The Right Approach to Cloud Migration Security
Digital transformation has driven cloud adoption. The benefits are well understood: most organisations can achieve a commercial gain or a technological advantage, or simply become more efficient, by moving to the cloud.
Our business is often called upon to provide security governance to a cloud migration project. This is quite an interesting time to be introduced to a customer and often the first opportunity we have to gain a wider understanding of their security posture.
Rightly, the customer has decided that migrating existing systems to cloud-based systems is a potential security risk. Since these types of projects are a significant investment, resource heavy and disruptive to end users, our recommendation is always a belts and braces approach. The risk is just too big otherwise and thankfully most businesses agree.
At this stage of the engagement, we want to be reviewing existing policies and the current approach to security. There’s no point in re-inventing the wheel when it comes to policies: if they exist and are already embedded into an organisation, then it makes sense to start from that base (assuming they are fit for purpose). If a good policy set is in place, we’ll look for evidence that it is actually used.
Additionally, this type of project will require some policy and procedure updates and very likely some end-user training. We’re starting to build a picture of what exists, what may need to be looked at, the level of indoctrination and the current attitude towards information security.
The main areas we’re exploring at the start of a project are:
1. Existing policies and maturity of existing security posture
2. Absolute clarity on Identity and Roles
3. Understanding of data assets: what’s moving, what isn’t, master data, etc.
Experience (and previous battle scars) enables us to follow our highly tuned security noses at this point. The response to the three areas above helps us to collectively make informed security decisions about next actions and priorities. If we’re taking on the governance role, it’s important that we’re involved early on in the project and have the appropriate stakeholder relationships.
In addition to the three key areas above, we’ll also be touching on all of the points below. The maturity of a client’s security posture will determine the amount of time spent on each point, and potentially the order in which they are undertaken.
1. Ensure project stakeholders understand why security is important
It sounds obvious; however, there is not always a clear statement of intent with regards to security. Ideally, there is a senior executive with responsibility for security, who drives the right culture, ensuring a greater degree of general security awareness and appropriate support if changes are to be made.
2. Ensure current security policies are relevant to the cloud
One of the challenges of migrating your services to the cloud, or a hybrid version, is that in many cases it will be a new technology for your business and users. This means that any existing policies or user guides may be out of date. We recommend that the policy review and its relevance to the cloud happen as early as possible in the project.
3. Security Risk Assessment
A typical cloud migration project will likely include a Project Manager and be run against a methodology such as PRINCE2, Agile or Waterfall (or a combination), so the team will already be thinking about project risks. We think that it is important to carry out a Security Risk Assessment and feed its results into the main project risks document. This is also the time to be thinking about who in your business has the appropriate level of information security skills, or ideally experience in this field.
4. Map all processes
It’s difficult to understand how you can effectively complete a cloud migration project without mapping all processes. Since a project of this nature is going to impact existing policies and security, it is very likely that additional training and awareness is going to be required. Mapping everything out early will highlight the areas where additional work or input is required.
It’s also very good practice in case of changes to team members, communicating with suppliers and working with stakeholders.
5. Document (and check and check again) all users
The cloud is an external network, so the access controls you configure there are what establish the perimeter. That's why it's important to audit and redefine your user privileges in the cloud. It’s a great time to remove the excess of admin accounts you have, or to map out an updated set of user permissions and privileges. This includes permission levels for internal users, suppliers, and other third parties.
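As an added illustration of the user audit described above (this is example code written for this post, not a tool from our business, and the account schema, role names and thresholds are all assumptions), the script below takes a constructed export of cloud accounts and flags the things we look for: admin accounts without MFA, admin rights held by suppliers or other third parties, accounts nobody has used for a long time, and an overall count of privileged accounts above an agreed ceiling.

```python
"""Audit a cloud user/role inventory ahead of a migration.

Constructed example: the Account schema, the role names in ADMIN_ROLES and the
thresholds are assumptions, not the format of any particular cloud provider.
"""
from dataclasses import dataclass
from typing import Dict, List

ADMIN_ROLES = {"Owner", "GlobalAdmin", "Contributor"}  # hypothetical privileged roles
STALE_DAYS = 90    # assumed: an account unused for 90 days is a candidate for removal
MAX_ADMINS = 3     # assumed: agreed ceiling on privileged accounts for this tenant


@dataclass
class Account:
    name: str
    kind: str               # "internal", "supplier" or "third_party"
    roles: List[str]
    days_since_login: int
    mfa: bool


# Constructed inventory, standing in for an export from the tenant's IAM console.
INVENTORY = [
    Account("alice", "internal", ["GlobalAdmin"], 2, True),
    Account("bob", "internal", ["Owner"], 140, False),
    Account("carol", "internal", ["Reader"], 5, True),
    Account("dave-contractor", "supplier", ["Contributor"], 30, True),
    Account("svc-backup", "third_party", ["Reader"], 400, False),
    Account("erin", "internal", ["Owner", "Reader"], 1, True),
]


def is_admin(acct: Account) -> bool:
    """True if any of the account's roles is a privileged role."""
    return any(role in ADMIN_ROLES for role in acct.roles)


def audit_accounts(accounts: List[Account],
                   stale_days: int = STALE_DAYS,
                   max_admins: int = MAX_ADMINS) -> Dict[str, List[str]]:
    """Return account names grouped by the finding they trigger."""
    findings: Dict[str, List[str]] = {
        "admin_without_mfa": [],
        "external_admin": [],
        "stale": [],
        "excess_admins": [],
    }
    admins = [a for a in accounts if is_admin(a)]
    for acct in accounts:
        if is_admin(acct) and not acct.mfa:
            findings["admin_without_mfa"].append(acct.name)
        if is_admin(acct) and acct.kind != "internal":
            findings["external_admin"].append(acct.name)
        if acct.days_since_login > stale_days:
            findings["stale"].append(acct.name)
    # Too many privileged accounts is a finding in itself, regardless of hygiene.
    if len(admins) > max_admins:
        findings["excess_admins"] = sorted(a.name for a in admins)
    return findings


def recommend_actions(findings: Dict[str, List[str]]) -> List[str]:
    """Turn findings into the concrete clean-up actions to raise with the project."""
    actions = []
    for name in findings["external_admin"]:
        actions.append(f"{name}: replace admin role with a scoped, time-limited grant")
    for name in findings["admin_without_mfa"]:
        actions.append(f"{name}: enforce MFA before migration cut-over")
    for name in findings["stale"]:
        actions.append(f"{name}: disable and review ownership")
    if findings["excess_admins"]:
        actions.append(f"reduce privileged accounts ({len(findings['excess_admins'])}) "
                       f"to at most {MAX_ADMINS}")
    return actions


if __name__ == "__main__":
    result = audit_accounts(INVENTORY)
    for category, names in result.items():
        print(f"{category}: {', '.join(names) or '-'}")
    for action in recommend_actions(result):
        print("ACTION:", action)
```

Running it against the constructed inventory produces one action per finding; in practice the inventory would be the tenant's real export, and the thresholds would come from the updated access policy agreed in step 2.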
6. Encrypt data
Yes, it’s table stakes but it’s so important that I’ve added it to this list. When using cloud services and applications, your data will likely travel between the private and public cloud, where the demonstrable use of encrypted channels is essential for most security frameworks.
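"Demonstrable use of encrypted channels" means being able to show, not just assert, that a connection cannot fall back to plaintext or skip certificate checks. The example below is added here to illustrate that and is not code from this post's author: it audits a Python TLS client configuration for the usual weakening (verification disabled, hostname checking off, old protocol versions), shows the hardened form beside it, and scans a constructed list of service endpoints for plaintext transports. The endpoint names and URLs are made up for the example.

```python
"""Show that an encrypted channel is actually enforced, not merely available.

Added example; the endpoint inventory below is constructed and the hostnames
are placeholders.
"""
import ssl
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and hostname over TLS 1.2+."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of 'just make it connect' context that turns up in migration scripts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE          # accepts any certificate: channel is not authenticated
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """List the ways a context falls short of a verified, modern TLS channel."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 permitted")
    return findings


# Constructed inventory of the services the migrated workloads talk to.
ENDPOINTS: Dict[str, str] = {
    "crm-sync": "https://crm.example.com/api",
    "legacy-reports": "http://10.0.4.12/reports",
    "warehouse-db": "postgresql://db.example.com/warehouse?sslmode=disable",
    "file-drop": "ftp://partner.example.net/in",
    "hr-db": "postgresql://hr.example.com/hr?sslmode=verify-full",
}

PLAINTEXT_SCHEMES = {"http", "ftp", "telnet", "ldap"}
# libpq sslmode values that still allow an unencrypted connection ('prefer' is its default).
PG_WEAK_SSLMODES = {"disable", "allow", "prefer"}


def plaintext_endpoints(endpoints: Dict[str, str]) -> List[str]:
    """Return the names of endpoints that can be reached without encryption in transit."""
    flagged = []
    for name, url in endpoints.items():
        parts = urlsplit(url)
        if parts.scheme in PLAINTEXT_SCHEMES:
            flagged.append(name)
        elif parts.scheme.startswith("postgres"):
            sslmode = parse_qs(parts.query).get("sslmode", ["prefer"])[0]
            if sslmode in PG_WEAK_SSLMODES:
                flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print("hardened context:", audit_context(hardened_client_context()) or "ok")
    print("weak context:", audit_context(weak_client_context()))
    print("plaintext endpoints:", plaintext_endpoints(ENDPOINTS))
```

The context audit is the evidence you can put in front of an auditor for a given client; the endpoint scan is the quicker first pass over the connection strings a migration inherits, and anything it flags needs either a TLS-enabled equivalent or an explicit, documented exception.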
Summary
In summary, security should be high on the agenda if you’re migrating systems to the cloud. There is no reason why it should slow down your project, in fact, the right approach to security early in the project will help to avoid challenges later, particularly around user permissions.
If you’ve been involved with a project like this, what were your big lessons learned from a security perspective? What have I missed?
Photo by Samuel Zeller on Unsplash