7 Steps to a Smooth, Secure Cloud Transition
Security leaders share their top steps to keep in mind as your organization moves data and applications to the cloud.
The rapid rate of cloud adoption has put the spotlight on security as businesses try to control and secure data and applications. Employees are moving to the cloud regardless of what the security team says, and their habits aren't changing any time soon.
Cloud adoption has ramped up over the past five years, according to a new Cloud Threat Report released by Oracle and KPMG this week. The percentage of businesses using public cloud services went from 57% in 2013 to 85% in 2018. In 2013, only 21% of organizations said they used infrastructure-as-a-service (IaaS). This year, that number hit 51% - a 143% increase.
This major shift is creating a new wave of cybersecurity challenges, says Akshay Bhargava, vice president of Oracle's cloud business group. Enterprise cloud users are realizing the complexity of threats to data in the cloud as new devices and identities access cloud environments.
"The biggest finding for us is just difficulty keeping pace at scale," he explains. "Many organizations are facing a challenge: their cloud adoption is growing significantly faster than their ability to secure their cloud footprint."
Ninety percent of survey respondents categorize at least half of their cloud-resident data as sensitive. It's worth noting that "sensitive" is a subjective term but generally, this information includes CRM data, personally identifiable info, payment card data, legal documents, source code, designs, and other types of intellectual property.
Despite the increasing trust in the cloud - 83% of respondents rate cloud security as good or better than on-prem security - companies often fail to take the right steps to ensure they're secure during the cloud transition. One of these is properly vetting a cloud service provider before doing business with them - a step that challenges many organizations.
Most (98%) of Oracle/KPMG's respondents conduct formal security reviews of public cloud service providers before doing business with them. However, only 47% conduct these assessments on their own and 52% use a third party. The challenge comes from the lack of an industry standard for benchmarking providers' security programs, which creates ambiguity.
If you're thinking with a cloud-first mindset, you should be making sure all the right boxes are checked before you make the leap. Here, security experts highlight the most important steps to keep in mind while moving to the cloud. Did they miss any? Feel free to add to our list.
Oftentimes organizations think about the cloud provider's infrastructure as an extension of their own, "bringing an old-school legacy mentality" to cloud adoption, says Patrick Foxhoven, CIO and vice president of emerging technologies at Zscaler.
"A lot of times, companies will think about how to pin their corporate network with the cloud provider's environment and run physical circuits stitching the two together," he says. As a result, connectivity is static and businesses miss certain advantages, like achieving the full portability and elasticity of the cloud.
Foxhoven attributes the misstep to a lack of insight and education around the new capabilities that cloud can provide, as well as "unwillingness to think about new things."
Before you transfer data to a cloud provider, take an inventory and determine what, exactly, you're moving and what you want to do with it, says John Pironti, president of IP Architects. Understand which data security controls you need to meet your objectives.
"What is it I have now, and what am I looking to do when I get there?" he says. Ask your cloud provider which security options they will give you and how you'll receive security updates. As you inventory your data and plan the move, Pironti advises prioritizing protective qualities including data privacy, availability, encryption, visibility, and how you can prevent unauthorized users from accessing your data in the cloud.
"Customers are realizing they're still on the hook to provide security for some of the things that happen in the cloud," says Vittorio Viarengo, vice president of marketing for McAfee's Cloud Business Unit. Now businesses are starting to take a closer look at their specific security needs.
The security your provider offers will vary depending on your cloud service. If you're browsing infrastructure-as-a-service platforms, he says, the provider is responsible for host infrastructure, operating system infrastructure, and physical security so nobody can access the actual server. The customer is responsible for network security, application-level controls, identity and access management (IAM), endpoint protection, and data classification and accountability. Software-as-a-service providers handle physical security, and network and application security, but customers are on the hook for data and user security, IAM, and endpoint protection.
"In a cloud environment you have to be very careful, very diligent about reviewing security settings," says Pironti. "It's easy to make a mistake; it's easy to leave something open."
He points to the wave of incidents throughout 2017 in which major companies misconfigured their Amazon S3 storage buckets and accidentally exposed their data to the public. On-premise environments have data safeguards that cloud environments don't, he notes. People conceptually realize their cloud-based data doesn't have this protection, but don't take the proper steps to make sure it's safe.
As you plan your cloud transition, it's important to meet with everyone involved to make sure all members of the team know how things are going to work.
"One of the most critical things is, first of all, have the DevOps, developers, and security teams speaking the same language," says Govshteyn. "Get them to agree on the basics: what is our most important data, what are our most important applications."
"Another common mistake is misunderstanding pricing models, and what goes into a solution," says Foxhoven. Businesses need to determine the financial implications of running different apps in a cloud environment. For some applications, it's economically advantageous to move to the cloud. For others, the cost might not justify the effort. An application that needs a ton of raw online storage, accessible in real time, might not make sense to move to a cloud provider, he notes.
As they try to convince their executive boards to move to the cloud, security pros often sell the idea that cloud services will let them reduce staff. In fact, the opposite is true, says Pironti.
"We actually need more staff with cloud," he points out. "We need a new level of conversation, a new level of focus." While cloud adoption can cut infrastructure costs to a certain extent, it won't reduce staff.
What kind of employees should you be looking for? "People who understand services and applications," Pironti says, adding that these skills should be more in-demand than infrastructure and operating system security. "They need to understand services and how they work, which exposures they create."