Fri, Sep 16, 2022

How to Build Your Cloud Migration Security Strategy

Moving to the cloud is becoming a business necessity. Cloud technologies are flexible and scalable and less expensive to maintain than on-premises solutions, allowing companies to easily adapt as business needs change. The only real barrier to making the move is concerns about cloud migration security.

Cloud services do not work exactly the same as on-premises services do. Many companies think they can move their infrastructure to the cloud without making fundamental changes to their security protocols. But moving from on-premises infrastructure to the cloud is not a trivial switch to flip, and cloud migration security risks accompany the many advantages. A 2020 report revealed that, throughout 2018 and 2019 alone, cloud misconfigurations led to the exposure of nearly 33.4 billion data records, with the number of breaches rising 42% from 2018 to 2019.

Knowing how cloud services work, what data must go into the cloud for specific services to work, and how services can be designed to keep that data secure is integral to any secure cloud migration.

What Makes a Successful Cloud Migration?

Making a secure cloud migration successful takes detailed planning. There are two common approaches to application migration: rehosting (or "lift-and-shift") and rearchitecting and refactoring applications for the cloud. Though the lift-and-shift route may be quicker, it is often a recipe for disaster, and it does not take into account the full benefits of cloud services.

When approaching any cloud migration, remember that you are moving workloads off of on-premises infrastructure and into the cloud, which has its own security considerations and requirements. Taking the time to learn whether an application can be refactored and taking into account the full range of capabilities and efficiencies that the cloud offers can lead to a more successful cloud presence in the long term, without sacrificing any data security.

Think about how software is developed: You don't start by writing code. Before starting to code an application, you have to figure out what it is intended to do. Then, with that idea in place, you can plan how to implement the necessary features in a manner that is both secure and functional. Only when that roadmap has been completed are you ready to start actually coding your application.

Planning for a cloud migration works the same way. Just like you don't start application development with lines of code, you don't start your cloud deployment with signing contracts and moving data. You start with a goal. Then you plan how to achieve that goal in a secure and functional manner. If you ask the right questions from the beginning, you set yourself up for long-term success.

Five Questions to Ask as Part of Your Cloud Migration Security Strategy

To set yourself up to face cloud migration security challenges, make sure to ask yourself these questions as you plan your move:

  • How well are your company's security policies built for moving to the cloud?

Regular consideration and revision of security policies should already be part of your business processes. As new technologies and new threats arise, your security policies need to take them into account. They must also provide useful guidance for how to secure your business against threats.

The case of cloud adoption puts this into stark relief. After all, if your policies were written to take into account only on-premises infrastructure, how actionable will they be when you try to apply them to operations in the cloud? They probably will not be well suited for the unique challenges of a cloud environment.

Before moving to the cloud, prepare your security policies and review your security controls. Talking to all stakeholders will help you consider what policies are necessary to enable cloud migration goals while continuing to satisfy security and compliance requirements. Once you have gathered and considered that input, you will be in a better position to draft policies that meet your goals.

  • What data can go into the cloud?

Data classification lies at the core of many security initiatives. That was true in the on-premises days, and it remains true in the world of cloud computing. If you do not know what types of data you maintain, which types of data are required for particular operations or transactions, and who needs to have access to that data under a least-privilege model, you are not in a position to protect that data.

This need for data classification applies to all kinds and sizes of companies. Whether you are a global financial institution, a small local business, or anything in between, you have sensitive data that belongs to customers and employees. It is your responsibility to safeguard that data, and you risk sacrificing time, money, and reputation if you are unable to do so. 

Concerns of data classification apply to any kind of cloud services usage. Whether your business is planning to use Google Docs for a few things or move most of your IT to a large-scale AWS deployment, you must consider what data that cloud platform will see and whether your business can effectively secure that data in that platform.

  • What are your data residency requirements?

Many industries have to consider issues of data residency. This is always a question, but it takes on a new urgency when moving to the cloud.

With on-premises infrastructure, your business controls exactly where sensitive data is kept. But, in a cloud platform, that may differ. Even if main copies of data are kept in one country, backups may be kept in another country. Depending on the data residency requirements that apply, this may run you afoul of data privacy laws, either in your own country or in the countries where the data may be stored or moved.

This is a question that you must consider before moving to the cloud, to identify where data may reside while remaining compliant. It requires continued consideration and discussion with cloud service providers as you consider which services to adopt, since different cloud providers offer different data residency options.

  • What capabilities and responsibilities does a cloud provider have?

Different cloud providers have different implementations of the Shared Responsibility Model, as well as different options for data residency and security. Implementations of the Shared Responsibility Model and demands on what customers must do to carry their side of the responsibility for data differ across the major cloud providers (Amazon, Google Cloud, and Microsoft). Differences in policies and responsibilities also exist across platforms and services in the cloud.

Before locking your business into a particular service or plan, you must make sure that a provider's data protection options suit your needs. This is a crucial phase of due diligence. And, once you select a provider and begin to migrate, your plan should include actionable steps toward approving, documenting, and securing instances of cloud services. This will allow you to make it as easy as possible for security and IT teams to implement the policies and prevent issues such as unapproved cloud usage or data exposure through misconfigured buckets.

  • What questions have other companies asked?

Though every cloud migration is different, every successful cloud migration covers the fundamentals thoroughly. It's important to learn what considerations other businesses, especially others in your industry, have made before migrating to the cloud. Beyond trusted colleagues and leaders, information security industry organizations can also provide trusted guidance. Specifically, the Cloud Security Alliance releases guidelines to help businesses build and maintain a strong foundation for their work in the cloud.

The Importance of Communication When Moving to the Cloud

You will be in the best position to solve security challenges during your cloud migration if there is open and consistent communication between the different parts of your business. This includes security and IT, but that's not all. You will want input from legal, since there are questions of terms, conditions, contracts, and liability. The finance team is helpful here as well, as attempting to become more cost-effective is often a core driver of a cloud migration. Human resources will also want to weigh in, as cloud migrations often lead to a need to hire people with cloud expertise. Consulting with all stakeholders helps make sure all business goals of the cloud migration are being met.

In addition to internal stakeholders, there is much to be gained by working with an external partner who is experienced in cloud migrations. A partner can help you achieve cloud migration success by bringing a broad range of cloud migration experience to the table, including first-hand insight about what works and what doesn't. However, choosing the best partner and asking the right questions about their experience and their approach also matter. They need technical experience and the ability to learn your business, break down the silos between business groups, and help you build a stronger cloud migration plan.

Learn More about Cloud Migration Security Success

Migrating to the cloud and increasing operations in the cloud is a great move for most businesses; the flexibility and cost savings are a competitive advantage that you cannot pass up. However, to avoid the time, money, and reputation costs of a data breach and save time and money through the course of the migration, you need to plan carefully and ask the right cloud migration security questions.

Kroll is an industry leader in cloud security services. In addition to our years of experience with cloud technologies, our collaborative and communicative approach means we work with you to learn your business, help break down the silos between departments, and design cloud security that helps you reach your goals.


