Security risks of cloud migration
As organizations move more and more mission-critical systems to the cloud, there are growing concerns about the security risks of cloud migration. Cloud security is now well understood, and there are well-established tools and methodologies for protecting cloud workloads. However, these security methods can break down in the crossover from on-premise to cloud environments, leading to catastrophic breaches or data exposure.
Learn Cloud Security
What Is cloud migration?
Cloud migration involves moving applications, data, and other digital assets from an on-premises data center to the cloud. These might be custom-built applications or applications the organizations licensed from a third-party vendor. There are several approaches to cloud migration, including:
- Moving applications as is — this is known as “lift and shift.”
- Making small changes to applications to enable their move to the cloud
- Rebuilding or refactoring applications to make them more suitable for a cloud environment
- Switching from legacy applications to new applications that support the cloud or are provided by cloud vendors.
- Building new applications for the cloud is known as “cloud-native development.”
What are the key benefits of cloud migration?
The overall goal of most cloud migrations is to gain the benefits of the cloud — hosting applications and data in a highly efficient IT environment that can improve parameters like cost, performance and security.
Key motivations for migrating to the cloud include elastic scalability, a desire to optimize costs or switch from a capital expenditure to an operating expenses model and a need for new technologies, services, or features only available in a cloud environment.
Perhaps more importantly, cloud computing frees corporate IT teams from the burden of managing uptime and improves the organization’s ability to deploy new services and grow to support changing business requirements.
Key considerations for cloud migration projects
A primary concern in migration projects is which applications to migrate. Consider moving an application to the cloud if it fits one or more of the following criteria:
- The application does not require low latency when communicating with on-premise resources.
- There are no specific security or compliance requirements for keeping the application on-premises.
- The application is subject to fluctuating loads over time, which can make the elasticity of the cloud more attractive.
- Prioritize applications that are not business-critical to ensure your first migrations are successful. When you gain more experience, migrate your business-critical apps.
Consider which deployment and pricing model is most suitable for your workloads:
- Deploying applications in the public cloud provides unlimited scalability and a pay-as-you-go model.
- Building a private cloud has a high upfront expense but provides more scalability, enhanced security and reduced operating costs.
Finally, when deploying to the public cloud, choose your provider:
- The top three cloud providers — AWS, Microsoft and Google — offer equivalent services for most use cases.
- Niche cloud providers exist who can support use cases and may offer competitive pricing or other differentiators.
- Many companies adopt a multi-cloud approach, deploying different workloads to different cloud providers depending on the cost and suitability of their technical solution.
Security risks of cloud migration
Cloud migration requires careful planning because it is vulnerable to several attacks. During migration, sensitive data is transferred, making it vulnerable to attack. In addition, at various stages of a migration project, attackers can gain access to unsecured dev, test or production environments.
Plan cloud migration efforts in anticipation of the following threats:
- API vulnerabilities: application programming interfaces (APIs) act as communication channels between environments. APIs must be secured at all stages of the cloud migration process.
- Blind spots: moving to the cloud means giving up control of some aspects of your operation. Before migrating, check what security your cloud provider offers and how to complement it with third-party security solutions.
- Compliance requirements: ensure that your target cloud environment supports the required compliance standards. This includes compliance certifications by the cloud provider and procedures carried out by the organization to ensure cloud workloads, data and access are secure. All these can and will be audited as part of compliance requirements.
- Uncontrolled growth: cloud migration is not a one-time process. After migrating applications to the cloud, the organization will likely add more resources, consume new cloud services and add more applications. It is very common to start using additional SaaS applications once they are already running in the cloud. These new services and applications must be properly secured, creating a major operational challenge.
- Data loss: cloud migration involves data transfer. It is essential to ensure that data is backed up in case of errors in the migration process. All data transfer occurs over encrypted channels, with careful management of encryption keys.
Learn Cloud Security
5 ways to mitigate cloud migration security risks
Here are a few best practices that can help improve security during and after cloud migrations:
- Establish a set of security standards and criteria: work with compliance, IT and development teams to develop basic security standards. At a minimum, these standards should cover access control, IaC templates, cloud workload vulnerability management and secure DevOps procedures.
- Assign dedicated staff to identity and access management (IAM): identity management is critical and highly dynamic in the cloud. Assign dedicated staff to ensure IAM is managed properly and maintained over time.
- Enforce multi-factor authentication: at all stages of cloud migration, it’s necessary to require multi-factor authentication, including within development environments. This reduces the risk of unauthorized access to administrator accounts and critical assets.
- Enable cloud-wide logging: all major cloud service providers provide centralized logging services (for example, Amazon CloudTrail). Leverage this feature throughout your migration and send logs to a central collector for analysis. Use these logs to create a baseline of system behavior during the migration to detect and investigate security incidents more easily.
- Use cloud security posture management (CSPM): CSPM solutions monitor cloud systems for misconfigurations and, in some cases, can immediately remediate them. This can be very important for tracking many cloud assets during different stages of migration and ensuring that critical data and assets have the appropriate security settings.
Learn Cloud Security
Build your cloud security skills and get hands-on experience in Infosec Skills. What you'll learn:- Cloud architecture
- Cloud management
- Cloud pentesting
- CSP security features
- And more
In this Series
- Security risks of cloud migration
- The rise of cloud computing: Trends and predictions
- Understanding the basics of cloud infrastructure: What you need to know
- How cloud security, data privacy, and cybersecurity convergence drives successful careers
- Secure cloud computing: What you need to know
- Working across multiple cloud service providers: CSP security learning path
- Securing cloud-based applications training: What you need to know
- DevSecOps in the Azure Cloud
- Amazon Athena Security: 6 essential tips
- Securing cloud endpoints: What you should know
- AWS security and compliance overview
- CloudGoat walkthrough series: IAM privilege escalation by attachment
- CloudGoat walkthrough series: EC2 server-side request forgery (SSRF)
- CloudGoat walkthrough series: Remote code execution
- CloudGoat walkthrough series: Lambda Privilege Escalation
- Information security strategy for the hybrid and multi-cloud
- CloudGoat walkthrough series: Cloud Breach S3
- CloudGoat walkthrough series: IAM privilege escalation by rollback
- Working with CloudGoat: The “vulnerable by design” AWS environment
- Malicious Amazon Machine Images (AMIs)
- Key findings from Ponemon’s State of Vulnerability Management in the Cloud and On-Premises report
- Cloud Pentesting Certification Boot Camp: The ultimate guide
- Cloud Based IDS and IPS Solutions [Updated 2019]
- AWS Security Monitoring Checklist [Updated 2019]
- Amazon Inspector: A cloud-based vulnerability assessment tool
- System administrator vs. cloud administrator
- 5 key cloud security use cases
- Deep Packet Inspection in the Cloud
- Honeypots in the Cloud
- Biometrics in the Cloud
- Open-Source Intelligence Collection in Cloud Platforms
- How to Safeguard Against the Privacy Implications of Cloud Computing
- AWS Cloud Security for Beginners — Part 2
- AWS Cloud Security for Beginners — Part 1
- AWS Security Monitoring Checklist — Part 2
- Rise of the Rogue Cloud: The Fundamental Security Mistake Enterprises Make and How to Correct It
- Controlling the Risks of Cloud-Enabled End-Point Security Products
- The Ultimate Guide to CCSP Certification
- Five Reasons Why Security Professionals Need the Cloud
- Amazon S3 Buckets-Hardening
- Cloud Service Reconnaissance
- Cloud Computing Security: Be Secure Before Moving to Cloud
- Cloud Technology Bringing New Possibilities in Threat Management
- Attacking the Cloud
- Man in the Cloud Attacks: Prevention and Containment
- Cloud originated DDoS attacks
- Where Is Your Data Safer? In the Cloud Or On Premise?
- DDOS Protection for Public Cloud Customers
- Security Barriers in the Adaptation of Cloud Technology
- SIEM as a Service
- Cloud Security Incident Compensation
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Cloud security
Cloud security