9 cloud migration security considerations and challenges – TechTarget

As organizations plan to move workloads and applications into the cloud, they encounter a fundamental problem. The security controls and practices they’ve built for their on-premises environments aren’t quite what they’ll need in the cloud, where everything is software-based and deeply integrated.
The cloud presents new opportunities for all enterprises — but it also comes with new risks, and considerations and strategies to mitigate these risks. Let’s explore how businesses should approach the security aspects of a cloud migration, from fundamentals of access control and governance to API integrations and continuous monitoring.
There are three significant differences between cloud and on-premises security:
Shared responsibilities. The concept of the shared responsibility model for data protection and cybersecurity has been part of most outsourcing arrangements for many years, but the nature of shared security responsibilities changed with the advent of cloud. All major cloud providers support shared responsibility in the cloud, but not all of these models are created equal.
Your IaaS cloud provider agreement should clearly delineate these responsibilities. AWS, for example, breaks down its responsibility model into two primary categories:
All cloud providers are wholly responsible for physical security of their data center environments. Additionally, they are responsible for data center disaster recovery planning, business continuity, and legal and personnel requirements that pertain to security of their operating environments.
Cloud customers still need to plan for their own disaster recovery and continuity processes, particularly in IaaS clouds where they build infrastructure. Customers that want to manage data backups in SaaS and PaaS environments should incorporate these into existing data protection and recovery strategies.
Software. Another major difference between on-premises and cloud security is that everything in the cloud is software-based. This brings unique requirements for controls and processes, and potentially new tools and services to fulfill security objectives. Again, the cloud provider is responsible for managing and securing the hardware that underpins its services.
Governance. Be prepared to restructure governance workflows and reporting lines. In the cloud, governance needs to be much more agile and continuous, with representation from diverse groups of stakeholders and technical disciplines. You will need to involve a wider variety of stakeholders and make decisions much more quickly than is typical for on-premises governance practices.
There are numerous important cloud security considerations, but these should be your top priorities:
Regulatory and compliance requirements. Any cloud environment you migrate to must meet necessary regulations and compliance requirements. All major cloud service providers offer a range of compliance and audit attestations related to the capabilities and controls they maintain, per the aforementioned shared responsibility model. However, organizations must ensure they meet privacy requirements on their end of the shared responsibility. For example, they may need specialized cloud security controls and services to meet stringent industry requirements, such as those for finance, healthcare and government agencies.
Cloud control plane visibility. The cloud control plane provides a set of controls and settings. It enables various types of functionality, such as logging enablement and administrative access. Large, complex environments, such as AWS or Microsoft Azure, can have an overwhelming number of settings to enable and monitor. Organizations should apply industry best practices, such as the Center for Internet Security benchmarks, to initially configure and secure cloud accounts and subscriptions, and monitor carefully thereafter for changes and risky configuration settings.
Privileged access controls. A cloud migration introduces new types of privileged users, such as cloud architects, site reliability engineers and DevOps engineers. Plan to implement strong privilege oversight when moving to most cloud provider environments.
Automation and APIs. Organizations must design security controls with some degree of automation to adapt and scale throughout a cloud migration, including the pace of ongoing cloud operations. This is most often accomplished via extensive use of cloud provider APIs, as well as specialized tools and services that can help streamline and integrate security automation for desired use cases.
Alongside the plethora of cloud security considerations during migrations, security teams should prepare to encounter and mitigate an array of challenges along the way:
Lack of skills and knowledge. Many DevOps and cloud engineering teams “take things into their own hands” due to a lack of cloud technology and security understanding.
Data exposure. Large cloud service environments contain a wide variety of data storage and processing services. It’s easy to accidentally expose data through poorly configured access controls, encryption and other data protection measures.
Lack of visibility and monitoring. Cloud migrations introduce a much more dynamic pace of change and day-to-day operations. Security teams often scramble to understand what is going on in cloud environments, especially when dealing with a multi-cloud environment.
Poor IAM. It is a challenge to identify appropriate least-privilege roles and identity policies, particularly in large and multi-cloud scenarios that involve numerous types of use cases and a different identity policy engine for each provider. Weak or improperly applied identity policies and permissions are a prime target for attackers in the cloud.
Misconfigured control plane settings. In addition to IAM, the cloud control plane handles various configuration settings that, if improperly managed, could lead to exposure or increased threat surface. These could include administrative console access, weak authentication requirements, porous network access controls and exposed APIs.
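The IAM challenge above is easier to manage when over-broad policies are caught mechanically before they are attached to a role. The following is an added example, not code from the article or from any cloud provider: a small linter for AWS-style IAM policy documents that flags Allow statements using wildcard actions, wildcard verbs on privileged services, or a wildcard Resource with no Condition. The policy document, the set of services treated as high risk and the severity labels are all constructed for this example.

```python
"""Least-privilege linter for AWS-style IAM policy documents.

Added example (not from the TechTarget article): flags statements that grant
broad permissions so reviewers can spot over-privileged roles before they are
deployed. SAMPLE_POLICY is constructed input; HIGH_RISK_SERVICES is a judgement
call chosen for this example, not an AWS-defined list.
"""
import json
from typing import Dict, List

# Constructed sample policy: one scoped statement, two over-broad ones, one Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data",
                      "arn:aws:s3:::example-app-data/*"]},
        {"Sid": "AdminEverything", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "IamWildcard", "Effect": "Allow",
         "Action": ["iam:*", "ec2:DescribeInstances"], "Resource": "*"},
        {"Sid": "ExplicitDeny", "Effect": "Deny",
         "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})

# Services whose wildcard verbs are effectively full administrative control
# (assumed list for this example).
HIGH_RISK_SERVICES = {"iam", "sts", "organizations", "kms"}


def _as_list(value) -> List[str]:
    """IAM accepts either a string or a list for Action/Resource; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy_json: str) -> List[Dict[str, str]]:
    """Return one finding per over-broad grant found in Allow statements."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]

    findings: List[Dict[str, str]] = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        for action in actions:
            service, _, verb = action.partition(":")
            if action == "*":
                findings.append({"sid": sid, "severity": "critical",
                                 "reason": "Action '*' grants every API call"})
            elif verb == "*" and service.lower() in HIGH_RISK_SERVICES:
                findings.append({"sid": sid, "severity": "high",
                                 "reason": f"wildcard verb on privileged service {service}"})
            elif verb == "*":
                findings.append({"sid": sid, "severity": "medium",
                                 "reason": f"wildcard verb on service {service}"})

        # A '*' resource is acceptable for some read-only APIs, but it should at
        # least be constrained by a Condition (source VPC, tags, MFA, ...).
        if "*" in resources and not has_condition:
            findings.append({"sid": sid, "severity": "medium",
                             "reason": "Resource '*' with no Condition block"})
    return findings


def flagged_statements(policy_json: str) -> List[str]:
    """Distinct Sids that produced at least one finding, in policy order."""
    seen: List[str] = []
    for f in lint_policy(policy_json):
        if f["sid"] not in seen:
            seen.append(f["sid"])
    return seen


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(f"[{finding['severity']:8}] {finding['sid']}: {finding['reason']}")
```

Running the linter on the sample policy reports nothing for ReadOwnBucket, a critical finding plus an unconditioned Resource finding for AdminEverything, and a high finding for iam:* plus an unconditioned Resource finding for IamWildcard. Wiring a check like this into the IaC pipeline, so that policies are linted alongside the templates that reference them, is one concrete way to give the dedicated IAM function described later in the article something measurable to enforce.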
Organizations can take many steps to successfully prepare for and mitigate cloud migration security challenges.
The most important first step in a cloud migration plan is to establish proper cloud governance. For day-to-day cloud engineering, oversight and administration, including change management, design a governance model with the following team breakdown:
To ensure cohesion across teams, form a cloud governance committee with representatives from all of these areas above, as well as dotted-line representation from legal, compliance, audit and technology leadership.
Once a central cloud governance structure is in place, here are some other top security priorities for any organization migrating to the cloud:
Establish a set of security standards and baselines. Develop baseline security standards in collaboration with the governance team. At a minimum, the list should include cloud control plane configuration, IaC templates, cloud workload vulnerability posture, and DevOps and cloud infrastructure privilege assignment.
Create a dedicated IAM function. Identities and role/privilege assignment are critical in the cloud, so dedicate an operational focus on this area.
Require multifactor authentication for all administrative access. Enable multifactor authentication for any privileged access to the cloud environment. This will help mitigate common brute-force attacks against administrative accounts.
Enable cloud-wide logging. All major cloud service providers offer logging services, such as AWS CloudTrail and Azure Monitor. Turn these on and send the logs to a centralized collector or service for analysis. Use logs to develop cloud behavior baselines and detect security events or incidents.
Invest in a cloud security posture management service. Organizations should continuously monitor the state of all things, from the cloud control plane to the current configuration of assets. As cloud deployments increase in number and complexity, a service that tracks all configuration settings in numerous clouds or cloud accounts becomes invaluable to help detect misconfigurations that could cause security issues.
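The four items above (MFA for administrators, cloud-wide logging, configuration monitoring, and the control plane baseline from the considerations section) can be expressed as machine-checkable rules. The following is an added example, not code from the article, a cloud provider or any CSPM vendor: a posture checker that evaluates a snapshot of an account's control-plane settings against a handful of baseline rules, and a detector that runs over CloudTrail-style records looking for console logins without MFA and for changes to audit logging. The snapshot structure and its field names are my own simplification; the CloudTrail field names (eventName, userIdentity.userName, additionalEventData.MFAUsed, sourceIPAddress) and the event names in LOGGING_TAMPER_EVENTS follow the real record format. All input data is constructed so the script runs offline; in practice the snapshot would be populated from provider APIs.

```python
"""Control-plane posture checks plus CloudTrail-style event detection.

Added example, not the article's or any vendor's code. ACCOUNT_SNAPSHOT and
SAMPLE_EVENTS are constructed; the snapshot schema is an assumption made for
this example, while the event fields mirror real CloudTrail records.
"""
from typing import Dict, List

# Constructed snapshot of one account's control-plane settings.
ACCOUNT_SNAPSHOT: Dict = {
    "users": [
        {"name": "alice", "admin": True, "mfa_enabled": True},
        {"name": "bob", "admin": True, "mfa_enabled": False},
        {"name": "svc-deploy", "admin": False, "mfa_enabled": False},
    ],
    "trails": [
        {"name": "org-trail", "is_multi_region": False, "is_logging": True},
    ],
    "buckets": [
        {"name": "app-data", "public": False},
        {"name": "marketing-assets", "public": True},
    ],
    "security_groups": [
        {"name": "web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
}

# Remote-administration ports that should never be open to the whole internet.
ADMIN_PORTS = {22, 3389}


def check_posture(snapshot: Dict) -> List[str]:
    """Evaluate baseline rules against the snapshot; return findings."""
    findings: List[str] = []
    # Rule 1: every administrative identity must have MFA enabled.
    for user in snapshot["users"]:
        if user["admin"] and not user["mfa_enabled"]:
            findings.append(f"admin user {user['name']} has no MFA")
    # Rule 2: at least one trail must be logging and cover every region.
    if not any(t["is_logging"] and t["is_multi_region"] for t in snapshot["trails"]):
        findings.append("no active multi-region audit trail")
    # Rule 3: storage must not be publicly accessible.
    for bucket in snapshot["buckets"]:
        if bucket["public"]:
            findings.append(f"bucket {bucket['name']} is publicly accessible")
    # Rule 4: admin ports must not be reachable from 0.0.0.0/0.
    for sg in snapshot["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                findings.append(
                    f"security group {sg['name']} exposes port {rule['port']} to the internet")
    return findings


# Constructed CloudTrail-style records (a subset of the real fields).
SAMPLE_EVENTS: List[Dict] = [
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.5"},
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "StopLogging", "userIdentity": {"userName": "bob"},
     "requestParameters": {"name": "org-trail"}, "sourceIPAddress": "203.0.113.5"},
    {"eventName": "DescribeInstances", "userIdentity": {"userName": "svc-deploy"},
     "sourceIPAddress": "10.0.0.4"},
]

# CloudTrail API calls that weaken or disable audit logging.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def detect_events(events: List[Dict]) -> List[str]:
    """Return an alert string for each event matching a detection rule."""
    alerts: List[str] = []
    for ev in events:
        name = ev.get("eventName")
        who = ev.get("userIdentity", {}).get("userName", "unknown")
        src = ev.get("sourceIPAddress", "unknown")
        mfa_used = ev.get("additionalEventData", {}).get("MFAUsed")
        if name == "ConsoleLogin" and mfa_used != "Yes":
            alerts.append(f"console login without MFA by {who} from {src}")
        elif name in LOGGING_TAMPER_EVENTS:
            alerts.append(f"audit-logging change {name} by {who} from {src}")
    return alerts


if __name__ == "__main__":
    for line in check_posture(ACCOUNT_SNAPSHOT):
        print("POSTURE:", line)
    for line in detect_events(SAMPLE_EVENTS):
        print("ALERT:  ", line)
```

On the sample data the posture check reports four findings (an administrator without MFA, no multi-region trail, a public bucket, and SSH open to the internet), and the detector raises two alerts (a console login without MFA and a StopLogging call). The value of the approach is that the same rules run on every account and on every scheduled snapshot, which is what turns a one-time hardening exercise into the continuous configuration monitoring the article recommends.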