The cloud has become indispensable to business. Cloud adoption stands at 88 per cent in the UK, with 67 per cent intending to expand their usage in 2018. Most organisations are either actively using the cloud or migrating at least part of their workload onto it. Few doubt the broad range of benefits and savings it can provide. However, security and data concerns linger, causing some businesses to think twice before starting their migration.
While cloud adoption has become the norm, too many organisations start their journey without a clear strategy to steer their migration. The first casualty, inevitably, is security. Without the right precautions, data, applications, servers and networks are all vulnerable. This lack of planning can also create the misconception that the cloud is less secure than the data centre when, in fact, the opposite is the case.
It is time to review your current security strategy and architecture to check that it is fit for purpose with the adoption of new cloud services. Once you have your security strategy in place, it will form the basis of your security requirements for implementation in the cloud.
A comprehensive, preplanned security strategy is central to any cloud migration. It protects the company from both external and internal attack and will help encourage the buy-in needed from company leadership.
Fail to prepare, prepare to fail
The cloud offers secure systems, applications and data at a fraction of the cost of installing them on-premise. It delivers encryption, advanced identity and access management, the reduction of human error as well as automated resource logging and inspection. It is no wonder that only one per cent of UK organisations has suffered a security breach in the cloud.
Yet, when a high-profile data breach occurs it is often the cloud platform of the business that receives the lion’s share of the blame. More often than not, the real problem lies in the company’s failure to prepare adequately for the cloud, whether technically, culturally or procedurally.
Many organisations take a surprisingly devil-may-care approach to cloud adoption. Their security strategies are not fit for purpose, and they move onto the cloud in the hope that they can iron out any difficulties as they appear. Instead, organisations should ensure systems are cloud-ready before shifting their data, services and applications across.
The cloud is not a panacea for existing security weaknesses – it requires a security architecture and strong internal security policies to achieve its potential for a more secure processing environment. Implementers should first plan out the full cloud infrastructure, which will tell them what is needed from a security perspective. They will have to decide where their data is stored, where their applications are run and what is needed to protect them. A complete security design is needed from the very beginning.
Before the migration begins, you must ensure all cloud accounts and user permissions are in place. The public cloud can be accessed by anyone with an internet connection or VPN, so the correct authorisations should be set up to prevent your crucial data being compromised or your services disrupted by any bad actors.
Remember also that you cannot simply migrate your existing anti-virus or firewall to the cloud. They are unlikely to have been designed for the cloud, or their licenses will not be cloud-friendly. Updating or replacing them will require product and device selection, but it is essential to maintaining a strong perimeter. You may also choose to boost your response to security incidents and events by going down the increasingly popular route of outsourcing your security incident and event management (SIEM) to a provider.
Expectation meets reality
Most cloud migrations will require some level of challenging the status quo. Readying the business for the cloud may cause existing spending plans to change. Yet, when done properly, the process is never confrontational.
Not every challenge will be technical – in fact, the hard, technical aspects of migration are often the easy ones. Instead, the challenges are often cultural and a matter of perception. Situations that people do not understand are often viewed as threats and generate opposition. Change itself often creates opposition, and you may find it coming from the company’s business and financial decision-makers as well as the incumbent security team. Most stakeholders will not have undertaken a cloud migration before, and we all fear the unknown. Ultimately, it is down to cloud advocates to defuse conflicts by acting as educators and guiding the rest of the business through the implementation.
The process of migration should be measured, gradual and always iterative. Many organisations set themselves up for failure by lacking the capabilities to properly test their applications in the cloud. Testing is an invaluable way of uncovering issues before they can harm you in deployment. The pressure will be on to migrate as quickly as possible, but implementers should always take the time to test before deployment.
Proper training is also an important part of preparation. As many as 28 per cent of data breaches are down to employee negligence or the actions of a malicious insider. In a public or private cloud environment, this danger remains. Security awareness must be a top priority, and all employees should be trained on your updated policies and the consequences of exposing the company to a data breach.
When migrating to the cloud, you reap what you sow. Your company cannot enjoy the benefits of the cloud without first ensuring that it is safe and secure. This is best done during the migration phase, but only if the business is willing. It is up to implementers to remind them that investment now will pay dividends later.
Written by Richard Latham, Principal Consultant at KCOM