Cloud Cybersecurity: Post Cloud Data Migration
By: Igor Meltser – Vice President, Global Technology Solutions and Services, Sphere Partners
According to Gartner, more than 70% of companies have now migrated some or all of their workloads into the public cloud. COVID-19 and remote work have only accelerated this, so the onus is on companies to scale up their data management processes to match this need to migrate data to an accessible yet secure repository.
Depending on whom you speak with, there are “3 Rs”, “4 Rs”, “5 Rs”, “6 Rs” and even “7 Rs” in cloud migration strategies – mostly variations on the same philosophy. Undoubtedly, most who have migrated utilized at least one of the “R” techniques in their journey:
- Rehost: a.k.a. “lift and shift” is simply redeploying your existing environment on the cloud provider as is.
- Refactor: a.k.a. “lift, tinker and shift” is when your core architecture and application remain as they are, and you tweak some ancillary components and services utilizing native cloud capabilities provided by the cloud provider.
- Revise: similar to Refactor, but more of the application is revised during migration to take full advantage of cloud capabilities and turnkey functionality, requiring some reengineering and code changes.
- Rebuild: pushing the Revise envelope further by refactoring the existing code base with new code.
- Replace: a.k.a. “rip and replace” is a complete discard of the native application and code base, with a full replacement in a cloud environment, often moving to a managed services environment where only the data is migrated and preserved.
But now that your business is cloud-enabled, how do you identify cybersecurity misconfigurations? Sure, most providers offer wizards that prompt you with a couple of questions and then do their wizardly magic to secure your account, but is that enough?
In this blog post, we’ll go over some methods and means to implement cloud cybersecurity for you and your organization. Do not be fooled, however: there is no such thing as 100% secure. It does not exist! What does exist is effective and proactive risk management, where we can significantly reduce the chances of a problem arising before it becomes a threat to your business.
Differences between Cloud Providers’ Cybersecurity
During a recent conversation with an up-and-coming mid-size organization, a seemingly simple question was raised: How do you pick the right cloud provider? With pages and pages of similarities and differences between top-tier providers, is security specifically the difference between them, and is it the responsibility of the provider or the client?
The fact of the matter is it’s a shared responsibility of both parties. Native security structures are mostly equal among top-tier cloud providers. It is more important to understand the key use cases and end-to-end process workflow of the solution, and then map it to each provider’s capabilities. Doing so objectively, you will start seeing some cloud providers ascend and descend in their individual rankings. Without this, choosing a provider is like shooting in the dark – you get a glimpse of the snapshot-in-time from the muzzle flare, but you will ultimately find out later if you hit your target.
Let’s take three top-tier providers as an example: AWS, Azure and Google Cloud. Tripwire did an excellent, in-depth comparison between these three major competitors. They measure everything from basic infrastructure security (how often they release security patches and updates) to physical security (where in the world their physical assets are protected, and how well-protected these systems are).
But even then, there’s an important third factor that cloud providers have little control over: data and access security. This lies more on the end-users.
Cloud Cybersecurity through Proper Data Access Controls
So what are users responsible for when securing their data in a newly migrated cloud environment? We recommend starting by asking three important questions:
- Who has access to what? This is a documented snapshot of your current state environment, compiling an inventory of all access accounts, and what these accounts can access. This is not the time to make any changes; just collect and document your current identity management landscape.
- Who has access vs. who needs access? Reviewing and questioning the need for access is something that must be done regularly. Access provisioning should not just flow in one direction. Even executives should be assessed for overprovisioning of access to systems and information based on their new or current role. It may sound strange to revoke access from someone as they grow through the ranks, but the question must be asked: is the access actually needed? For example, an IT Administrator who was tasked with creating and deleting system accounts likely does not need to maintain such access after they are promoted to a Director. Their responsibilities change, and so should their complete breadth of access.
- What internal policies govern corrective action? Now that you are ready to apply changes to your new environment, should you just open the user management section of the console and make your changes? NOT SO FAST! Ask yourself a few additional questions such as:
  - What is our Change Management Policy?
  - Does the policy take into account the fundamental access design changes for Cloud systems?
  - What repercussions stem from making this change?
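The three questions above can be run as a repeatable review. The following is an added example, not part of the original post: it takes an access inventory, compares each grant with what the account's role needs, and returns proposed changes without applying any, so they can go through change management. The accounts, role names and permission strings (such as `accounts:create`) are constructed for illustration and do not belong to any specific cloud provider.

```python
from fnmatch import fnmatchcase

# Constructed sample data (hypothetical accounts, roles and permission names).
# Question 1: who has access to what? A snapshot of current grants.
INVENTORY = {
    # Former IT administrator, now a director, still holding the old grants.
    "alice": {"role": "director",
              "grants": ["accounts:create", "accounts:delete", "reports:read"]},
    "bob": {"role": "it_admin", "grants": ["accounts:*"]},
    "carol": {"role": "analyst", "grants": ["reports:read", "storage:*"]},
}

# Question 2: who needs access? A baseline of actions each role requires.
ROLE_NEEDS = {
    "director": {"reports:read", "budgets:approve"},
    "it_admin": {"accounts:create", "accounts:delete"},
    "analyst": {"reports:read"},
}


def review_account(grants, needs):
    """Classify each grant (which may contain wildcards) against the role's needs."""
    findings = {"keep": [], "narrow": [], "revoke": [], "missing": []}
    covered = set()
    for grant in grants:
        matched = {need for need in needs if fnmatchcase(need, grant)}
        covered |= matched
        if not matched:
            findings["revoke"].append(grant)   # no needed action uses this grant
        elif "*" in grant:
            findings["narrow"].append(grant)   # needed, but broader than required
        else:
            findings["keep"].append(grant)
    findings["missing"] = sorted(needs - covered)  # needed but never granted
    return findings


def access_review(inventory, role_needs):
    """Question 3: return proposals only; applying them is a change-managed step."""
    return {
        user: review_account(entry["grants"], role_needs.get(entry["role"], set()))
        for user, entry in inventory.items()
    }


if __name__ == "__main__":
    for user, findings in access_review(INVENTORY, ROLE_NEEDS).items():
        print(user, findings)
```

An account whose role has no baseline entry has every grant listed under `revoke`, which surfaces it for manual review rather than silently passing it.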
A Final Word to the Wise Data Manager
One common mistake made during cloud migration stems directly from the fundamental difference in security between on-prem and cloud environments. By design, cloud security access is set to deny by default, meaning anything that was permitted by default on-prem will be denied by default within your new cloud environment.
This fundamental difference may have far-reaching consequences for your system, resulting in access workarounds, elevated permission provisioning and overall security misconfigurations within your cloud environment to accommodate this shift in security. This all contributes to your organization’s security risk posture and its threat landscape.
There is no magic bullet to fix cloud security misconfigurations. Security is a layered approach and must be balanced with zero assumptions and zero friction. To further enact security layers, a mindset of continuous authorization and authentication must be instilled. Cybersecurity is a project that never quite completes; it is an ongoing match of strategy, ingenuity and meticulous execution.
If you’re interested in setting up your own cloud cybersecurity, then we’re here to help! Contact us here, or feel free to reach out to me on LinkedIn directly. Indicate that you’re looking for cybersecurity help, and we can get started immediately to find a solution that fits your specific requirements.