As organizations plan to move workloads and applications into the cloud, they encounter a fundamental problem. The security controls and practices they've built for their on-premises environments aren't quite what they'll need in the cloud, where everything is software-based and deeply integrated.
The cloud presents new opportunities for all enterprises -- but it also comes with new risks, and considerations and strategies to mitigate these risks. Let's explore how businesses should approach the security aspects of a cloud migration, from fundamentals of access control and governance to API integrations and continuous monitoring.
How does cloud security differ from on-premises security?
There are three significant differences between cloud and on-premises security:
Shared responsibilities. The concept of the shared responsibility model for data protection and cybersecurity has been part of most outsourcing arrangements for many years, but the nature of shared security responsibilities changed with the advent of cloud. All major cloud providers support shared responsibility in the cloud, but not all of these models are created equal.
Your IaaS cloud provider agreement should clearly delineate these responsibilities. AWS, for example, breaks down its responsibility model into two primary categories:
- Security in the cloud is the customer's responsibility. This includes data protection, identity and access management (IAM), OS configuration, network security and encryption.
- Security of the cloud is AWS' responsibility. This means the underlying pieces of the infrastructure, including the compute elements, hypervisors, storage infrastructure, databases and networking.
All cloud providers are wholly responsible for physical security of their data center environments. Additionally, they are responsible for data center disaster recovery planning, business continuity, and legal and personnel requirements that pertain to security of their operating environments.
Cloud customers still need to plan for their own disaster recovery and continuity processes, particularly in IaaS clouds where they build infrastructure. Customers that want to manage data backups in SaaS and PaaS environments should incorporate these into existing data protection and recovery strategies.
Software. Another major difference between on-premises and cloud security is that everything in the cloud is software-based. This brings unique requirements for controls and processes, and potentially new tools and services to fulfill security objectives. Again, the cloud provider is responsible for managing and securing the hardware that underpins its services.
Governance. Be prepared to restructure governance workflows and alignments. In cloud, they need to be much more agile and continuous, with representation from diverse groups of stakeholders and technical disciplines. You will need to involve a wider variety of stakeholders to make decisions much more quickly than is typical for on-premises governance practices.
Cloud migration security considerations
There are numerous important cloud security considerations, but these should be your top priorities:
Regulatory and compliance requirements. Any cloud environment you migrate to must meet necessary regulations and compliance requirements. All major cloud service providers offer a range of compliance and audit attestations related to the capabilities and controls they maintain, per the aforementioned shared responsibility model. However, organizations must ensure they meet privacy requirements on their end of the shared responsibility. For example, they may need specialized cloud security controls and services to meet stringent industry requirements, such as those for finance, healthcare and government agencies.
Cloud control plane visibility. The cloud control plane provides a set of controls and settings. It enables various types of functionality, such as logging enablement and administrative access. Large, complex environments, such as AWS or Microsoft Azure, can have an overwhelming amount of settings to enable and monitor. Organizations should leverage industry best practices, such as applying the Center for Internet Security benchmarks to initially configure and secure cloud accounts and subscriptions, and monitoring carefully thereafter for changes and risky configuration settings.
Privileged access controls. A cloud migration introduces new types of privileged users, such as cloud architects, site reliability engineers and DevOps engineers. Plan to implement strong privilege oversight when moving to most cloud provider environments.
Automation and APIs. Organizations must design security controls with some degree of automation to adapt and scale throughout a cloud migration, including the pace of ongoing cloud operations. This is most often accomplished via extensive use of cloud provider APIs, as well as specialized tools and services that can help streamline and integrate security automation for desired use cases.
Cloud migration security challenges
Alongside the plethora of cloud security considerations during migrations, security teams should prepare to encounter and mitigate an array of challenges along the way:
Lack of skills and knowledge. Many DevOps and cloud engineering teams "take things into their own hands" due to a lack of cloud technology and security understanding.
Data exposure. Large cloud service environments contain a wide variety of data storage and processing services. It's easy to accidentally expose data through poorly configured access controls, encryption and other data protection measures.
Lack of visibility and monitoring. Cloud migrations introduce a much more dynamic pace of change and day-to-day operations. Security teams often scramble to understand what is going on in cloud environments, especially when dealing with a multi-cloud environment.
Poor IAM. It is a challenge to identify appropriate least-privilege roles and identity policies, particularly in large and multi-cloud scenarios that involve numerous types of use cases and different identity policy engines for each provider. Weak or improperly applied identity policies and permissions are a vulnerable target for attackers in the cloud.
Misconfigured control plane settings. In addition to IAM, the cloud control plane handles various configuration settings that, if improperly managed, could lead to exposure or increased threat surface. These could include administrative console access, weak authentication requirements, porous network access controls and exposed APIs.
How to mitigate cloud migration security risks
Organizations can take many steps to successfully prepare for and mitigate cloud migration security challenges.
The most important first step in a cloud migration plan is to establish proper cloud governance. For day-to-day cloud engineering, oversight and administration, including change management, design a governance model with the following team breakdown:
- Central DevOps and cloud engineering: This team manages the DevOps pipeline -- code, builds, validation and deployment. Ideally, they integrate security tools, such as static code assessment and dynamic web scanning, throughout that pipeline with automation. It is a multidisciplinary team that includes developers and infrastructure specialists who have adapted their skills to infrastructure as code (IaC) and more software-defined environments.
- Image management: Ideally, this team has separate duties to build and maintain a repository of container and workload images. Developers use these images within the pipelines intended for cloud deployment.
- IAM: Mature governance models include a separate IAM team that manages directory service integration, federation and single sign-on, as well as policy and role definitions within SaaS, PaaS and IaaS environments. If there is not a definitive team, then at least commit a few IT operations and/or DevOps engineers to focus on this.
- Information security: All teams should incorporate infosec to integrate scanning tools and standards for acceptable code, system/image vulnerabilities, pipeline monitoring and secrets management. They should also define and maintain standard definitions for network security parameters and tools.
To ensure cohesion across teams, form a cloud governance committee with representatives from all of these areas above, as well as dotted-line representation from legal, compliance, audit and technology leadership.
Once you have a central cloud governance structure is in place, here are some other top security priorities for any organization migrating to the cloud:
Establish a set of security standards and baselines. Develop baseline security standards in collaboration with the governance team. At a minimum, the list should include cloud control plane configuration, IaC templates, cloud workload vulnerability posture, and DevOps and cloud infrastructure privilege assignment.
Create a dedicated IAM function. Identities and role/privilege assignment are critical in the cloud, so dedicate an operational focus on this area.
Require multifactor authentication for all administrative access. Enable multifactor authentication for any privileged access to the cloud environment. This will help mitigate common brute-force attacks against administrative accounts.
Enable cloud-wide logging. All major cloud service providers offer logging services, such as AWS CloudTrail and Azure Monitor. Turn these on and send the logs to a centralized collector or service for analysis. Use logs to develop cloud behavior baselines and detect security events or incidents.
Invest in a cloud security posture management service. Organizations should continuously monitor the state of all things, from the cloud control plane to the current configuration of assets. As cloud deployments increase in number and complexity, a service that tracks all configuration settings in numerous clouds or cloud accounts becomes invaluable to help detect misconfigurations that could cause security issues.