Despite the benefits derived from using public cloud platforms, organizations are hesitant to push their workloads, data, and containers to the cloud, fearing the vulnerabilities occurring during the transition process. Here are some tips and insights from cybersecurity experts on how organizations can securely migrate from private to public cloud without putting their data at risk.
The shift to the public cloud from the private cloud has been swift and unstoppable for businesses in all sectors, be it in strictly regulated industries like finance or in unregulated areas like services and hospitality. Cost benefits, ease of use, and efficiency has made cloud adoption a no-brainer for today’s businesses who have, by migrating their data to public cloud platforms, also reduced errors, become more nimble, and enhanced customer experiences over the years.
The benefits of public cloud are numerous, explaining why it is the most popular deployment model. According to a report from O’Reilly, public cloud is used by two-thirds of respondents (67%) while a private cloud is used by 45%, and traditional on-premises infrastructure is used by 55%. The benefits of public cloud include 24/7 availability, the option to pay for what you need, scalability, and easier infrastructure management — which means setup is straightforward and on-premises equipment isn’t required.
In recent years, organizations have refurbished their IT strategy, migrating an overwhelming number of their apps and data to public-cloud infrastructure and platforms. However, migrating from private to public cloud violates established cybersecurity models that companies have been following for years. With the growing appetite for public cloud, firms must upscale their cybersecurity strategies to use cloud services securely while fully utilizing the speed and agility that these services offer.
Pre & Post Public Cloud Migration Risks
Moving apps to the public cloud today means moving to multiple clouds and also using cloud identities. This creates new challenges that didn’t exist five years ago. Multi-cloud means managing the many rather than the few.
For organizations that have not yet moved to the cloud, there are three key risks explained by Eric Olden, CEO of Strata Identity, which they need to address:
Outdated technology exposures: Most mature companies struggle with decades of technical debt that has piled up over time. When combined with technologies that haven’t evolved, it’s a recipe for risk.
- Outdated technology exposures: Most mature companies struggle with decades of technical debt that has piled up over time. When combined with technologies that haven’t evolved, it’s a recipe for risk.
- Slow migration: Meanwhile, many organizations can’t migrate to the cloud fast enough because they are forced to rewrite their apps to work in cloud environments. This can lead to apps getting ‘stuck’ on-premises putting cloud adoption at risk.
- Skills shortages: Lastly, it is tough for enterprises that rely on legacy systems to find the talent needed to run these outdated systems.
For organizations that have already moved to the cloud, there are different risks to consider:
- Fragmentation: Multi-cloud is inevitable for most organizations as they look to diversify their investments and hedge and leverage each cloud’s unique capabilities. With multi-cloud comes fragmentation across these clouds and stacks. Fragmentation makes it hard to see the inconsistencies, which can lead to the risk of unexpected access combinations across systems.
- Distributed Management: With distributed applications and architectures, you need to manage many things in many places outside the confines of the data center. Many organizations don’t have the tools to manage distributed environments since this is a new problem. The risk is more fragmentation paired with a lack of tooling to manage the cloud sprawl for identity and access management.
- Lock-in: Lastly, the risk of lock-in to cloud platforms because identity is tightly integrated directly with applications. Once an app is integrated with identity, it usually requires rewriting the app to change clouds or identity providers.
The solution to these pre- and post-cloud migration risks is to use standards and an abstraction layer to decouple apps from identity and break lock-in. “Also, use identity orchestration to enable consistent identity and access to your apps regardless of where they run and which identity systems you use,” Olden added.
Security Considerations While Moving from Private to Public Cloud
Effectively managing the security and compliance of public cloud deployments can be tricky for many organizations. This may primarily be due to a lack of common terminology for components of various public clouds. This is a useful chart:
Beyond the terminology, multiple factors contribute to the issues associated with deploying and maintaining highly secure public cloud environments. Let’s check out a few security considerations before making a move towards the public cloud model.
Adhere to Shared Responsibility Model
Cloud service providers follow a shared security responsibility regime. When organizations transfer apps, data, and workloads to the cloud, the security team retains some security duties. In contrast, the provider assumes some but not all of them. To reduce the danger of bringing risks into your public cloud setting, it’s critical to define the boundary between your duties and those of your providers.
Clint Harris, consultant at AT&T Cybersecurity, highlighted the need for a shared responsibility model. He said, “Unlike security and compliance controls in private cloud, the security of public cloud deployments is a shared responsibility between the cloud provider and customer. While a Software as a Service (SaaS) deployment minimizes the number of elements that a public cloud customer is responsible for, responsibilities increase when using a Platform as a Service (PaaS) and continues to expand with Infrastructure as a Service (IaaS) deployments.”
“Because of this, it’s key that organizations with public cloud deployments know which cloud components and associated security controls they’re responsible for so that they can implement appropriate controls and monitor them over time to provide for their on-going effectiveness,” he added. Organizations can ensure a safe environment with minimal operational overhead by collaborating with their respective cloud providers and splitting security duties.
Enhance Visibility & Teach Security
The move from private to public cloud concerning security considerations starts with understanding their differences, outlined ChaosSearch’s CTO and founder Thomas Hazel. “Public cloud providers such as Amazon’s AWS have built an extremely secure environment, probably more secure than on-prem (i.e., Private Cloud) an organization can construct,” he said. The resources major cloud providers can bring to bear around security is quite impressive. There have been public breaches over the years of company data; however, each instance has been attributed to user error.
“That is not to say AWS, Azure, or GCP don’t have holes, but they have highly skilled teams with controls and procedures to close them. And here lies the risk, transitioning from private to public requires individuals to be trained on how to securely build IT in the cloud. Many of the company breaches over the years were basic mistakes within an organization’s controls and procedures,” added Hazel.
It’s critical to understand that visibility into workloads/machines and all related resources along with a highly skilled team is a must. Furthermore, having access to the total public cloud account’s settings and security policies is critical. It’s hard to adequately defend public cloud deployments and ensure they remain protected over time without the comprehensive picture these give.
The next critical task to cater to is constructing, preserving, and implementing authorized configurations once organizations understand the aspects they’re liable for protecting and complete updated visibility into their cloud resources and related assets. Privately established compliance, security measures besides applicable industry standards should be included in such settings. It’s vital that the assets and related resources deployed inside public clouds are continuously inspected and their permitted configurations maintained after such approved configurations are developed and deployed.
Ermetic’s CEO Shai Morag thinks that to mitigate risks to cloud applications and data, businesses should perform a holistic assessment of their cloud environments to identify any misconfigurations or vulnerabilities that could be exploited in a breach. “The security silos that characterize on-premises data centers do not exist in cloud environments, which is a huge benefit. It enables security teams to assess risk across identities, data, network and workloads to rapidly understand and minimize the attack surface. Look for next-generation cloud-native security solutions that take this kind of integrated approach, rather than porting existing security tools to the cloud. This will eliminate the need to cobble together different data sources via a SIEM in order to detect and remediate risk.”
Audit Apps & Assess Workload Behaviour
Organizations should audit application and assess workload behaviors before a cloud migration project to ensure unwanted or over-privileged access permissions are not inherited by the cloud deployment, opined Sameer Malhotra, CEO of Truefort. “In addition, applications and workloads moved to the cloud should be hardened to using NIST standards and continuously monitored for compliance with these best practice guidelines, including configurations and file integrity controls.” Post-migration, all application activity should be monitored to ensure applications and workloads continue to exhibit expected behaviors. Meanwhile, new application requirements or changes should be captured and updated for monitoring in the cloud.
Despite the advantages of public-cloud platforms, companies have been hesitant to migrate their operations to the cloud due to cybersecurity concerns. To summarise, businesses must take a proactive, methodical strategy to adapt their cyber defenses to the public cloud. We think the following three strategies will help firms build a coherent, successful approach to public-cloud cybersecurity:
- Creating a cloud-centric cybersecurity model
- Overhauling set of cybersecurity controls considering public cloud
- Amalgamating DevOps with cybersecurity
While addressing the aforementioned typical cloud concerns might be difficult for some firms, cybersecurity experts can help with the security and management of public cloud deployments. Working with a professional consultant allows businesses to delegate the grunt work to the security experts since they will be able to completely handle these typical blunders on-demand, enabling organizations to focus on their core business.