The process of migrating your data and software assets to the cloud can pose a security risk. Data may be leaked, lost or stolen, while improperly configured controls may lead to unauthorized access. Here's what you need to do to make your organization's move to the cloud as safe and secure as possible.
Plan and prepare your cloud migration
After you have committed to the cloud and decided on a cloud service provider (CSP), the first thing to do is to analyze your organization's existing security policies and see how well they can be adapted to the cloud. Will your restrictions and safeguards make sense in the new environment?
"The challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology," wrote Gartner's Kasey Panetta in a 2019 blog post. "In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization's data."
Then examine your security tools and other applications to see if they will work in the cloud. Perimeter-based policies and tools designed for an on-premises database won't necessarily adapt well to a distributed cloud environment.
Look into implementing a cloud access security broker, a web application firewall, an intrusion-detection or -prevention system, a cloud vulnerability-management system and other cloud-native security tools.
"Teams need to understand that security is not just the responsibility of architects and security partners, but app teams also need an understanding of how security works in the cloud and account for the same in their apps and framework," said one respondent in a recent survey of cloud-using security professionals conducted by CyberRisk Alliance (CRA).
Along the same lines, analyze your existing network topology and see how it meshes with your CSP's infrastructure. If you can "lift and shift" an entire system to the cloud without restructuring, good for you. But many organizations won't have that luxury and will have to remap their networks. Make sure your data flows won't be interrupted and that your network is properly segmented to wall off sensitive areas and limit the spread of potential intruders.
"Though the lift-and-shift route may be quicker [than other migration strategies], it is often a recipe for disaster, and it does not take into account the full benefits of cloud services," wrote Rob Deane and Alex Cowperthwaite of consulting firm Kroll in a September 2022 blog post.
"Taking the time to learn whether an application can be refactored and taking into account the full range of capabilities and efficiencies that the cloud offers can lead to a more successful cloud presence in the long term, without sacrificing any data security."
Go over your user base and purge inactive user accounts. You don't want former employees to get access to your new cloud environment. Nor do you want current users with standard privileges to suddenly gain administrative powers. Follow the principles of least privilege: Don't give a user any more access or power than they need.
"Companies often don't take the time to evaluate their user lists before migrating them over," wrote Atlassian's Gigi Grifiss in 2021 blog post. "Inactive users, users with too much access, and users with too little access all get lifted off of server and dropped into the cloud, often leaving openings for a breach."
Determine the order in which your organization's systems will be migrated to the cloud and share that list with everyone on your cloud-migration team. You may want to start with the least sensitive assets, then work your way up to more critical systems as your team gets a feel for the migration.
Understand the realities of the cloud
In a cloud environment, you will share responsibility with your CSP for data, software, infrastructure and assets, but the exact details differ according to the cloud service model and provider. Make sure you clearly understand the shared-responsibility model to know what your organization is responsible for maintaining and securing and what the CSP is obligated to handle and safeguard.
Misunderstanding the shared-responsibility model was one of the top concerns expressed by respondents in the CRA survey.
"Everything in the cloud is shared responsibility," said one security professional. "We have to understand how the security works and what is our responsibility."
You also need to understand the impact on compliance and regulations that your cloud migration may have. Ask your CSP where your data will be physically hosted, as many countries have data-residency requirements for their residents' personal data. Some privacy laws govern whether sensitive customer data can be in a shared cloud environment.
"Even if main copies of data are kept in one country, backups may be kept in another country," wrote Kroll's Deane and Cowperthwaite. "This may run you afoul of data privacy laws, either in your own country or in the countries where the data may be stored or moved."
Additionally, your company may have trade secrets, intellectual property or other highly sensitive material that might not be appropriate for hosting in a public cloud. You may want to consider keeping sensitive or regulated material on-site or, failing that, in a "private" cloud where your organization is the only client on a server. Some application service providers also provide a "partner" cloud that hosts their own software running your data.
"A business might host its most critical applications in an on-prem private cloud, host other applications that it doesn't want to maintain or that have compliance requirements in a partner cloud, then host the remainder in a public cloud," wrote Yev Koup, a senior product marketing manager at Ping Identity, in a 2021 blog post.
Acquire a cloud-migration partner to assist you with the migration. This can be an outside consulting team, or it can be a team from your CSP. In either case, they will likely have extensive experience with cloud migrations. Make sure to ask them about security tools that are appropriate for your planned cloud provider and service agreement.
"This is a big project," Koup told us. "It helps to get a partner involved. It's a different infrastructure. Applications need to be reconfigured to be connected to the cloud rather than to the on-prem infrastructure."
Overall, you should document all plans and procedures and log all activity pertaining to your cloud migration well before the migration starts. You'll get a clearer understanding of the processes going forward, and a useful trove of data for troubleshooting purposes in case anything goes wrong down the line.
[Cloud migration: How to protect resources]
Migrate your assets slowly but surely
As soon you're ready to begin the migration, back up all your systems if you haven't already. You will need a fallback in case data is lost or systems are corrupted during the migration.
You should also encrypt all data that is being migrated. Make sure to encrypt it both "at rest" — i.e., on storage media — and "in transit" while it is being sent over a network to the cloud data center.
"The encryption of data at rest and in transit is one of the most critical controls that you should implement," wrote consulting firm Booz Allen Hamilton in a blog post. "Native CSP tools and third parties offer several options for these controls."
Depending on the amount of data you have, its sensitivity and your CSP's own abilities, you may be migrating your data over the public internet, over a private network or perhaps even on storage media that is physically transported to a CSP facility. Whichever medium you use, your data needs to be encrypted on its way to the CSP.
Move your assets to the cloud one by one instead of all at once. Test each system after it has been migrated and before you switch over your userbase to that system's cloud instance. The slow-and-steady approach allows less room for errors made in haste.
"Phase in applications slowly," said Koup. "It costs more to do it this way, but it will be a smoother process."
To make sure your staff is fully prepared to work with a cloud environment, implement multi-factor authentication (MFA) for all users while you are switching over and limit the number of public IP addresses that can access your cloud assets.
As for the IT staff, don't extend on-premises administrative accounts to cover the cloud. Instead, set up new admin accounts for cloud instances. You don't want a single set of compromised credentials to undermine both environments, especially if you decide to use a hybrid model that combines cloud and on-prem assets.
You also need to make certain that your cloud instances are properly configured, especially regarding access controls. Countless data leaks can be traced back to improperly configured cloud databases, and the 2020, 2021 and 2022 Verizon Data Breach Investigation Reports listed cloud misconfiguration as one of the top causes of data breaches.
In the recent CRA survey of organizations that used cloud services, nearly half of respondents cited misconfiguration as their top security concern. Your CSP should be able to help you configure your instances, but don't assume that the procedures are the same across all hosting providers. You should automate as much of the configuration process as you can to minimize the possibility of human error.
Keep monitoring after the cloud migration is completed
Maintaining tight security after the move to the cloud is often a continuation of the security procedures put in place during the migration. Limit which users can access sensitive areas, purge inactive accounts, make sure that access and system controls are properly configured, and keep talking to your CSP.
There are also new realities that you may have to adjust to. Unless you are running a private cloud, you are not going to have as much visibility into the workings of your cloud infrastructure as you did when your systems were on-premises.
That's why it's essential to demand as much visibility as possible from your CSP, even into areas that the CSP may control. You want to be able to monitor as much as you can and to make sure that the monitoring is centralized and easy to understand. That way, if you see something going wrong, you can call the CSP's team immediately.
"We need a fool-proof way to check all configurations under one single pane of glass and have that information be clear and accurate," said one respondent in the CRA survey of cloud users.
Don't forget about all the old servers left in your data center. Before you dispose of them, make sure to wipe the hard drives clean — or have them destroyed. You don't want someone ending up with terabytes of your sensitive information at a used-equipment auction.
Finally, you should conduct risk and vulnerability assessments at least once a year, if not more often. The cloud environment is continually evolving, and so are the security risks, so your organization may need to as well.
"Regular access checks, process checks, and regulatory checks should be built into your schedules for the future," wrote Atlassian's Griffiss. "You don't want to be far along before you find that you have 100 inactive users with active accounts that waste money and leave openings for potential breaches."
