in the world of cloud computing as well. If you don’t know what types of data you maintain, what types of data are required for specific operations or transactions, and who needs access to that data under a least privilege model, you cannot protect that data.
This need for data classification applies to all types and sizes of business. Whether you’re a global financial institution, a small local business, or anything in between, you have sensitive data that belongs to customers and employees. It is your responsibility to protect this data and you risk sacrificing time, money and reputation if you are unable to do so.
Data classification concerns apply to any type of cloud service usage. Whether your company plans to use Google Docs for a few things or offload most of your IT to a large-scale AWS deployment, you need to consider what data that cloud platform will see, whether your company will be able to access that data, and whether the platform can effectively secure it.
3. What are your data residency requirements?
Many industries must address data residency issues. This is always a concern, but it takes on new urgency when moving to the cloud.
With an on-premises infrastructure, your organization controls exactly where sensitive data is kept. However, this can be different with a cloud platform. Even if master copies of data are kept in one country, backups can be kept in another country. Depending on the applicable data residency requirements, doing so may put you in conflict with data protection laws, either in your own country or in the countries where the data may be stored or moved.
This is a question you need to ask yourself before moving to the cloud to determine where data can reside while remaining compliant. It requires ongoing thought and discussion with cloud service providers when considering which services to adopt, as different cloud providers offer different data residency options.
4. What capabilities and responsibilities does a cloud provider have?
Different cloud providers implement the shared responsibility model differently and offer different options for data residency and security. Both the implementations of the model and the requirements for what customers must do to take responsibility for their data differ among the major cloud providers (Amazon, Google Cloud and Microsoft). Policies and responsibilities also differ between platforms and services in the cloud.
Before locking your business into a specific service or plan, you need to make sure a provider’s privacy options meet your needs. This is a crucial phase of due diligence. And once you’ve selected a provider and started the migration, your plan should include actionable steps to approve, document, and secure instances of cloud services. This way, you can make it as easy as possible for security and IT teams to implement the policies and prevent issues like unauthorized cloud usage or data exposure from misconfigured buckets.
5. What questions have other companies asked?
While every cloud migration is different, every successful cloud migration thoroughly covers the basics. It’s important to learn what other companies, particularly others in your industry, are considering before migrating to the cloud. In addition to talking to trusted peers and leaders, information security industry organizations can also provide trusted guidance. Specifically, the Cloud Security Alliance publishes guidelines to help organizations build and maintain a strong foundation for operating in the cloud.
The importance of communication when moving to the cloud
You are best able to solve security challenges during your cloud migration when there is open and consistent communication between the different parts of your organization. This includes security and IT, but that’s not all. You will need input from the legal department, as there are questions about terms, contracts and liability. The finance team is also helpful here, as becoming more cost-effective is often a key driver of a cloud migration. HR will also want to get involved, as cloud migrations often result in the need to hire people with cloud expertise. Consultation with all stakeholders helps ensure that all cloud migration business goals are met.
In addition to internal stakeholders, there is much to be gained by working with an external partner who has experience with cloud migrations. A partner can help you achieve a successful cloud migration by bringing a wide range of cloud migration experiences, including first-hand insights into what works and what doesn’t. However, it is also important to choose the best partner and to ask the right questions about their experience and approach. You will need a partner with technical experience and the ability to understand your business, break down the silos between business groups and help you create a stronger cloud migration plan.
Learn more about the success of cloud migration security
Migrating to the cloud and expanding operations in the cloud is a great move for most businesses. The flexibility and cost savings are a competitive advantage that you cannot do without. However, to avoid the time, money, and reputation costs of a data breach, and to save time and money throughout the migration process, you must plan carefully and ask the right security questions for cloud migration.
Kroll is an industry leader in cloud security services. In addition to our years of experience in cloud technologies, our collaborative and communicative approach means we work with you to understand your business, break down the silos between departments and design cloud security that helps you achieve your goals.