
6/24/2021
10:00 AM
Matt Lock
Commentary

Storms & Silver Linings: Avoiding the Dangers of Cloud Migration

We hear a lot about the sunlit uplands of cloud-powered business, but what about the risks of making information available across the organization?

We're familiar with the many benefits of the cloud. Following a successful cloud migration, organizations can liberate their data from on-premises storage systems and set it free. Teams can collaborate across time zones and build truly global workflows that were unthinkable just a few years ago.


But when it comes to actually enacting the cloud migration, a hard rain awaits the unwary, particularly when unforeseen circumstances occur, like a global pandemic that forces organizations to hurriedly push forward "two years of digital transformation in two months." We hear a lot about the sunlit uplands of cloud-powered business, but what about the dangers?

Storm on the Horizon
The coronavirus pandemic prompted unprecedented levels of cloud migration. According to Deloitte, the cloud market grew faster in 2020 than in 2019 despite the "steepest economic contraction in modern history." Demand is not likely to slow down any time soon, with IDC reporting that 90% of global enterprises now expect to rely on hybrid cloud by 2022.

The benefits of cloud migration include decreased management overheads and greater flexibility to expand or contract storage requirements with the click of a button rather than purchasing and decommissioning physical servers in a data center.

Yet there is a huge risk to making information available to a distributed workforce. It only takes one compromised endpoint to cause a shattering data breach when an organization's data is overexposed and unmonitored. Further peril awaits organizations that use collaborative tools like Slack, Teams, or SharePoint, which facilitate easy, effortless information sharing but do not adequately incentivize secure working practices. It's now unprecedentedly straightforward to share a sensitive document with a colleague or hand over a password. Sadly, convenience can be the enemy of security.

Overexposed and Underprotected
One of the most concerning stats Varonis' researchers found suggests that a junior analyst who joins a major financial institution has access to 20% of the company's data on their first day of employment — amounting to 11 million files. This is called organization-wide exposure (OWE) and is essentially the opposite of zero trust. Migration can make this problem worse.

When sensitive data is available to the entire company, data breaches, insider threats, and ransomware attacks become much more likely. If this data is distributed across a remote workforce operating away from the scrutiny of IT staff and on-premises protections, the risk is amplified to unacceptable levels.

Good Migrations
The responsibility for migrating data rests on the shoulders of IT, and it's a heavy load to bear. The data must be moved with as little downtime as possible before being placed in the right location and made available to the correct people. This process throws up obvious risks of further overexposure, which means it must be carefully planned.

It's difficult to provide an all-in-one checklist that can be used in all migrations, but there are best practices to follow.

First, exclude stale or obsolete data from the migration to reduce both risk and storage costs. Set up rules to decide whether data is stale, perhaps excluding data that hasn't been accessed for a long time.

Next, put special plans in place for sensitive data such as personally identifiable information, particularly if it is protected by privacy laws. Take a similarly cautious approach towards critical data such as contracts or intellectual property. And take care to avoid further overexposure by granting access to the wrong people. At the same time, ensure the right users are not cut off from the data they need to access to do their jobs.

It pays to build an inventory of the existing data estate, paying attention to dark data. During a migration, many organizations find SharePoint sites, Exchange mailboxes, public folders, and file shares they didn't even know existed. Some will contain toxic and overexposed regulated information, so it's critically important to build a complete and accurate inventory. Apply a classification taxonomy to data so that sensitive files can be flagged, monitored, and treated correctly.

Establishing data owners for sensitive data is also strongly advised. Once these are established, review entitlements before and after migration to weed out excess access and cut down the risk of overexposure.

Getting Organized
To minimize OWE, enact least-privilege access to ensure staff have access only to the files they need. It's crucial to gain visibility over overexposed data by auditing files to assess who has access to them and whether they need to be open to the wider organization or strictly limited to a small number of employees.

Blanket open access should be revoked and permissions replaced with single-purpose groups consisting only of employees who unequivocally need to access that data. This solution can be enacted without causing major disruptions to day-to-day work. Once an organization has visibility over its overexposed files, it can fix permissions at times when the files are not likely to be in high demand.

Ideally, the process of removing open access and replacing permissions with single-purpose groups should be automated.
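As an added illustration (not from the article or from any vendor tooling), the sketch below applies the rules above to an inventory: stale items are excluded, content is classified, and blanket access is swapped for a single-purpose group. The 365-day threshold, the broad principal names, the regex patterns, the `grp-` naming scheme, and the use of recent audit-log users to seed group membership are all assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Illustrative assumptions: threshold, broad-principal names, patterns.
STALE_AFTER = timedelta(days=365)
BROAD = {"Everyone", "Authenticated Users", "Domain Users"}
PATTERNS = {"us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
            "email": re.compile(r"\b[\w.+-]+@[\w-]+\.\w+\b")}

@dataclass
class Item:
    path: str
    last_accessed: date
    acl: set                      # principals currently granted access
    text: str = ""                # content sample used for classification
    recent_users: set = field(default_factory=set)  # from access audit logs

def plan(items, today):
    """One decision per inventory item: skip stale data, close open access."""
    out = []
    for it in items:
        labels = sorted(k for k, rx in PATTERNS.items() if rx.search(it.text))
        d = {"path": it.path, "labels": labels, "acl": set(it.acl), "members": set()}
        broad = it.acl & BROAD
        if today - it.last_accessed > STALE_AFTER:
            d["action"] = "exclude_stale"
        elif broad:
            # Swap blanket access for one single-purpose group, seeded with
            # users seen in the audit log; the data owner confirms the list.
            group = "grp-" + re.sub(r"[^a-z0-9]+", "-", it.path.lower()).strip("-")
            d.update(action="migrate_restricted", acl=(it.acl - broad) | {group},
                     members=set(it.recent_users))
        else:
            d["action"] = "migrate"
        # Sensitive and overexposed: route to the data owner for review.
        d["owner_review"] = bool(labels) and bool(broad)
        out.append(d)
    return out

# Constructed sample inventory (not real data).
SAMPLE = [
    Item("/finance/payroll-2021.csv", date(2021, 6, 1), {"Everyone", "hr-admins"},
         "Jane Roe 000-12-3456", {"alice", "bob"}),
    Item("/archive/old-plan.doc", date(2018, 1, 5), {"Domain Users"}, "draft"),
    Item("/eng/design.md", date(2021, 5, 20), {"eng-team"}, "internal notes"),
]

if __name__ == "__main__":
    for d in plan(SAMPLE, today=date(2021, 6, 24)):
        print(d["action"], d["path"], sorted(d["acl"]), d["labels"], d["owner_review"])
```

Running the same plan before and after migration and comparing the resulting ACLs gives the entitlement review described earlier.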

When migrating into the cloud, it's important to keep your feet on the ground. Remember the storms and you'll enjoy the sunshine all the more.

Matt Lock has 20 years of cybersecurity experience and is an expert on data security. As technical director at Varonis, he heads up the team that undertakes risk assessments and data governance projects, helping organizations to secure and manage ...