Dark Reading is part of the Informa Tech Division of Informa PLC

6/24/2021
10:00 AM
Matt Lock
Commentary

Storms & Silver Linings: Avoiding the Dangers of Cloud Migration

We hear a lot about the sunlit uplands of cloud-powered business, but what about the risks of making information available across the organization?

We're familiar with the many benefits of the cloud. Following a successful cloud migration, organizations can liberate their data from on-premises storage systems and set it free. Teams can collaborate across time zones and build truly global workflows that were unthinkable just a few years ago.

But when it comes to actually enacting the cloud migration, a hard rain awaits the unwary, particularly when unforeseen circumstances occur, like a global pandemic that forces organizations to hurriedly push forward "two years of digital transformation in two months." We hear a lot about the sunlit uplands of cloud-powered business, but what about the dangers?

Storm on the Horizon
The coronavirus pandemic prompted unprecedented levels of cloud migration. According to Deloitte, the cloud market grew faster in 2020 than in 2019 despite the "steepest economic contraction in modern history." Demand is not likely to slow down any time soon, with IDC reporting that 90% of global enterprises now expect to rely on hybrid cloud by 2022.

The benefits of cloud migration include decreased management overheads and greater flexibility to expand or contract storage requirements with the click of a button rather than purchasing and decommissioning physical servers in a data center.

Yet there is a huge risk to making information available to a distributed workforce. It only takes one compromised endpoint to cause a shattering data breach when an organization's data is overexposed and unmonitored. Further peril awaits organizations that use collaborative tools like Slack, Teams, or SharePoint, which facilitate easy, effortless information sharing but do not adequately incentivize secure working practices. It's now unprecedentedly straightforward to share a sensitive document with a colleague or hand over a password. Sadly, convenience can be the enemy of security.

Overexposed and Underprotected
One of the most concerning stats Varonis' researchers found suggests that a junior analyst who joins a major financial institution has access to 20% of the company's data on their first day of employment — amounting to 11 million files. This is called organization-wide exposure (OWE) and is essentially the opposite of zero trust. Migration can make this problem worse.

When sensitive data is available to the entire company, data breaches, insider threats, and ransomware attacks become much more likely. If this data is distributed across a remote workforce operating away from the scrutiny of IT staff and on-premises protections, the risk is amplified to unacceptable levels.

Good Migrations
The responsibility for migrating data rests on the shoulders of IT, and it's a heavy load to bear. The data must be moved with as little downtime as possible before being placed in the right location and made available to the correct people. This process throws up obvious risks of further overexposure, which means it must be carefully planned.

It's difficult to provide an all-in-one checklist that can be used in all migrations, but there are best practices to follow.

First, exclude stale or obsolete data from the migration to reduce both risk and storage costs. Set up rules to decide whether data is stale, perhaps excluding data that hasn't been accessed for a long time.

Next, put special plans in place for sensitive data such as personally identifiable information, particularly if it is protected by privacy laws. Take a similarly cautious approach towards critical data such as contracts or intellectual property. Take care not to create further overexposure by granting access to the wrong people. At the same time, ensure the right users are not cut off from the data they need to do their jobs.

It pays to build an inventory of the existing data estate, paying attention to dark data. During a migration, many organizations find SharePoint sites, Exchange mailboxes, public folders, and file shares they didn't even know existed. Some will contain toxic and overexposed regulated information, so it's critically important to build a complete and accurate inventory. Apply a classification taxonomy to data so that sensitive files can be flagged, monitored, and treated correctly.

Establishing data owners for sensitive data is also strongly advised. Once these are established, review entitlements before and after migration to weed out excess access and cut down the risk of overexposure.

Getting Organized
To minimize OWE, enact least-privilege access to ensure staff have access only to the files they need. It's crucial to gain visibility over overexposed data by auditing files to assess who has access to them and whether they need to be open to the wider organization or strictly limited to a small number of employees.

Blanket open access should be revoked and permissions replaced with single-purpose groups consisting only of employees who unequivocally need to access that data. This solution can be enacted without causing major disruptions to day-to-day work. Once an organization has visibility over its overexposed files, it can fix permissions at times when the files are not likely to be in high demand.

Ideally, the process of removing open access and replacing permissions with single-purpose groups should be automated.
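
The triage described in "Good Migrations" and "Getting Organized" can be sketched as a script; this is an added example, not code from the article or from Varonis. The inventory rows, the two-year staleness threshold, the set of organization-wide groups and the `grp-` naming scheme are all assumptions made for illustration.

```python
from datetime import date

# Assumptions (not from the article): these principals count as organization-wide
# access, and "stale" means not accessed for two years.
OPEN_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
STALE_AFTER_DAYS = 730

# Constructed sample inventory; a real one would come from a file-system or
# SharePoint permissions export combined with access logs.
INVENTORY = [
    {"path": "finance/contracts", "last_access": date(2021, 6, 1), "sensitive": True,
     "acl": {"Everyone", "Finance-Admins"}, "recent_users": {"alice", "bob"}},
    {"path": "hr/payroll-2015", "last_access": date(2016, 1, 10), "sensitive": True,
     "acl": {"Domain Users"}, "recent_users": set()},
    {"path": "marketing/brochures", "last_access": date(2021, 5, 20), "sensitive": False,
     "acl": {"Authenticated Users"}, "recent_users": {"carol"}},
    {"path": "eng/designs", "last_access": date(2021, 6, 20), "sensitive": True,
     "acl": {"Eng-Designs-RW"}, "recent_users": {"dave"}},
]

def plan_migration(inventory, today):
    """Sort each location into: exclude (stale), remediate (open access), migrate as is."""
    plan = {"exclude_stale": [], "remediate": [], "migrate": []}
    for item in inventory:
        if (today - item["last_access"]).days > STALE_AFTER_DAYS:
            plan["exclude_stale"].append(item["path"])
            continue
        open_access = item["acl"] & OPEN_GROUPS
        if not open_access:
            plan["migrate"].append(item["path"])
            continue
        # Proposed single-purpose group, seeded from observed users; the data
        # owner confirms membership before the open group is revoked.
        plan["remediate"].append({
            "path": item["path"],
            "sensitive": item["sensitive"],
            "revoke": sorted(open_access),
            "new_group": "grp-" + item["path"].replace("/", "-"),
            "members": sorted(item["recent_users"]),
        })
    # Sensitive locations are fixed first.
    plan["remediate"].sort(key=lambda r: (not r["sensitive"], r["path"]))
    return plan

if __name__ == "__main__":
    for section, entries in plan_migration(INVENTORY, date(2021, 6, 24)).items():
        print(section, entries)
```

Seeding the replacement group from recent users keeps the right people connected while the data owner reviews the list, which is the balance the article asks for.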

When migrating into the cloud, it's important to keep your feet on the ground. Remember the storms and you'll enjoy the sunshine all the more.

Matt Lock has 20 years of cybersecurity experience and is an expert on data security. As technical director at Varonis, he heads up the team that undertakes risk assessments and data governance projects, helping organizations to secure and manage ...