20.08.2019 | Bruno Blumenthal
How to Migrate Securely to the Cloud
Security and the cloud have an extremely ambivalent relationship. Many security specialists are still skeptical about the cloud and see it primarily as a risk. However, the cloud can also be an opportunity and even be beneficial to security. The risks change with the migration of a business application to the cloud. Whether this change is negative depends on various factors and cannot be answered in general terms.
In this article, I would like to look at three areas that have a major impact on the successful and secure migration of a business application to the cloud:
- Information Governance
- risk management
- Identity and access management
Information Governance
Information governance deals with the management of information within the company. The aim is to enable the efficient use, appropriate protection and correct storage of information, while at the same time complying with internal and external requirements.
If you want to migrate a business application to the cloud, you first need to understand what information is being migrated to the cloud with the application. What information is processed in this application and what information is required for the application to function? This sounds logical at first. The challenge usually arises when determining the exact requirements that apply to the information in question. In practice, it is often not so easy to answer questions about the criticality of the information and the legal requirements to which it is subject.
At least since the discussions surrounding the EU GDPR, most companies and cloud providers have become more aware of data protection. However, this is only one legal aspect that can be relevant for a cloud migration. For example, it must be clarified whether the information belongs to the company at all or whether it was only entrusted to it by the customer, such as design plans in the case of contract manufacturing or software source code in the case of individual software development. If the information does not belong to the company, it must be clarified whether there are any conditions imposed by the owner that prohibit or restrict relocation to the cloud Perhaps the outsourcing of information requires the explicit consent of the owner or the owner restricts the geographical storage location.
In order to understand and manage the requirements for the information, it should be divided into classes as part of information governance. The relevant aspects are recorded for each information class. For example, when migrating an application, only the affected information classes need to be identified. The information class then provides the relevant framework conditions for the migration to the cloud.
Risk management
In order to be able to assess the risks associated with a migration to the cloud, the threat situation in the cloud relevant to the company must first be understood. The threat situation is highly dependent on the business area in which the company operates. In which countries is it represented, in which sector does it operate and who are its customers and competitors? An internationally active financial institution has a different threat situation to a local sanitary company or a high-tech start-up in medical technology. What can be easily migrated to the cloud for some is an unacceptable risk for others or requires completely different compensatory measures.
You have to ask yourself whether you have to fear a state attacker, whether business information is lucrative for financially motivated organized crime or whether you could be the target of industrial espionage where a competitor wants to steal intellectual property.
In addition to the risk perspective, the opportunity perspective should not be neglected. The question arises as to whether the company can really operate the business application itself better and more securely than a cloud provider. This view of risk is often neglected in the cloud. Only the risks associated with the use of a cloud solution are considered and the risks arising from internal operation are not taken into account. For SMEs in particular, it is almost no longer possible to operate many applications securely. Secure configuration, system monitoring and patch management often require very specific know-how and robust operating processes that a small IT organization is often unable to provide.
A comprehensive risk assessment is essential when migrating to the cloud. This must be tailored to the company and the application concerned and also include the risks of non-migration.
Identity and access management
The final area that is often underestimated, but is of the utmost importance for success in the cloud, is Identity and Access Management (IAM). Every form of cloud solution involves users and authorizations that need to be maintained. Existing on-premise solutions cannot always be easily extended into the cloud Cloud solutions, for example, cannot simply be integrated into the Active Directory without exposing the Active Directory to the internet. This requires a technical architecture and the associated processes to be able to securely manage users and authorizations in the cloud.
If a comprehensive IAM already exists in the company, then this is usually not a big deal. The cloud solution is ultimately just another target system that needs to be provisioned. However, if an IA architecture is missing or is very much tailored to internal systems, such as Active Directory integration, then integrating a cloud solution can be a major challenge. As part of the cloud strategy, it is advisable to look at the status of the IAM and check whether you have the necessary processes and technical resources in this area to be able to manage users and authorizations in the cloud solution. Manual maintenance of users and authorizations in the cloud solution is strongly discouraged.
However, authentication in the cloud also brings new challenges. For example, when an internal business application is migrated to the cloud, it is usually suddenly accessible from the internet. Simple authentication with a username and password, which may still be appropriate on-premise, is then no longer sufficient. Strong authentication becomes necessary. It makes sense to use a central authentication solution and a federation so that it can be used for different cloud solutions and does not have to be integrated anew each time.
Conclusion
These three topics are not actually specific to the cloud; ideally, a company should already have established processes and solutions in place. If this is the case, they systematically help to master the challenges of migrating to the cloud. However, the maturity level is often not high enough in all areas for these issues to be considered an automatic part of a cloud migration. Therefore, every cloud project should deal intensively with these three topics and ask itself the following questions:
- Do I really know the information that is to be moved to the cloud?
- Do I know which threats are relevant for me in the cloud?
- Can I securely manage my users and their access in the cloud?
Note: This article was also published in the Digicomp Blog published.
Cloud Security Compliance Risk Management