Cloud migration security: considerations and strategy

August 21st, 2023 Posted in Information Security

 

In the rapidly evolving landscape of modern business, organisations are increasingly turning to cloud migration to achieve enhanced operational efficiency and scalability. However, amidst the excitement of this transformative journey, there is one concern that demands attention: security. While the cloud offers a myriad of benefits, its efficiencies are matched by the responsibility to ensure the security of assets and data in the cloud environment.

In this article, we discuss security and the considerations that should be at the forefront of your cloud migration security strategy. To make this blog manageable we break this down further, into before, during and after stages of cloud migration. First, it is important to define what we mean by cloud migration.

What is cloud migration?

Cloud migration is the transfer of applications, data, and digital operations from local infrastructure to a virtualised environment, hosted on distributed physical infrastructure managed by a Cloud Service Provider. This point is critical: your data is still sitting somewhere in the physical world, and that somewhere needs securing in the same way any local architecture would.

The responsibility has just been transferred to the Cloud Service Provider (CSP). This is just one example of how responsibility for security is shaken up by moving to a cloud environment.

Understanding this Shared Responsibility Model is vital to understanding and managing your cloud security risks effectively, as is ensuring you are not just using the cloud platform’s default security settings. Using a third-party expert cloud security assessment service provider is a great way to ensure your settings are set up as effectively as they should be for your organisation’s unique needs.

Before migration

Know your assets, know your risk

Risk-based decision-making is fundamental to information security. Unsurprisingly, it is also the key driver behind secure cloud migration. We recently covered the importance of ensuring and maintaining information security in relation to the cloud – the new iteration of the ISO 27001 standard outlines the processes required for the acquisition, use, management and exit from cloud services in relation to the organisation’s unique information security requirements. Understanding risks presented during cloud migration enables you to prioritise countermeasures and mitigate risks that fall outside your organisation’s risk-acceptable criteria, whilst facilitating (rather than hindering) business operations.

Fundamental to knowing and evaluating your risks is to a) know what your assets are, and b) understand the criticality of those assets to your business. Without a clear picture of the scope of the migration, organisations will struggle to effectively design a secure cloud environment and continue to protect their assets during and after migration.

Knowing your assets is only a part of this. Other important points to consider include:

  • Regulatory and compliance requirements: Depending on the data you process, you may be subject to data security, processing, or residency requirements. Whilst most major CSPs have a range of tools and reports available to manage in line with the shared responsibility model,
  • Availability and Performance Requirements: You are at the mercy of a 3rd party. If the CSP has an outage, you may suffer significant disruption which is outside your control to remediate. Tech lock-in should also be considered. Having an exit strategy in place from the beginning is advisable, especially for smaller CSPs.
  • Outsourcing Security: Depending on the service and the deployment model, security measures are outsourced to the CSP. In some cases, especially when dealing with critical assets, this may not meet your business security and compliance requirements.
  • Internal knowledge and skills to operate a cloud environment: Misconfigurations or human error during cloud deployment or application development may lead to poor design decisions, misconfigurations, or data leaks. Working in the cloud often requires changes to processes and change management or deployment workflows, and an understanding of the cloud tech stack (e.g., around API (Application Programming Interface), authentication, and session management, etc.).
  • Cost Management and Scaling Requirements: The cloud operating model is built on just-in-time access to resources and the scaling of resources quickly. This can lead to unexpected or spiralling costs if not managed.

Determine a cloud migration model that meets your security requirements

There are three key cloud migration models each with their own benefits, drawbacks, and costs. These are:

  • Public Cloud: Cloud resources are shared by multiple consumers, with segregation happening logically on the CSP’s hardware. Whilst this may be cost and resource efficient, you have no control over the underlying infrastructure, which may lead to security and compliance concerns.
  • Private Cloud: The underlying infrastructure is dedicated to hosting only your organisation. This has the most enhanced security and control offerings at the cost of maintaining the hardware and staffing the appropriately skilled cloud engineers.
  • Hybrid Cloud: Mixes both elements of a public and private cloud model. The obvious benefit is that it adopts the best of both models in terms of efficiency and security. However, this is a complex integration to get right and requires specialist expertise to build and maintain which, if done wrong, could open vulnerabilities and lead to data exposure.

The model you choose must be driven by the output of your risk assessments. For example, you may decide that the most critical information is better off behind your managed firewall in which case a Hybrid Cloud model could be considered. If you are a government, top secret documents on a Public Cloud environment may be unacceptable (though I am sure it happens…) making Private Cloud a more suitable model.

Understand your responsibility

The Shared Responsibility Model is not a new concept in security and outsourcing. It is often misunderstood, especially as cloud offerings adapt and change rapidly, and it is not applied equally by CSPs. AWS and Microsoft publish clear guidelines to help distinguish their responsibility from yours, but it is not always clear. Whether you are looking for IaaS (Infrastructure as a Service), PaaS (Platform as a Service), or SaaS (Software as a Service) solutions, you must work with your CSP to understand what your responsibility is in your cloud environment.

Identity and Access Management (IAM)

IAM refers to the policies and permissions that define who gets access to and can use resources in your cloud environment. It is critical to get right, but it can be complex to juggle user identities, roles and permissions effectively, and it is tempting to keep them broad to limit management overhead or work around an issue. Overly permissive user or service accounts are a common vulnerability exploited to compromise your assets. Permissions should be assigned on an as-needed basis to mitigate this risk. Leverage RBAC (Role Based Access Control) and authentication controls such as multi-factor authentication for additional layers of management control and protection. Multi-factor authentication requires multiple credentials for verification and is now considered a foundational security control rather than a nice-to-have.
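To make "overly permissive" concrete, the following added example (not part of the original article) audits a policy written in AWS IAM JSON syntax for wildcard actions, wildcard resources, and IAM changes that are allowed without an MFA condition. The sample policy, bucket name and account ID are constructed, and treating every `iam:` action as MFA-worthy is an assumption made for illustration.

```python
import json

# Constructed sample policy (not from the article), in AWS IAM JSON policy syntax.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Sid": "S3Wild", "Effect": "Allow", "Action": ["s3:*"],
   "Resource": "arn:aws:s3:::example-migration-bucket/*"},
  {"Sid": "IamNoMfa", "Effect": "Allow", "Action": "iam:CreateAccessKey",
   "Resource": "arn:aws:iam::111122223333:user/example"},
  {"Sid": "Scoped", "Effect": "Allow", "Action": ["s3:GetObject"],
   "Resource": "arn:aws:s3:::example-migration-bucket/reports/*"},
  {"Sid": "IamWithMfa", "Effect": "Allow", "Action": "iam:DeleteUser",
   "Resource": "arn:aws:iam::111122223333:user/example",
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
]}
""")

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def _requires_mfa(stmt):
    """True when the statement only applies to MFA-authenticated sessions."""
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return str(flag).lower() == "true"

def audit_policy(policy):
    """Return (Sid, finding) pairs for Allow statements that break least privilege."""
    findings = []
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a lone statement may be a bare object
        stmts = [stmts]
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "applies to every resource"))
        # Assumption for this example: any iam: action should require MFA.
        if any(a.lower().startswith("iam:") for a in actions) and not _requires_mfa(stmt):
            findings.append((sid, "IAM change allowed without an MFA condition"))
    return findings

if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```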

Firewall and network security

In cloud migration, network security is paramount. Luckily, most major IaaS providers have a comprehensive set of native features to enable granular networking, such as VPCs (Virtual Private Clouds), Security Groups, and Firewalls, that can be configured to restrict access to environments to only those who require it. Utilise multiple features to achieve a virtual defence in depth model.

Beyond that, network security encompasses practices such as:

  • IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems), and web app firewalls: These systems monitor network and/or system activities for malicious exploits or security breaches and protect web-facing resources from common internet-borne attacks such as SQL injections and Cross-Site Scripting.
  • Network Logging and Monitoring: Without proper logging and monitoring, an organisation cannot detect and respond to cloud security incidents, leaving them vulnerable to cyberattacks.
  • Zero Trust Model: This model operates under the principle of ‘never trust, always verify.’ Even traffic originating from within the network must be verified before gaining access to network resources. We discuss the principles behind zero trust in our blog ‘What is zero-trust security?’.

Storage and encryption

Getting cloud storage and encryption right is fundamental to your migration. Whilst CSPs are getting better at ensuring default settings are secure (such as preventing S3 buckets from defaulting to public), it is still your responsibility to ensure that the storage and encryption configuration meets your organisation’s security requirements. How data is handled at rest and in transit may have significant compliance as well as security considerations. Your key management requirements should be assessed against the resource overhead involved.

Customer-managed keys (CMKs) provide customers with direct control over encryption keys, offering enhanced security but requiring diligent effort for proper management, while provider-managed keys delegate key management to the cloud provider, simplifying the process but potentially raising concerns about control and dependency on the provider’s security measures.

Avoiding misconfigurations: Secure configuration reviews and automation

CSPs play a vital role in securing the services that they provide; however, they often prioritise user experience, usability, and ease of deployment, at a trade-off with security. We always advise adopting a proactive approach to the secure configuration of your cloud environment. CSPs provide a suite of native tools and services (often free) to assess security measures and monitor compliance with security policies.
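As an added example of an automated configuration review (not part of the original article and not a CSP tool), the check below scans security group ingress rules for administrative ports or all traffic exposed to any source address. The sample data is constructed in the shape of EC2 DescribeSecurityGroups output; the group IDs and the choice of SSH and RDP as admin ports are assumptions.

```python
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # assumption: ports treated as admin-only
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}      # any IPv4 source, any IPv6 source

# Constructed sample (not real data), shaped like EC2 DescribeSecurityGroups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # A wide port range hides RDP, and only the IPv6 side is open.
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

def review_security_groups(groups):
    """Return (GroupId, finding) pairs for ingress rules open to the internet."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            sources = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            sources |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            if not sources & OPEN_CIDRS:
                continue  # restricted to specific networks
            if rule.get("IpProtocol") == "-1":  # "-1" = every protocol and port
                findings.append((group["GroupId"], "all traffic open to the internet"))
                continue
            low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            for port, name in ADMIN_PORTS.items():
                if low <= port <= high:
                    findings.append(
                        (group["GroupId"], f"{name} ({port}) open to the internet"))
    return findings

if __name__ == "__main__":
    for group_id, finding in review_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: {finding}")
```

Public HTTPS on sg-0bbb is not flagged, because only the ports listed in `ADMIN_PORTS` are treated as findings.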

After migration

Monitoring, auditing, incident response

Post-migration, an Incident Response Plan is essential. Maintaining a close watch over your cloud environment is pivotal to detecting and responding to potential security breaches. This plan outlines the processes that will take place in response to a detected security incident. Continuous monitoring involves the use of tools like IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) solutions that continually analyse your cloud environment for signs of malicious activity. Auditing refers to the process of reviewing logs and configurations to ensure they meet security and compliance standards.

Build backup and recovery strategies

Your cloud migration security strategy should include robust backup and disaster recovery plans, all of which should be included in your Business Continuity Plan. This plan ensures that critical operations continue smoothly, even when unexpected incidents occur. Regularly backing up data and systems to secure remote locations ensures that, in the event of a breach or system failure, you can swiftly restore operations without significant disruption.

Other considerations

Security awareness: Training your team

Staff are the front line of your security programme. The effectiveness of cloud security measures hinges on the expertise, awareness, and diligence of your team. Staff should have cyber security awareness training to operate securely in the new environment and be empowered to identify and report suspicious events and respond to incidents appropriately.

Conclusion

The core message of this blog is that taking a proactive, holistic, and coordinated approach to cloud migration security from the outset is vital. It helps ensure that cloud vulnerabilities and risks are identified and addressed early on whilst minimising disruption to your core business, and it reduces the need for costly retroactive security controls.

Security must also be considered an ongoing process, continuing well after the migration is completed. Your cloud security controls should be continuously monitored and assessed to ensure that your environment complies with your organisation’s security requirements, and cloud penetration testing should be factored in to ensure they meet your risk and business objectives as threats change and evolve.

Need help with migrating your cloud?

If you need help or advice on managing your cloud security, we are here to help. We advise on security vulnerabilities, help you select the security technology, and check that your systems are configured correctly. Contact us for a friendly chat.


Written by Patrik Jakus

Patrik is a Cloud Security Assessor at Evalian, providing professional security services to clients. Having previously worked for a managed security service provider as a Security engineer specialising in cloud technologies, Patrik was involved in a variety of projects including Cloud Security Assessments, DLP (Data Loss Prevention) engineering, MDR (Managed Detection and Response) engineering and Attack Surface Management. Patrik is certified in AWS, Azure and Ethical Hacking.