Organizations need to take a considered and gradual approach to cloud migration to ensure security and compliance
For businesses to succeed in 2021 and beyond, agility and responsiveness are critical. Data is the new currency, and businesses need to be able to access theirs instantly and securely to make the rapid-fire business decisions that will make or break their long-term strategies. One way IT can improve responsiveness and business agility is by moving business applications to the cloud.
When migrating applications to the cloud, the need for network security is often overlooked. When this happens, applications are deployed in the cloud without adequate security and compliance measures in place—or, conversely, the security team steps in and halts the migration process.
This puts the company at risk: Inadequate security makes it easier for hackers to access the network and mount an attack against the company, exposing the company to financial losses and legal repercussions. Moreover, if the business is unable to respond to market demands in a timely fashion, there are clear financial implications.
The Challenge of Security
Cloud migration comes with several benefits, but it also exposes a number of security risks. With every advantage comes a cost, and it is up to businesses to do whatever they can to mitigate that risk to leverage the cloud to its fullest potential.
An AlgoSec survey found that organizations reported a range of problems when migrating to public clouds, with 44% having difficulty managing security policies post-migration and nearly a third struggling to map application traffic flows at the start. Respondents also had concerns about applications in the cloud, with the greatest worry being cyberattacks (58%) and unauthorized access (53%) followed by application outages and misconfigured cloud security controls.
But this shouldn’t stop progress from happening. To demonstrate this, let’s take four of the biggest advantages of cloud migration and outline the security challenges that come with them.
- Security and Data Protection
When adopting the public cloud, data itself is much more accessible no matter where it is located, but this does not come without a cost. Data in the cloud is highly regulated and therefore subject to greater regulatory compliance—for example, under GDPR in the EU. Once the data is no longer kept on-premises, security must be tightened and additional security controls must be employed to demonstrate greater control over data storage and usage, in accordance with set guidelines. There are best practices to uphold, as well as financial penalties if organizations do not comply with them.
- Agility
Spinning up a server in the cloud takes mere minutes. Cloud computing requires no hardware and no locally installed software; all you need is a credit card and you can be up and running with your very own cloud-based infrastructure almost instantly. Some businesses are powered purely through SaaS and IaaS services, and it makes them incredibly nimble in rapidly changing times. But this agility also comes with risks. For security to be tight, businesses need complete visibility, and that is not always possible when working exclusively in the cloud. Therefore, stronger pre-fail measures and cloud firewalls are needed, as well as established baselines for allowed connectivity for each cloud server used.
- Cost-saving
The cloud offers zero maintenance and capital cost along with reduced IT support costs. You also have the added benefit of only paying for what you use, which means you don’t have to purchase expensive hardware that you would only need during peak times. However, there may be hidden costs depending on which provider you use, so you will want to monitor usage and cloud assets more generally, ensuring they’re optimized and working as efficiently as possible.
- Time to market
When the cloud is coupled with DevOps practices and tools, organizations can gain a flexible framework in which to build with zero capital investment. PaaS has revolutionized time-to-market for these organizations, but this too comes with risk. With so many teams collaborating on development and so many moving parts in the process, security is often sidelined and even forgotten, meaning it gets tacked on at the end of the process, leaving gaps that can be exploited.
What these organizations need is a security policy automation that supports the DevOps methodology, and more importantly the DevSecOps approach to building a security foundation. This solution needs to be able to automatically copy the firewall rules—and then make the necessary modifications to map rules to the new objects when the rules are applied to each new environment in the DevOps life cycle. With the right automation solution, security can be baked into the entire process.
Cloud migration is absolutely essential for businesses that want to stay market-fit and competitive. But too often security seems to fall down the list of priorities, causing damaging problems in the long run. So how should organizations approach their cloud migration projects to ensure that security and compliance are not compromised during or after the migration?
Visibility Is Key in Cloud Migration
Obtaining an inventory of applications is a key requirement when migrating to the cloud. Most businesses have two types of applications—enterprise and departmental—and it should be relatively easy to obtain the necessary connectivity information needed to migrate them to the cloud. The key here is to know that these applications exist.
Once the list of applications is in place, you can move onto the next stage in the process of closing the security gap as you migrate to the cloud: identifying and sealing any vulnerabilities in the server that could be exploited by a hacker and understanding network connectivity requirements and application attributes such as the number of servers and associated business processes. These elements help determine the complexity involved in migrating applications.
Several attributes can affect the complexity of migrating an application to the cloud, including its specific connectivity requirements and the firewall rules that allow/deny that connectivity. Mapping this connectivity provides a deeper understanding of network traffic, which then provides insight into the flows you will need to migrate and maintain with the application in the cloud. The more applications that utilize a server, the more difficult it is to migrate an application that depends on that server. It may be necessary to migrate the server itself or migrate multiple applications at the same time.
Mapping the firewall rules provides insight into the security measures you will need to put in place once the application has been migrated to the cloud. As a rule of thumb, the more firewall rules are required, the greater the complexity. This mapping allows you to identify and decommission firewall rules that are no longer necessary post-migration.
So how do you generate documentation of application connectivity? The obvious choice is to employ a solution that automatically maps the various network traffic flows, servers and firewall rules for each application. If you do not have access to such an automation solution, manually documenting—however tedious—will provide the necessary information.
Adopting a Migration Strategy
For most businesses, digital transformation is a gradual evolution that requires forethought and strategy to get it right. An organization might choose to only move a few of its applications onto the cloud to begin with and may even choose to use one or more cloud vendors for their needs. Either way, organizations still have a responsibility to manage and maintain security and compliance in the cloud, just as they did on-premises. This will need a deeper understanding of cloud security controls and how they connect to on-premises security devices, made possible by enhanced visibility and automated network management.
No matter which approach they take to cloud migration, organizations need to take a considered and gradual approach, understanding that the responsibility to manage the security and compliance of their services still lies firmly at their door.