Cloud migration: How to protect resources

What does a full cloud migration truly entail? Cloud service options give organizations an opportunity to reduce operational costs and to close the gaps between available time, resources and staff.

Migrating your identity and access management (IAM) systems to the cloud will save your organization time and money. But there is a risk that you could lose some assets and resources during the migration. Here's how to make sure that doesn't happen.

Inventory your assets and plan ahead

The first steps in a successful cloud migration are to take a full inventory of your assets and to plan ahead.

You need to survey your organization to learn exactly what kind of assets, data and software dependencies you have. It's possible, especially in a long-standing organization, that there will be legacy assets of which you're not even aware.

Once you have a comprehensive list of everything you've got, you need to decide what can or should go to the cloud, and what needs to stay on-premises. Some resources may remain on-premises for reasons of security, compliance or incompatibility.

"For larger organizations, this is a big project. They need a process and a migration path and plan," said Yev Koup, senior product marketing manager at Ping Identity. "Applications need to be reconfigured to be connected to the cloud rather than to the on-prem infrastructure."

After inventory is complete, it’s time to plan ahead. Good planning strategies for cloud migration include researching cloud providers, cloud models and their associated costs. A few questions to consider during planning for cloud migration:

  • Do you want to go with one of the Big Three public cloud service providers (CSPs), Amazon Web Services (AWS), Google Cloud or Microsoft Azure?
  • Would it make more sense, despite the additional expense, to use a "private" cloud that has your organization as the only tenant?
  • Or perhaps a "partner" cloud, in which your application service provider also provides the cloud, would be most useful?

"Public clouds are ideal for applications and resources that are less critical to business compliance and operations, such as email tools and online office, collaboration and HR apps," said Koup in a 2021 blog post, while private clouds may be better for "most critical resources and applications ... such as R&D, supply-chain management and ERP [enterprise resource planning]."

Creating a hybrid cloud environment

You can also mix-and-match these models. Many organizations use a hybrid cloud in which some data and systems stay on-premises while others are in the cloud. A large share of respondents in a recent survey of organizations conducted by CyberRisk Alliance said they used both AWS and Azure in a "multi-cloud" model that provides additional flexibility and avoids vendor lock-in.

One very important thing: Make sure you fully understand your shared-responsibility agreement with your cloud service provider. All parties should be aware of who will be tasked with remediation if/when things go wrong. Many respondents in the CyberRisk Alliance survey cited misunderstandings about the shared-responsibility agreement as a top cloud-security concern.

For example, you're likely planning to subscribe to either an infrastructure-as-a-service (IaaS) or a platform-as-a-service (PaaS) cloud plan. With IaaS, the cloud service provider is responsible for the server hardware, the storage, the network and any virtualization software being used, while the client (you) handles the operating system, the applications that run on the OS, and the data being used.

In a PaaS setup, the CSP handles the OS and any applicable middleware, but the client is responsible for applications and data. If there's a data breach or other security incident, it will become very important to determine whether the incident resulted from a problem with the OS, or with an application.

"Everything in the cloud is shared responsibility," said one respondent in the CRA survey. "We have to understand how the security works and what is our responsibility."

Configuration for cloud

There is no reason not to ask your cloud service provider for guidance during a cloud migration. Whether you are concerned with security issues, storage availability or the easiest and safest way to move your legacy data to the cloud servers, a good CSP will be there to support your organization (and IT staff) during the transition.

"Work closely with your identity or cloud providers, relying on their knowledge to get a timeline and process in place," said Koup. "Phase in applications slowly and work with the vendor's professional services team. It costs more to do it this way, but it will be a smoother process."

Your IAM provider may have some sort of identity-orchestration solution to link all the various aspects of your identity systems after migration. Koup defines orchestration as "basically how to make integration between applications and general IT infrastructures a lot smoother."

Properly configuring your cloud instance is also important. Verizon's annual Data Breach Investigations Report has listed cloud misconfiguration as one of the top causes of data breaches for several years, and we've seen several recent instances of cloud databases publicly exposed as a result of improper configuration.

In the CRA survey, 47% of AWS clients, 40% of Azure clients and 35% of Google Cloud clients cited misconfiguration as their top security concern, and many AWS users said their organization's IT teams didn't know how to set it up properly. Your CSP should be able to help you with cloud configuration — but make sure you ask.

"Quite often, novice administrators leave [AWS] default security settings in place, which are often too broad in their permissions," said one CRA survey respondent.

Meanwhile, some Google Cloud users worried that their organizations didn't understand the platform, resulting in potential misconfiguration issues. Regarding Azure, one user said that "PaaS solutions are deployed as public endpoints by default and are vulnerable if not addressed properly."
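The two complaints above, default security-group permissions that are too broad and PaaS endpoints deployed as public by default, are the kind of thing a small configuration audit can catch before the on-premises system is switched off. The following is an added example written for this article and is not code from Ping Identity, CyberRisk Alliance or any cloud provider. The security-group records are constructed samples that follow the field names of AWS `describe-security-groups` output (`IpPermissions`, `IpRanges`, `CidrIp`); the endpoint records use a simplified hypothetical layout (`public_network_access`, `private_endpoint`) rather than any provider's real API, so a real audit would map the provider's own fields onto these checks.

```python
"""Audit constructed cloud configuration records for two default-setting
problems: security-group rules open to the whole internet, and managed
(PaaS) endpoints left publicly reachable.

Added example, not from the article or any vendor. Security-group records
mirror the shape of AWS `describe-security-groups` output; the endpoint
records are a hypothetical simplified layout (assumption, not a real API).
"""
from dataclasses import dataclass

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Administrative and database ports that should not be reachable from the
# entire internet; used to rank findings.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
    5432: "postgres", 6379: "redis", 27017: "mongodb",
}


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str  # "high" or "medium"
    detail: str


def _open_to_internet(perm):
    """True when any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in (ANY_IPV4, ANY_IPV6) for c in cidrs)


def audit_security_groups(groups):
    """Return a Finding for every inbound rule that is open to the internet."""
    findings = []
    for sg in groups:
        name = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if not _open_to_internet(perm):
                continue
            if perm.get("IpProtocol") == "-1":  # "-1" means all protocols/ports
                findings.append(Finding(name, "high",
                                        "all protocols and ports open to the internet"))
                continue
            lo = perm.get("FromPort", 0)
            hi = perm.get("ToPort", 65535)
            exposed = [f"{p}/{svc}" for p, svc in SENSITIVE_PORTS.items() if lo <= p <= hi]
            if exposed:
                findings.append(Finding(name, "high",
                                        "internet-reachable admin/database port(s): "
                                        + ", ".join(exposed)))
            else:
                # A public web port is expected; still record it for review.
                findings.append(Finding(name, "medium",
                                        f"ports {lo}-{hi} open to the internet"))
    return findings


def audit_endpoints(endpoints):
    """Flag managed services that are reachable from public networks."""
    findings = []
    for ep in endpoints:
        if ep.get("public_network_access", True) and not ep.get("private_endpoint"):
            findings.append(Finding(ep["name"], "high",
                                    "public endpoint with no private endpoint configured"))
    return findings


# Constructed sample inventory (not real resources).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web-constructed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db-constructed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-default-constructed", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion-constructed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_ENDPOINTS = [
    {"name": "db-prod-constructed", "public_network_access": True},
    {"name": "db-internal-constructed", "public_network_access": False},
]


def run_audit():
    return audit_security_groups(SAMPLE_SECURITY_GROUPS) + audit_endpoints(SAMPLE_ENDPOINTS)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.severity}] {f.resource}: {f.detail}")
```

Run against the constructed inventory, the audit reports the all-ports default group and the IPv6-exposed SSH rule as high, the public HTTPS rule as medium for review, and the publicly reachable managed database as high; the group restricted to `10.0.0.0/8` produces no finding. Wiring the same checks to the provider's real inventory output is the part that has to be done per platform.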

Another key tip is to go slowly with your migration. It is tempting to "lift and shift" everything at once, but software assets need to be tested to see how they will behave in the cloud environment. Configuration and administrative settings may need to be updated for best performance and security.

Moving one system at a time allows IT to perform A/B testing on the migrated instance and work out the kinks before making the permanent switch and taking the on-premises system offline. This takes time, and each asset should be vetted individually and sequentially.

"Moving to the cloud is rarely that simple," said Ping Identity's Jordan Griffith in a 2020 blog post. "Your cloud migration can't happen overnight, nor should it. More likely, you'll need to support a hybrid IT environment as new resources are onboarded and older resources are moved on a schedule that is approved by the business."

Test everything and keep monitoring

After you've completed the cloud migration and switched all appropriate systems over, you're not quite done. You will need to keep monitoring applications for potential errors to make sure they work at least as well as they did when they were on-premises.

After cloud transition has taken place, it may be necessary to make adjustments for maximal benefit. These adjustments may include reconfiguring or replacing some applications or changing the parameters of your cloud instance to add more memory, data throughput, processing power or storage as needed.

Another critical step for cloud migration security is the disposal of the old storage drives in your data center, which will still retain all your company's data from before the cloud migration. You could securely retain the drives for several months in case something goes wrong in the cloud, but after that the data will likely be too far out of date to be used as backups. The question then becomes — wipe the drives or destroy them?

There are plenty of firms that offer to securely wipe the old drives so that they can safely be sold on the secondhand market. However, many firms, especially those dealing with medical or financial data and subject to compliance regulations, may opt to physically destroy the drives instead. You don't want the data leaking after someone digs up old drives from a landfill, or a buyer of used drives uses a recovery program to restore the old data.

Regardless of the risks involved in a cloud migration, the end result should be a safer, smoother, more accessible and more scalable software environment for your organization.

"Security's generally a little bit higher when you're in the cloud, even though you are relying on a third-party vendor," said Koup. "The risks of being in the cloud are lower than if you have to manage the configuration on your own premises."

Paul Wagenseil

Paul Wagenseil is custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, and
