How to ensure security in a cloud migration

For as long as organizations have been interested in moving resources to the cloud, they’ve been concerned about security. That interest is only getting stronger as cloud usage grows, making it a perfect topic for the latest #CIOTechTalk Twitter chat.
The chat brought together a host of security consultants and practitioners who weren’t shy about weighing in with their thoughts on a series of questions around the main topic: how to remain secure during cloud migrations.

It’s a timely topic given the rapid cloud migration currently underway. More than two-thirds of the 850 IT leaders who participated in a recent Foundry survey said they were accelerating their cloud migration. Yet, of the top 10 challenges they face, four relate to security:

  • Data privacy and security challenges, cited by 35% of respondents
  • Lack of cloud security skills/expertise: 34%
  • Governance/compliance: 29%
  • Securing and protecting cloud resources: 25%

To get the ball rolling, host Isaac Sacolick (@nyike) asked what main security challenges teams encounter when migrating to the public cloud. Among the responses (edited slightly for clarity; this was Twitter, after all):

Lack of visibility/control over [network] activity
Complex compliance requirements compounded by lack of internal compliance expertise
Insider threats and malicious activity
... and the list goes on and on.
@willkelly

Easy to come up w/50 #cloud #infosec challenges. Significant is ensuring cloud code repositories are secured, especially for #GitHub. Many recent breaches, including #LastPass #Okta #Intel & #Samsung, where attackers got source code access.
@benrothke

Sacolick noted that in the early days of cloud, he’d see cloud-certified architects’ drawings with no mention of security, and wondered if things were better today.

Yes, but it’s a tale of two cities. The “aware” are mature and focus on #DevOps and integrated ways to deploy secure capabilities (like programmatically deploying firewall rules in #cloud). [Between them and] those who are not is a HUGE gap; not a lot in the middle.
@DigitalSecArch

Imagine designing an office building without architectural plans. It’s called a disaster.
@benrothke

When asked how security teams should protect data and applications, and who’s responsible for security, respondents were quick to answer with some variation of:

It is a shared responsibility between the cloud service provider and the customer.
@ArsalanAKhan

But respondents disagreed on how clear those responsibilities are to customers:

Too often, without full understanding, shared responsibility = false sense of security.
@BrendenBosch

Except it is not fine print. The #cloud service providers make it very clear. They post it on their web site. They share it in their portal. They send it to the customer.
@benrothke

Wayne Anderson, a security and risk management leader at Microsoft, offered his “personal guide to cloud security shared responsibility”:

If it’s in your interface (compute, network, FW, DB, identity etc.), you own it.

That’s EVERYTHING except the hyper-scale management plane.

Your #cloud CSP won’t save you.
@DigitalSecArch

Next up was the question of how on-premises assets can securely link to cloud assets, which likewise generated some healthy back-and-forth.

Integrate on-premise data center to #cloud, consider using VPN, direct connect, or dedicated network. Implement identity and access management, and continuously monitor and update security posture.
@CraigMilroy

VPN, Direct Connect, Secure Gateways, IAM, Encryption, Network Segmentation, etc. These measures help ensure that data is securely transmitted between the on-premise and cloud environments, and that access to sensitive data and applications is tightly controlled.
@ArsalanAKhan

This is part of it, but just as much is assuming the connections are public internet, and then designing the application to deal with that reality: hostile network. #encryption, managed #latency, #identity inspection, and certificate validation, etc.
@DigitalSecArch

Assume that there are no boundaries and everything is on the open #internet. Secure from there.
@CPetersen_CS

Next, the #CIOTechTalk chat focused on which governance and compliance issues organizations need to take into account before migrating to public cloud, another of the top security issues cited in the Foundry survey.

Prior to #cloud migrations, orgs to consider governance & compliance issues such as #dataprivacy, regulations, industry standards, & internal policies. Assess end to end risk/#security, PIA, clearly define data ownership via #datagovernance.
@CraigMilroy

Your team has same obligations in the #cloud as you have anywhere else in your business. For the love of all things, please stop trying to give your cloud provider’s SOC2 report to auditors. It doesn’t address your application practices or 3rd party or incidents.
@DigitalSecArch

But on the other hand:

@Ostendio notes the ability to manipulate SOC 2 scope has led to significant abuse, [making it] difficult to compare audits. Allows orgs to avoid auditing areas that are their weakest link.
@benrothke

@benrothke makes a very good point. As a Deming fan, you can’t audit in security. It’s either there at design/build time, or it’s not. All the audits in the world can’t stop breaches that are out of scope or happen at the wrong time in the yearly cycle.
@CPetersen_CS

The final chat question was on how working with a partner can enhance visibility and strengthen security posture. In general, Twitter panelists supported the idea, with some caveats.

Most people don’t do their own plumbing or electrical work. They use a trusted partner. So too with the #cloud. Find that trusted partner. But you must know what you need them to do if you want them to do it right. And vet them very, very well.
@benrothke

Trying to be an expert at everything = knowledge of next to nothing. Find partners you trust.
@nyike

Finally, Peterson had another interesting take on partnering, followed by the last word from Sacolick, the chat moderator:

It’s definitely a way to speed up an org’s “time to competence” in specific areas, but it must come with knowledge transfer commitments and either an acknowledgement that the arrangement is permanent or a time line for the customer to assume responsibility.
@CPetersen_CS

Good partners execute. Great partners advise their clients. The best partners educate their client’s staff so that they make smarter decisions.
@nyike

You can check out the full February 2, 2023, discussion at #CIOTechTalk. And to learn more about effective cloud migration strategies, visit the NTT Communications website.
