Security, Compliance Risks Complicate Cloud Migration Efforts 

Security and compliance risks rank among the top barriers to achieving value from investments in moving to the cloud, as organizations grapple with what they consider an “urgent priority,” according to a recent report from Accenture.

The global survey of 800 business and IT leaders found that security continues to be one of the top barriers to cloud migration efforts as organizations shift ever more complex and business-critical systems to the cloud.

Indeed, cloud migration doesn’t come without risks, particularly to a company’s data; cloud migrations make data more accessible as it flows behind the scenes between different services.

These risks are higher if the migration speed is accelerated to try to take advantage of objectives like cost savings, the survey found.

Martijn Loderus, vice president at Symmetry Systems, said when speed is a priority, the biggest risk is that digital transformations tend to revert to “lift and shift” cloud migration without the support of experienced partners.

“Often they fail to use cloud-native services; this results in an opaque infrastructure solution that becomes increasingly difficult to manage,” he said. “With cloud expertise and skills—particularly in security—in high demand, organizations can fail to take advantage of the opportunity to secure their data more effectively and quickly overlook compliance requirements because of the scale and complexity they are suddenly exposed to.”

When data is migrated outside of the traditional perimeter, security approaches built on the traditional mindset of securing the systems and networks on which data is stored struggle to restrict access to the data itself.

Loderus said security teams, therefore, need to deploy a data-centric security strategy that applies zero-trust fundamentals to prevent unauthorized access to data and services and make access control enforcement as granular as possible down to the data object.

He added that most compliance regulations remain focused on data—ranging from privacy regulations to PCI regulations.

“These regulations require organizations to not only know where their data is and what data it is but be able to understand how it is being used and who is using it,” he explained. “As organizations execute on their cloud migration, they need to ensure they have tight control and visibility of their data that they haven’t had before.”

Vijay Chander, co-founder and CTO at Valtix, said security leaders must empower cloud security architects to create a blueprint and work across teams to drive consistency.

“By selecting a cloud security reference architecture, organizations can align on what cloud security best practices minimize risk while also balancing the costs or technology and resources,” he said.

He cautioned that adherence to specific details of compliance standards can often be missed when moving to the cloud.

“While the CSPs can satisfy some of the basics for a standard like PCI, they don’t provide a comprehensive solution,” he said. “Auditors find the gaps after the migration and cloud teams are left scrambling to try to plug the holes.”

Chander said as organizations make the move, they quickly realize that security in the public cloud is very different from the data center.

While there are shared responsibilities in the cloud, ultimately, it’s up to the organization to protect its workloads and data.

“Organizations must think through their cloud security architecture and defense-in-depth strategy to protect their assets, but must do so while managing cost considerations,” he noted. “Multi-cloud adds additional risk and further complicates the situation since, with a lack of standards, each cloud requires a different approach.”

Guillaume Ross, deputy CISO at JupiterOne, said security leaders can ensure that some guard rails are in place by starting with cloud policies that will limit the use of known “dangerous” configurations as early as possible.

“This will pay off because the less experience an organization has in the cloud, the more likely they are to make ‘simple’ mistakes that could be dangerous,” he explained. “Then, ensure your migration to the cloud is going to leverage the features the cloud has to offer.”

He added that data residency and encryption are often a concern, especially in regulated environments.

“Thankfully, as the cloud has matured quite a bit over the last decade, most vendors now propose different ways of controlling where data resides and is processed,” Ross said.

Loderus admitted organizations struggle to secure data at scale in the cloud—making seemingly obvious (at least in hindsight) mistakes that result in yet another cloud data store being inadvertently exposed publicly.

“Cloud migration provides an opportunity to treat data with the respect it deserves and ensure that the use of data is instrumented from the start, allowing organizations to continually right-size least privilege to data; and respond effectively to potential data breaches,” he said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
