The process of migrating data and software assets to the cloud can introduce security risks. Data can be compromised, lost or stolen, and poorly configured controls can lead to unauthorized access. Here’s what you need to do to make your organization’s move to the cloud as safe and secure as possible.
Plan and prepare for your cloud migration
After you commit to the cloud and decide on a cloud service provider (CSP), the first thing to do is analyze your organization’s existing security policies and see how well they fit the cloud. Do your restrictions and safeguards still make sense in the new environment?
“The challenge is not the security of the cloud itself, but the policies and techniques used to secure and control the technology,” Gartner’s Kasey Panetta wrote in a 2019 blog post. “In almost all cases, it is the user, not the cloud provider, that fails to manage the controls used to protect the organization’s data.”
Then check your security tools and other apps to see whether they will work in the cloud. Perimeter-based policies and tools designed for on-premises databases are not necessarily well suited to distributed cloud environments.
Research and implement cloud access security brokers (CASBs), web application firewalls, intrusion detection or prevention systems, cloud vulnerability management systems, and other cloud-native security tools.
“Teams need to understand that security is not just the responsibility of architects and security partners; application teams also need to understand how security works in the cloud and consider the same in their applications and frameworks,” said one respondent to a recent CyberRisk Alliance (CRA) survey of security professionals using the cloud.
Along the same lines, analyze your existing network topology and see how it fits into your CSP’s infrastructure. It is convenient if you can “lift and shift” the entire system to the cloud without retooling, but many organizations don’t have that luxury and will have to remap their networks. Make sure your data flows will not be interrupted and that your network is segmented correctly, isolating sensitive areas and limiting the lateral movement of a potential intruder.
“While the lift-and-shift route may be faster [than other migration strategies], it’s often a source of disaster, and it doesn’t take into account the full benefits of cloud services,” wrote Rob Deane and Alex Cowperthwaite of consulting firm Kroll in a September 2022 blog post.
“Taking the time to understand whether applications can be refactored, taking into account the full capabilities and efficiencies the cloud offers, can lead to a more successful cloud presence in the long term without sacrificing any data security.”
Check your user base and clear inactive user accounts. You don’t want former employees to be able to access your new cloud environment. You also don’t want a current user with standard privileges to suddenly gain administrative privileges. Follow the principle of least privilege: don’t give users any more access or power than they need.
“Companies typically don’t take the time to evaluate their user lists before migrating them,” Atlassian’s Gigi Griffis wrote in a 2021 blog post. “Inactive users, users with too much access, and users with too little access are taken off the server and dropped into the cloud, often leaving a hole.”
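As an added example (not code from the article or from any of the vendors quoted), here is a Python audit that takes the kind of user inventory this step calls for and flags the accounts that should not be carried into the cloud: users with no sign-in or key use in 90 days, console users without MFA, and access keys that have not been rotated. It assumes the CSV column layout of an AWS IAM credential report; the rows are constructed sample data, and the 90-day thresholds and the fixed audit date are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Audit date for the constructed sample (assumption; use datetime.now(timezone.utc) in practice).
AUDIT_DATE = datetime(2022, 12, 1, tzinfo=timezone.utc)

# Constructed sample rows in the column layout of an AWS IAM credential report
# (the layout is an assumption about the report format; the users are made up).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T08:00:00+00:00,not_supported,2022-11-01T09:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-03-02T10:00:00+00:00,true,2022-11-20T14:30:00+00:00,2022-09-01T10:00:00+00:00,2022-12-01T10:00:00+00:00,true,true,2022-10-15T10:00:00+00:00,2022-11-21T07:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2018-06-15T10:00:00+00:00,true,2022-02-03T11:00:00+00:00,2021-12-01T10:00:00+00:00,2022-03-01T10:00:00+00:00,false,true,2020-01-01T10:00:00+00:00,2022-01-30T12:00:00+00:00
carol,arn:aws:iam::123456789012:user/carol,2022-10-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-10-01T10:00:00+00:00,N/A
"""


def _parse_ts(value):
    """Return an aware datetime for an ISO-8601 timestamp, or None for the
    report's placeholder values (N/A, no_information, not_supported)."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, inactive_days=90, key_max_age_days=90):
    """Return {user: [findings]} for accounts that need attention before migration.

    INACTIVE          no password or access-key use within inactive_days
                      (never-used accounts are measured from creation time)
    NO_MFA            console password enabled but no MFA device
    STALE_ACCESS_KEY  active access key older than key_max_age_days
    """
    inactive_cutoff = now - timedelta(days=inactive_days)
    key_cutoff = now - timedelta(days=key_max_age_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        activity = [t for t in (_parse_ts(row["password_last_used"]),
                                _parse_ts(row["access_key_1_last_used_date"])) if t]
        last_seen = max(activity) if activity else _parse_ts(row["user_creation_time"])
        if last_seen and last_seen < inactive_cutoff:
            issues.append("INACTIVE")
        # MFA applies to console sign-in; API-only users have no password to protect.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("NO_MFA")
        rotated = _parse_ts(row["access_key_1_last_rotated"])
        if row["access_key_1_active"] == "true" and rotated and rotated < key_cutoff:
            issues.append("STALE_ACCESS_KEY")
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT, AUDIT_DATE).items():
        print(f"{user}: {', '.join(issues)}")
```

On the constructed sample only bob is reported (inactive, no MFA, stale key); carol is a new API-only user and is left alone, which is the kind of distinction a blanket "delete anything unused" rule gets wrong. Run the same report again after the migration, since the article's later advice to keep clearing inactive accounts is the same check on a schedule.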
Determine the order in which your organization’s systems are migrated to the cloud and share that list with everyone on your cloud migration team. You may want to start with the least sensitive assets and work your way up to more critical systems as your team gains confidence with the migration.
Understanding the realities of the cloud
In a cloud environment, you will share responsibility for data, software, infrastructure and assets with the CSP, but the details vary by cloud service model and provider. Make sure you have a clear understanding of the shared responsibility model: find out what your organization is responsible for maintaining and protecting and what the CSP is obligated to handle and protect.
Misunderstandings about the shared responsibility model were one of the top concerns for respondents to the CRA survey.
“Everything in the cloud is a shared responsibility,” said one security expert. “We have to understand how security works and what our responsibilities are.”
You also need to understand the compliance and regulatory impact your cloud migration may have. Ask your CSP where your data will actually be hosted, as many countries have data residency requirements for the personal data of their residents. Some privacy laws regulate whether sensitive customer data can be placed in a shared cloud environment.
“Even if the primary copy of the data is kept in one country, backups may be kept in another,” Kroll’s Deane and Cowperthwaite wrote. “This could put you in breach of data privacy laws, both in your own country and in countries where data may be stored or moved.”
Additionally, your company may have trade secrets, intellectual property, or other highly sensitive material that is not suitable for hosting in the public cloud. You might want to consider keeping sensitive or regulated material on site or, failing that, in a “private” cloud where your organization is the only tenant on the server. Some application service providers also offer “partner” clouds that host their own software along with the data it processes.
“An enterprise may host its most critical applications in an on-premises private cloud, other applications it does not want to maintain or that have compliance requirements in a partner cloud, and then host the rest in a public cloud,” wrote Yev Koup, Senior Product Marketing Manager at Ping Identity, in a 2021 blog post.
Get a cloud migration partner to assist with your migration. This can be an external consulting team or your CSP’s own team. In either case, they likely have extensive cloud migration experience. Make sure to ask them about the security tools that fit your planned cloud provider and service agreement.
“It’s a big project,” Koup told us. “It helps to get partners on board. It’s a different infrastructure. Applications need to be reconfigured to connect to the cloud rather than on-premises infrastructure.”
In general, you should document all plans and procedures, and log all activities related to your cloud migration, before it begins. You’ll have a clearer picture of the process ahead, as well as a trove of useful data for troubleshooting in case anything goes wrong.
Migrate your assets slowly but steadily
Once you’re ready to start migrating, back up all systems if you haven’t already. In the event of data loss or system corruption during the migration process, you will need something to fall back on.
You should also encrypt all data being migrated. Make sure that it is encrypted “at rest” (i.e., on storage media) and “in transit” as it is sent over the network to the cloud data center.
“Encryption of data at rest and in transit is one of the most critical controls you should implement,” wrote consulting firm Booz Allen Hamilton in a blog post. “Native CSP tools and third parties provide a variety of options for these controls.”
Depending on the amount of data you have, its sensitivity, and the capabilities of your CSP itself, you may be migrating data over the public Internet, a private network, or even on storage media that is physically transferred to the CSP facility. Regardless of the medium you use, your data needs to be encrypted in transit to the CSP.
Migrate your assets to the cloud one by one rather than all at once. Test each system after migration and before switching the user base to a cloud instance of that system. A slow and steady approach reduces the room for hasty error.
“Apply it slowly and in stages,” Koup said. “It’s more expensive to do this, but the process will be smoother.”
As your users begin working in the cloud environment, implement multi-factor authentication (MFA) for all of them during the switch, and restrict which public IP addresses can reach your cloud assets.
For IT staff, don’t extend on-premises management accounts to cover the cloud. Instead, set up separate administrator accounts for the cloud instances. You don’t want a single set of compromised credentials to compromise both environments, especially if you decide to use a hybrid model that combines cloud and on-premises assets.
You also need to make sure your cloud instance is configured correctly, especially regarding access control. Countless data breaches can be traced back to misconfigured cloud databases, and the 2020, 2021, and 2022 Verizon Data Breach Investigations Reports list cloud misconfiguration as one of the leading causes of data breaches.
In a recent CRA survey of organizations using cloud services, nearly half of respondents ranked misconfiguration as their top security concern. Your CSP should be able to help you configure your instance, but don’t assume the procedures are the same for all hosting providers. You should automate as much of the configuration process as possible to minimize the possibility of human error.
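Three of the controls above, allowlisting the source addresses that can reach cloud assets, enforcing encryption at rest and in transit, and checking access configuration automatically rather than by hand, can be turned into a script that runs on every change. The following Python check is an added example, not code from the article or from any provider: it assumes the shape of an EC2 DescribeSecurityGroups response and of S3 bucket settings (default encryption, public access block, bucket policy); the sample groups and bucket are constructed, and the allowed source ranges and the list of public service ports are assumptions you would replace with your own.

```python
import ipaddress

# Assumption: ranges from which users and administrators legitimately reach cloud assets.
ALLOWED_SOURCES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/26")]
# Assumption: ports an internet-facing service is expected to expose to the world.
PUBLIC_SERVICE_PORTS = {80, 443}

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response (assumption).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0b2", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "198.51.100.128/25"}]},
    ]},
]

# Constructed sample bucket settings (assumption about the API shapes; the bucket is made up).
SAMPLE_BUCKET = {
    "Name": "migration-staging",
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::migration-staging", "arn:aws:s3:::migration-staging/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
}


def _source_allowed(cidr):
    """True if the CIDR lies entirely inside one of the allowlisted ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == allowed.version and net.subnet_of(allowed)
               for allowed in ALLOWED_SOURCES)


def audit_ingress(security_groups):
    """Return (group id, first port, cidr) for every ingress rule that admits
    traffic from outside the allowlist on anything but public service ports."""
    findings = []
    for group in security_groups:
        for perm in group["IpPermissions"]:
            # IpProtocol "-1" (all traffic) carries no port fields in the API.
            ports = range(perm.get("FromPort", 0), perm.get("ToPort", 65535) + 1)
            if PUBLIC_SERVICE_PORTS.issuperset(ports):
                continue
            for ip_range in perm["IpRanges"]:
                if not _source_allowed(ip_range["CidrIp"]):
                    findings.append((group["GroupId"], ports.start, ip_range["CidrIp"]))
    return findings


def audit_bucket(bucket):
    """Check encryption at rest, a deny-unless-TLS policy, and the public access block."""
    findings = []
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in rule for rule in rules):
        findings.append("NO_DEFAULT_ENCRYPTION")
    statements = bucket.get("Policy", {}).get("Statement", [])
    if not any(s.get("Effect") == "Deny"
               and s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
               for s in statements):
        findings.append("TLS_NOT_ENFORCED")
    block = bucket.get("PublicAccessBlockConfiguration", {})
    for flag in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not block.get(flag):
            findings.append(f"PUBLIC_ACCESS_BLOCK_OFF:{flag}")
    return findings


if __name__ == "__main__":
    for group_id, port, cidr in audit_ingress(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: port {port} open to {cidr}")
    for finding in audit_bucket(SAMPLE_BUCKET):
        print(f"{SAMPLE_BUCKET['Name']}: {finding}")
```

On the sample, HTTPS from the world on the web group passes, SSH from the world and RDP from a range that only partly overlaps the allowlist are flagged, and the bucket is reported for the one public access block flag left off even though encryption and the TLS-only policy are in place. Wire a check like this into the pipeline that applies configuration, so a drift from the intended state fails the deployment instead of waiting for the next annual assessment.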
Continuous monitoring after cloud migration is complete
Maintaining strict security after migrating to the cloud is often a continuation of the security procedures implemented during the migration. Restrict which users can access sensitive areas, clear inactive accounts, ensure access and system controls are configured correctly, and continue the conversation with your CSP.
You may also need to adjust to some new realities. Unless you’re running a private cloud, you won’t know as much about how your cloud infrastructure works as you would if your systems were deployed on-premises.
That’s why it’s essential to ask your CSP for as much visibility as possible, even into areas the CSP controls. You want to monitor as much as you can, and to make sure monitoring is centralized and easy to understand. That way, if you see a problem, you can call the CSP’s team right away.
“We need a foolproof way to check all configurations under a single pane of glass and make that information clear and accurate,” said one respondent to the CRA’s survey of cloud users.
Don’t forget the old servers left behind in the data center. Before disposing of them, make sure the drives are securely wiped, or have them physically destroyed. You don’t want someone to pick up terabytes of your sensitive information at a used-equipment auction.
Finally, you should conduct risk and vulnerability assessments at least once a year, if not more often. Cloud environments keep evolving, and so do the security risks, so your organization’s controls need to evolve with them.
“Regular access checks, process checks, and regulatory checks should be built into your future schedule,” writes Atlassian’s Griffis. “When you find out that you have 100 inactive users on an active account, that wastes money and leaves room for potential breaches. You don’t want to go too long before finding that gap.”