Shut the backdoor: how to achieve secure cloud migration

By Richard Latham, principal consultant at KCOM.

  • Wednesday, 26th September 2018 Posted 6 years ago in by Phil Alsop
Cloud is now essential to modern business. According to research by the Cloud Industry Forum, adoption in the UK is now at 88 per cent, and over two thirds (67 per cent) are planning to increase their cloud usage this year. In just about every industry imaginable, companies are either embedded into the cloud or on their way there. As workloads are migrated across, there’s a keen sense of the benefits on offer – flexibility, scale, cost savings – but it’s matched by security concerns that cause too many companies to hesitate before moving.
 
The fact is, as commonplace as cloud adoption has become, many companies go into it without a clear strategy to guide them through the process in a secure manner. If you don’t plan your security precautions in advance, you risk putting everything from data and applications to servers and networks in harm’s way. That lack of preparation can also lead some to believe that cloud is inherently less secure than on-premises servers – when in reality it’s all down to the way the migration is conducted.
 
It is time to review your current security strategy and architecture to check that it is fit for purpose with the adoption of new cloud services.  Once you have your security strategy in place, it will form the basis of your secuity requirements for implementation in the cloud.
 
A comprehensive, preplanned security strategy is central to any cloud migration. It protects the company from both external and internal attack, and will help encourage the buy-in needed from company leadership.
 
Thorough preparation is key
 
The cloud offers secure systems, applications and data at a fraction of the cost of installing them on-premise. It delivers encryption, advanced identity and access management, the reduction of human error as well as automated resource logging and inspection. It is no wonder that only one per cent of UK organisations have suffered a security breach in the cloud.
 
Yet, when a high-profile data breach occurs it is often the cloud platform of the business that receives the lion’s share of the blame. More often than not, the real problem lies in the company’s failure to prepare adequately for the cloud, whether technically, culturally or procedurally.
 
Many organisations take a surprisingly devil-may-care approach to cloud adoption. Their security strategies are not fit for purpose, and they move onto the cloud in the hope that they can iron out any difficulties as they appear. Instead, organisations should ensure systems are cloud-ready before shifting their data, services and applications across.
 
The cloud is not a panacea for existing security weaknesses – it requires a security architecture and strong internal security policies to achieve its potential of a more secure processing environment. Implementers should first plan out the full cloud infrastructure, which will tell them what is needed from a security perspective. They will have to decide where their data is stored, where their applications are run and what is needed to protect them. A complete security design is needed from the very beginning. 
 
Before the migration begins, you must ensure all cloud accounts and user permissions are in place. The public cloud can be accessed by anyone with an internet connection or VPN, so the correct authorisations should be set up to prevent your crucial data being compromised or your services disrupted by any bad actors.
 
Remember also that you cannot simply migrate your existing anti-virus or firewall to the cloud. They are unlikely to have been designed for the cloud or their licenses will not be cloud-friendly. Updating or replacing them will require product and device selection, but it is essential to maintaining a strong perimeter. However, you may also choose to boost your response to security incidents and events by going down the increasingly popular route of outsourcing your security incident and event management to (SIEM) providers 
 
Cloud: not pie in the sky
 
Most cloud migrations will require some level of challenging the status quo. Readying the business for the cloud may cause existing spending plans to change. Yet, when done properly, the process is never confrontational.
 
Not every challenge will be technical – in fact, the hard, technology aspects of migration are often the easy ones. Instead, the challenges are often cultural and perceptions.  Situations that people do not understand are often viewed as threats and generate opposition.  Change its self often creates opposition you may find opposition from the company’s business and financial decision-makers as well as the incumbent security team. Most stakeholders will not have undertaken a cloud migration before, and we all fear the unknown. Ultimately, it is down to cloud advocates to defuse conflicts by acting as educators and guiding the rest of the business through the implementation.
 
The process of migration should be measured, gradual and always iterative. Many organisations set themselves up for failure by lacking the capabilities to properly test their applications in the cloud. Testing is an invaluable way of uncovering issues before they can harm you in deployment. The pressure will be on to migrate as quickly as possible, but implementers should always take the time to test before deployment.  
 
Proper training is also an important part of preparation. As many as 28 per cent of data breaches are down to employee negligence or the actions of a malicious insider. In a public or private cloud environment this danger still remains. Security awareness must be a top priority, and all employees should be trained on your updated policies and the consequences of exposing the company to a data breach.
 
You get out of cloud migrations what you put into them. You can’t expect to benefit from the scale and availability of cloud if you don’t also put in the work to ensure it’s secure first. The best time to do that is during the migration phase. If you’re in charge of implementation, put security at the heart of the matter. It could be the difference between success and dangerous failure.