Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Matt Lock
Matt Lock
Connect Directly
E-Mail vvv

Storms & Silver Linings: Avoiding the Dangers of Cloud Migration

We hear a lot about the sunlit uplands of cloud-powered business, but what about the risks of making information available across the organization?

We're familiar with the many benefits of the cloud. Following a successful cloud migration, organizations can liberate their data from on-premises storage systems and set it free. Teams can collaborate across time zones and build truly global workflows that were unthinkable just a few years ago.

Related Content:

With Cloud, CDO and CISO Concerns Are Equally Important

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How President Biden Can Better Defend the US From Russian Hacks

But when it comes to actually enacting the cloud migration, a hard rain awaits the unwary, particularly when unforeseen circumstances occur, like a global pandemic that forces organizations to hurriedly push forward "two years of digital transformation in two months." We hear a lot about the sunlit uplands of cloud-powered business, but what about the dangers?

Storm on the Horizon
The coronavirus pandemic prompted unprecedented levels of cloud migration. According to Deloitte, the cloud market grew faster in 2020 than in 2019 despite the "steepest economic contraction in modern history." Demand is not likely to slow down any time soon, with IDC reporting that 90% of global enterprises now expect to rely on hybrid cloud by 2022.

The benefits of cloud migration include decreased management overheads and greater flexibility to expand or contract storage requirements with the click of a button rather than purchasing and decommissioning physical servers in a data center.

Yet there is a huge risk to making information available to a distributed workforce. It only takes one compromised endpoint to cause a shattering data breach when an organization's data is overexposed and unmonitored. Further peril awaits organizations that use collaborative tools like Slack, Teams, or SharePoint, which facilitate easy, effortless information sharing but do not adequately incentivize secure working practices. It's now unprecedentedly straightforward to share a sensitive document with a colleague or hand over a password. Sadly, convenience can be the enemy of security.

Overexposed and Underprotected
One of the most concerning stats Varonis' researchers found suggests that a junior analyst who joins a major financial institution has access to 20% of the company's data on their first day of employment — amounting to 11 million files. This is called organization-wide exposure (OWE) and is essentially the opposite of zero trust. Migration can make this problem worse.

When sensitive data is available to the entire company, data breaches, insider threats, and ransomware attacks become much more likely. If this data is distributed across a remote workforce operating away from the scrutiny of IT staff and on-premises protections, the risk is amplified to unacceptable levels.

Good Migrations
The responsibility for migrating data rests on the shoulders of IT, and it's a heavy load to bear. The data must be moved with as little downtime as possible before being placed in the right location and made available to the correct people. This process throws up obvious risks of further overexposure, which means it must be carefully planned.

It's difficult to provide an all-in-one checklist that can be used in all migrations, but there are best practices to follow.

First, exclude stale or obsolete data from the migration to reduce both risk and storage costs. Set up rules to decide whether data is stale, perhaps excluding data that hasn't been accessed for a long time.

Next, put special plans in place for sensitive data such as personally identifiable information, particularly if it is protected by privacy laws. Take a similarly cautious approach towards critical data such as contracts or intellectual property. And take care to avoid further overexposure by granting access to the wrong people. At the same time, ensure the right users are not cut off from the data they need to access to do their jobs.

It pays to build an inventory of the existing data estate, paying attention to dark data. During a migration, many organizations find SharePoint sites, Exchange mailboxes, public folders, and file shares they didn't even know existed. Some will contain toxic and overexposed regulated information, so it's critically important to build a complete and accurate inventory. Apply a classification taxonomy to data so that sensitive files can be flagged, monitored, and treated correctly.

Establishing data owners for sensitive data is also strongly advised. Once these are established, review entitlements before and after migration to weed out excess access and cut down the risk of overexposure.

Getting Organized
To minimize OWE, enact least-privilege access to ensure staff have access only to the files they need. It's crucial to gain visibility over overexposed data by auditing files to assess who has access to them and whether they need to be open to the wider organization or strictly limited to a small number of employees.

Blanket open access should be revoked and permissions replaced with single-purpose groups consisting only of employees who unequivocally need to access that data. This solution can be enacted without causing major disruptions to day-to-day work. Once an organization has visibility over its overexposed files, it can fix permissions at times when the files are not likely to be in high demand.

Ideally, the process of removing open access and replacing permissions with single-purpose groups should be automated.

When migrating into the cloud, it's important to keep your feet on the ground. Remember the storms and you'll enjoy the sunshine all the more.

Matt Lock has 20 years of cybersecurity experience and is an expert on data security. As technical director at Varonis, he heads up the team that undertakes risk assessments and data governance projects, helping organizations to secure and manage ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file