6/24/2021
10:00 AM
Matt Lock

Storms & Silver Linings: Avoiding the Dangers of Cloud Migration

We hear a lot about the sunlit uplands of cloud-powered business, but what about the risks of making information available across the organization?

We're familiar with the many benefits of the cloud. Following a successful cloud migration, organizations can liberate their data from on-premises storage systems and set it free. Teams can collaborate across time zones and build truly global workflows that were unthinkable just a few years ago.

But when it comes to actually enacting the cloud migration, a hard rain awaits the unwary, particularly when unforeseen circumstances occur, like a global pandemic that forces organizations to hurriedly push forward "two years of digital transformation in two months." We hear a lot about the sunlit uplands of cloud-powered business, but what about the dangers?

Storm on the Horizon
The coronavirus pandemic prompted unprecedented levels of cloud migration. According to Deloitte, the cloud market grew faster in 2020 than in 2019 despite the "steepest economic contraction in modern history." Demand is not likely to slow down any time soon, with IDC reporting that 90% of global enterprises now expect to rely on hybrid cloud by 2022.

The benefits of cloud migration include decreased management overheads and greater flexibility to expand or contract storage requirements with the click of a button rather than purchasing and decommissioning physical servers in a data center.

Yet there is a huge risk to making information available to a distributed workforce. It only takes one compromised endpoint to cause a shattering data breach when an organization's data is overexposed and unmonitored. Further peril awaits organizations that use collaborative tools like Slack, Teams, or SharePoint, which facilitate easy, effortless information sharing but do not adequately incentivize secure working practices. It's now unprecedentedly straightforward to share a sensitive document with a colleague or hand over a password. Sadly, convenience can be the enemy of security.

Overexposed and Underprotected
One of the most concerning stats Varonis' researchers found suggests that a junior analyst who joins a major financial institution has access to 20% of the company's data on their first day of employment — amounting to 11 million files. This is called organization-wide exposure (OWE) and is essentially the opposite of zero trust. Migration can make this problem worse.

When sensitive data is available to the entire company, data breaches, insider threats, and ransomware attacks become much more likely. If this data is distributed across a remote workforce operating away from the scrutiny of IT staff and on-premises protections, the risk is amplified to unacceptable levels.

Good Migrations
The responsibility for migrating data rests on the shoulders of IT, and it's a heavy load to bear. The data must be moved with as little downtime as possible before being placed in the right location and made available to the correct people. This process throws up obvious risks of further overexposure, which means it must be carefully planned.

It's difficult to provide an all-in-one checklist that can be used in all migrations, but there are best practices to follow.

First, exclude stale or obsolete data from the migration to reduce both risk and storage costs. Set up rules to decide whether data is stale, perhaps excluding data that hasn't been accessed for a long time.

Next, put special plans in place for sensitive data such as personally identifiable information, particularly if it is protected by privacy laws. Take a similarly cautious approach towards critical data such as contracts or intellectual property. And take care not to create further overexposure by granting access to the wrong people. At the same time, ensure the right users are not cut off from the data they need to access to do their jobs.

It pays to build an inventory of the existing data estate, paying attention to dark data. During a migration, many organizations find SharePoint sites, Exchange mailboxes, public folders, and file shares they didn't even know existed. Some will contain toxic and overexposed regulated information, so it's critically important to build a complete and accurate inventory. Apply a classification taxonomy to data so that sensitive files can be flagged, monitored, and treated correctly.

Establishing data owners for sensitive data is also strongly advised. Once these are established, review entitlements before and after migration to weed out excess access and cut down the risk of overexposure.

Getting Organized
To minimize OWE, enact least-privilege access to ensure staff have access only to the files they need. It's crucial to gain visibility over overexposed data by auditing files to assess who has access to them and whether they need to be open to the wider organization or strictly limited to a small number of employees.

Blanket open access should be revoked and permissions replaced with single-purpose groups consisting only of employees who unequivocally need to access that data. This solution can be enacted without causing major disruptions to day-to-day work. Once an organization has visibility over its overexposed files, it can fix permissions at times when the files are not likely to be in high demand.

Ideally, the process of removing open access and replacing permissions with single-purpose groups should be automated.
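As an added illustration (not code from the article or from Varonis), the sketch below turns the steps above into a pre-migration plan: it skips stale files, labels sensitive ones for owner review, and swaps blanket-access principals for a single-purpose group. The inventory fields, principal names, regex rules, 730-day threshold, and `grp-` naming scheme are all assumptions made for the example.

```python
import posixpath
import re
from datetime import date, timedelta

# Assumed names for blanket-access principals; adjust to the directory in use.
OPEN_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
# Illustrative classification rules only; a real taxonomy is much broader.
CLASSIFIERS = {
    "pii:ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "critical:contract": re.compile(r"\b(agreement|contract)\b", re.I),
}
INVENTORY = [  # constructed sample records, not real data
    {"path": "/hr/payroll/2021-q1.csv", "last_accessed": date(2021, 5, 30),
     "acl": ["Everyone", "hr-admins"], "recent_readers": ["alice", "bob"],
     "sample": "name,ssn\nJ. Doe,123-45-6789"},
    {"path": "/archive/photos-2015.zip", "last_accessed": date(2016, 3, 1),
     "acl": ["Domain Users"], "recent_readers": [], "sample": ""},
    {"path": "/eng/readme.txt", "last_accessed": date(2021, 6, 1),
     "acl": ["eng-team"], "recent_readers": ["carol"], "sample": "build notes"},
]

def classify(text):
    """Return the labels whose pattern matches the content sample."""
    return sorted(label for label, rx in CLASSIFIERS.items() if rx.search(text))

def plan_migration(inventory, today, stale_days=730):
    """Per file: skip stale data, flag sensitive data, replace open access."""
    cutoff = today - timedelta(days=stale_days)
    plan = []
    for rec in inventory:
        labels = classify(rec["sample"])
        entry = {"path": rec["path"], "action": "migrate", "labels": labels,
                 "acl": sorted(rec["acl"]), "owner_review": bool(labels)}
        if rec["last_accessed"] < cutoff:
            entry["action"] = "exclude_stale"  # left behind, not copied
        elif OPEN_PRINCIPALS & set(rec["acl"]):
            # Swap blanket access for a single-purpose group per folder, seeded
            # with users seen reading the file (assumes access audit data).
            folder = posixpath.dirname(rec["path"]).strip("/").replace("/", "-")
            group = "grp-" + folder
            entry["acl"] = sorted((set(rec["acl"]) - OPEN_PRINCIPALS) | {group})
            entry["group_members"] = sorted(rec["recent_readers"])
        plan.append(entry)
    return plan

if __name__ == "__main__":
    for row in plan_migration(INVENTORY, date(2021, 6, 24)):
        print(row)
```

The proposed group membership is only a starting point; the data owner confirms it before and after the move.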

When migrating into the cloud, it's important to keep your feet on the ground. Remember the storms and you'll enjoy the sunshine all the more.

Matt Lock has 20 years of cybersecurity experience and is an expert on data security. As technical director at Varonis, he heads up the team that undertakes risk assessments and data governance projects, helping organizations to secure and manage ...