Six key security and optimisation strategies for migrating to the cloud

Modernising your information technology (IT) infrastructure to keep pace with change is no small feat. Like chess, with its many possible moves and strategies, organisations can feel overwhelmed by the many options available.

If you’re betting the business on the cloud, for example, you need careful planning to secure and optimise your new infrastructure, mitigate risk and maximise performance.

It takes a lot of time and effort just to understand all the options for a cloud migration. Here we save you some of that effort with a snapshot of the latest strategies and emerging trends.

1. Be in no doubt: the cloud really is the future

As we reported in our previous article, “5 Lessons Learned from a Successful Cloud Migration Journey”, Australia has long been an early adopter of new technologies. The cloud is no different, according to Simon Piff, VP of Trust, Security and Blockchain Research at IDC Asia/Pacific.

“The Australian public cloud market … stood at US$4.0 billion in 2019, and is forecast to grow to US$8.1 billion by 2024 – a 15% compound annual growth rate,” he said.

For many organisations, the pandemic has added a sense of urgency to their cloud migration. As Somerville CEO Craig Somerville said: “Organisations have been forced to allow many staff to work from home and have needed to equip them with the resources needed to do so. The cloud can play an important role at this time, and so pressure to increase adoption has never been higher.”

Research firm Gartner adds that hybrid cloud adoption – the mix of on-premise infrastructure, private and public cloud services – is also on the rise. The firm estimates IT spending totalling US$1.3 trillion will soon be affected by the shift to the hybrid cloud.

IT leaders everywhere are on a cloud migration journey to replace legacy systems and modernise IT environments. To help you begin your journey, we asked leading analysts about essential trends to consider.

2. Put security at the heart of software development

Perhaps foremost among digital trends is DevSecOps (short for development, security and operations). It involves automating the integration of security throughout the software development lifecycle from design to integration, testing and deployment.

However, IDC’s Piff questions the DevSecOps hype. “The term itself implies security is added following development,” he observed. “It’s a ‘bolt-on’ approach.”

“If the world had instead adopted a SecDevOps approach (in which security coding comes first), I’d argue that security is considered at the right point in time. But currently (with DevSecOps) it’s not,” Piff cautioned.

Cybersecurity expert Andrew Milroy of Veqtor8 agrees, also calling for a SecDevOps approach where security is “baked into software development upfront” – right in the software code. He calls this “shifting left” to address security earlier in the development process.

“Previously, you’d develop a bit of software and, using the simple waterfall method, worry about security later. Using SecDevOps, we’re mindful of security as we’re building the software.”

3. Forget the ‘castle and moat’ approach to network protection

SecDevOps is critical because the traditional approach to cybersecurity is dead.

“Traditionally, we assumed most people work in an office, and so we secured the office network from attack and intrusion,” Milroy explained. “But distributed workplaces, work-from-home and remote work across many devices – such as non-company smartphones and PCs as well as clouds – messes up the ‘castle and moat’ approach. The attack surface has gotten much bigger.” And more porous.

Aaron Bugal, Global Solutions Engineer at UK-based security firm Sophos, agrees. “The shift to remote work brings an erosion of traditional IT configurations,” he explained.

“Changes to facilitate out-of-office work now need refinement to make remote work a permanent system. For example, as users move to the cloud, an identity management system is needed to ensure provisioning of multiple disparate systems and services, such as CRM, ERP and other systems.”

Bugal’s observations support Milroy’s belief that with legacy systems still intact across many organisations even as they migrate more people to the cloud, today’s expanding security perimeter cannot be defended as before. As Milroy puts it, “Many security policies, processes and technologies are no longer fit for purpose.”

4. Go cloud-native sooner rather than later

Like many industry experts, Milroy agrees that moving applications to the cloud without a redesign – also known as the ‘lift and shift’ approach – seriously jeopardises the effectiveness of a migration.

“Many organisations have core activities on-premise and haven’t reconfigured processes to use a cloud service. They’ve just shifted what they already had onto AWS, for example. But this is complex and difficult to manage,” he said.

Going cloud-native, Milroy explains, means having apps specifically designed for the cloud. This can lead to many benefits, such as scalability. “You can increase workloads and decrease them to manage peaks and troughs, and provision services as they’re needed. It provides adaptability and flexibility you won’t get if you’ve just bunged your existing legacy programs and apps into the cloud.”

5. Simplify wide-area networking and security with SASE

Looming larger on the IT horizon is Secure Access Service Edge (SASE). This approach simplifies wide-area networking and security by delivering both as a cloud service directly to the source of connection, rather than to the enterprise data centre.

“This will have an effect as we see more digitisation and more people using a wider range of digital devices from multiple locations. You need policies, processes and technology that allow you to manage that,” Milroy warned.

6. Bake security and optimisation into cloud migrations

Just as software development is often placed ahead of security, Sophos’s Bugal warns, IT managers often focus on cybersecurity only when a cloud-enablement project has finished.

“Migrating users from on-premise to, say, Azure or Office is great, but that must also include security and optimisation provisions such as MFA (multi-factor authorisation), MDM (mobile device management), and MAM (mobile application management),” Bugal said.

“Security must be a primary consideration at the start – not near or at the end – of cloud projects.”

Somerville agreed, adding: “A cloud migration journey requires a security-first cloud strategy that involves baking security into every aspect of IT, protecting endpoints, access points and networks, and focusing on continuous monitoring and management of cloud security risks and threats. It requires complete visibility across the entire IT environment in order to secure data, users and apps in the cloud.”

As in chess, deciding which pieces to move when modernising security infrastructure isn’t easy. However, those who move decisively, with the right cloud strategies, stand to gain a winning advantage.
