How to ensure security in a cloud migration

For as long as organizations have been interested in moving resources to the cloud, they’ve been concerned about security. That interest is only getting stronger as cloud usage grows – making it a perfect topic for the latest #CIOTechTalk Twitter chat.

The chat brought together a host of security consultants and practitioners who weren’t shy about weighing in with their thoughts on a series of questions around the main topic: how to remain secure during cloud migrations.

It’s a timely topic given the rapid cloud migration currently underway. More than two-thirds of the 850 IT leaders who participated in a recent Foundry survey said they were accelerating their cloud migration. Yet, of the top 10 challenges they face, four relate to security:

• Data privacy and security challenges, cited by 35% of respondents
• Lack of cloud security skills/expertise: 34%
• Governance/compliance: 29%
• Securing and protecting cloud resources: 25%

To get the ball rolling, host Isaac Sacolick (@nyike) asked what main security challenges teams encounter when migrating to the public cloud. Among the responses (edited slightly for clarity; this was Twitter, after all):

– Lack of visibility/control over [network] activity

– Complex compliance requirements compounded by lack of internal compliance expertise

– Insider threats and malicious activity

– and the list goes on and on @willkelly

Easy to come up w/50 #cloud #infosec challenges. Significant is ensuring cloud code repositories are secured, especially for #GitHub. Many recent breaches, including #LastPass #Okta #Intel & #Samsung, where attackers got source code access.  @benrothke

Sacolick noted in the early days of cloud, he’d see cloud-certified architects’ drawings with no mention of security and wondered if things were better today.

Yes but it’s a tale of two cities. The “aware” are mature and focus on #DevOps and integrated ways to deploy secure capabilities (like programmatically deploying firewall rules in #cloud). [Between them and] those who are not is a HUGE gap – not a lot in the middle.  @DigitalSecArch

Imagine designing an office building without architectural plans. It’s called a disaster. @benrothke

When asked how security teams should protect data applications and who’s responsible for security, respondents were quick to answer with some variation of:

It is a shared responsibility between the cloud service provider and the customer. @ArsalanAKhan

But respondents disagreed on how clear those responsibilities are to customers:

Too often, without full understanding, shared responsibility = false sense of security. @BrendenBosch

Except it is not fine print. The #cloud service providers make it very clear. They post it on their web site. They share it in their portal. They send it to the customer. @benrothke

Wayne Anderson, a security and risk management leader at Microsoft, offered his “personal guide to cloud security shared responsibility”: 

If it’s in your interface (compute, network, FW, DB, identity etc.), you own it.

That’s EVERYTHING except the hyper-scale management plane. 

Your #cloud CSP won’t save you.  @DigitalSecArch

Next up was the question of how on-premises assets can securely link to cloud assets, which likewise generated some healthy back-and-forth.

Integrate on-premise data center to #cloud, consider using VPN, direct connect, or dedicated network. Implement identity and access management, and continuously monitor and update security posture. @CraigMilroy

VPN, Direct Connect, Secure Gateways, IAM, Encryption, Network Segmentation, etc. These measures help ensure that data is securely transmitted between the on-premise and cloud environments, and that access to sensitive data and applications is tightly controlled. @ArsalanAKhan

This is part of it, but just as much is assuming the connections are public internet, and then designing the application to deal with that reality – hostile network. #encryption, managed #latency, #identity inspection, and certificate validation, etc.  @DigitalSecArch

Assume that there are no boundaries and everything is on the open #internet. Secure from there. @CPetersen_CS

Next the #CIOTechTalk chat focused on which governance and compliance issues organizations need to take into account before migrating to public cloud, another of the top security issues cited in the Foundry survey.

Prior to #cloud migrations, orgs to consider governance & compliance issues such as #dataprivacy, regulations, industry standards, & internal policies. Assess end to end risk/#security, PIA, clearly define data ownership via #datagovernance. @CraigMilroy

Your team has same obligations in the #cloud as you have anywhere else in your business. For the love of all things – please stop trying to give your cloud provider’s SOC2 report to auditors. It doesn’t address your application practices or 3rd party or incidents. @DigitalSecArch

But on the other hand, @Ostendio notes the ability to manipulate SOC 2 scope has led to significant abuse … [making it] difficult to compare audits. Allows orgs to avoid auditing areas that are their weakest link. @benrothke

@benrothke makes a very good point. As a Deming fan, you can’t audit in security. It’s either there at design/build time, or it’s not. All the audits in the world can’t stop breaches that are out of scope or happen at the wrong time in the yearly cycle. @CPetersen_CS

The final chat question was on how working with a partner can enhance visibility and strengthen security posture. In general, Twitter panelists supported the idea, with some caveats.

Most people don’t do their own plumbing or electrical work. They use a trusted partner. So too with the #cloud. Find that trusted partner. But you must know what you need them to do if you want them to do it right. And vet them very, very well. @benrothke

Trying to be an expert at everything = knowledge of next to nothing. Find partners you trust. @nyike

Finally, Peterson had another interesting take on partnering, followed by the last word from Sacolick, the chat moderator:

It’s definitely a way to speed up an org’s “time to competence” in specific areas, but it must come with knowledge transfer commitments and either an acknowledgement that the arrangement is permanent or a time line for the customer to assume responsibility. @CPetersen_CS

Good partners execute. Great partners advise their clients. The best partners educate their client’s staff so that they make smarter decisions. @nyike

You can check out the full February 2, 2023, discussion at #CIOTechTalk. And learn more about effective cloud migration strategies, visit the NTT Communications website.