Skip to content

Articles

5 Things I wish I’d known about security before migrating to cloud

Migration to the cloud is a very large concept and represents a significant undertaking for any organisation. The fact that, as a technology, it has been discussed at length for a few years doesn’t mean it’s a given that everyone must do it or that there is only one way to do it. Here are some of the most vital tips that we have learned from our industry partners over the years.

Do the research

Organisations do not need to migrate to the cloud just because everyone else seems to be doing so. Everyone should have clearly defined reasons backed up by strong research and a SWOT analysis. This research should allow everyone involved to clearly understand and communicate the benefits of such a move. These benefits might include agility, scalability, cost savings and innovation.

Anticipate (and seek) the cloud’s added benefits

Most people undervalue – or remain unaware of how public cloud fosters innovation. It’s more than just a place for data. It provides access to a wide array of tools and templates in areas such as big data, machine learning, IoT, and more, that can help differentiate and accelerate business. 

Go long

Public cloud should be viewed with the end in mind. Rather than approaching it iteratively – migrating a few workloads to “see how it goes” it is better to create a long-term plan that demonstrates the viability of migrating an ERP system, a customer service call system, a CRM system, or an on-premises data centre there. Long-term thinking stands a greater chance of extracting value, ensuring consistency, and avoiding missteps.

Modernise

Rather than simply “lifting and shifting” existing processes to the cloud, a migration allows for a redesign. It gives organisations a chance to reassess their existing application life cycle, re-architecting them to take advantage of new cloud-native tools and services. Some organisations choose the approach of allowing legacy applications to continue working on-premises, but as those applications are decommissioned, their replacements will run in cloud using the latest cloud native tools and services. This requires careful planning, but it is important to recognise that a new cloud environment is not just a like-for-like replacement of on-prem, but an advancement.

Focus

Although there are many public clouds out there to choose from, there is little benefit in diversifying and spreading a presence across multiple public clouds or moving workloads from one cloud to another based on spot pricing. This approach is risky and complex. It is far wiser to identify which cloud works best for current and future workloads, and then hire people with the appropriate skills, prepare the migration carefully, and learn about all the efficiencies and cloud consumption discounts that can be applied.

Focusing on a single security vendor also reduces complexity, ensures integration, and provides savings through ELA consumption models. Often, a common management console can be used to control, monitor, and orchestrate diverse environments much more easily.

Secure the hybrid environment

Adopt and maintain a thorough Zero Trust methodology right across on-premises, private cloud, public cloud, and endpoint environments, which includes key techniques such as: “never trust, always verify,” “least privilege,” and micro-segmentation, in all environments.

Securing also includes protecting the physical and virtual network, protecting individual workloads, hardening the web-facing aspects of the environment, proving compliance to auditors, being able to track and deflect bad actors within your environment, and being able to do all of this remotely.

Do not treat security as an afterthought

Security must be built into the process from the very first plans and discussions and scaled in proportion to cloud environment growth. It must be seen as integral to the entire process. 

Include cloud network firewalls, protecting and hardening of workloads – including web-facing applications and those based on containers and serverless technology. Ensure best practice cloud configuration and compliance. Use threat hunting to monitor cloud environments and keep track of bad actors and suspicious behaviour.

Maintain asset visibility

Ensure complete visibility of assets in the cloud and how they’re configured. Make sure that questions around how cloud assets are configured, who put them there, and what permissions they have, can be clearly answered. 

Establish cloud security posture management

The bulk of cloud data breaches can be tied back to cloud misconfiguration and configuration drift issues. Implementing posture management can protect against this. 

Embrace automation

Relying on traditional manual configuration processes in the cloud is a major mistake. The cloud moves and changes too quickly for important security activities to rely on any kind of manual processes. Automation is essential. Define initial engagement parameters and solutions then use machine learning and AI to learn, manage and fine-tune the way to secure the cloud environment. 

Evaluate and control further development

Place solid guard rails around the work that developers are doing in cloud. Developers focus on pushing out new features and functions but might not immediately factor in security. Cloud security posture management policies will assist as developers deal with cloud storage, data bases and more. Additionally, deploy tools that scan GitHub or GitLab code repositories to detect malicious code, misconfiguration or hard-coded credentials before the code goes into production. 

Choose an experienced partner

Work with a cloud security partner who’s done migration many times before – a company that can provide cloud certifications and customer references. Experienced partners should also be trusted advisers who are willing to put forward an opinion or advice.

It is best to select a partner that is a specialist in a particular cloud, such as Azure or AWS, and who therefore knows the platform intimately. Cloud platforms change too quickly for any organisation to be experts in more than one.

An experienced, customer-focused partner should seek to simplify a cloud environment rather than add complexity, offering integrated solutions that work across the various aspects of a cloud environment with common management consoles. They should embrace automation as the best way to keep a cloud environment continuously secure and should provide their customers with regular cloud security insights and improvements relating to the configuration, efficiency, and compliance of the cloud environments. These should be referenceable against accepted best practices such as the AWS or Azure Well Architected Frameworks.

Conclusion

Probably the most important point to take away from this list is that a migration to the cloud is not an “apples for apples” move. It has more in common with trading in a 15-year-old car for a brand-new model. There are technologies and features that the old setup did not and could not have, and these in turn will help an organisation run itself in far more efficient and profitable ways. But before doing so, consider that the second most important takeaway in this collection is to partner with an experienced and reliable vendor that can provide advice along with skill and experience, to ensure the migration truly is a move up to better things. 

————————

Author: Nigel Spence

Cloud Security Partner & Alliance Manager – ANZ

Check Point Software Technologies

Check Point is an industry leader within the enterprise to SME security space from on-premises to multi-cloud environments. The CloudGuard portfolio addresses all of the use cases identified here – from cloud network security, cloud workload protection to cloud posture management. With deep technical and management integration into the AWS and Azure cloud platforms embracing the Zero Trust methodology. Check Point is also Microsoft Azure’s largest co-sell partner leveraging experience from countless cloud deployments around the globe. Furthermore, the recent acquisition by Check Point of SpectralOps has significantly boosted CloudGuard capabilities relating to code-scanning and CI/CD pipeline integration under the whole DevSecOps ‘Shift Left’ security mantra.

Learn more

Download our white paper “Proactivity and Planning: the key to cloud and IT modernisation” to learn more.

 

For more information about how Somerville can play a significantly beneficial role in your organisation’s cloud migration, please contact us.

Migration to the cloud is not an “apples for apples” move. There are technologies and features that the old setup did not and could not have, and these in turn will help an organisation run itself in far more efficient and profitable ways.

Share