HIT Think

8 steps that improve security in a cloud migration

Large organizations will accelerate cloud adoption this year, Forrester Research predicts. Spending on the global public cloud market is expected to hit $146 billion this year, up from $87 billion in 2015.

If you’re among those organizations, there are several risks and opportunities to consider. The stakes can be high, because cloud providers vary widely in the quality they offer, especially in terms of security.

Organizations that are looking to cloud providers should plan to conduct in-depth conversations with prospective vendors and internal teams about security risks, responses and policies. What should those conversations look like? Here’s a peek:

What selling points does the vendor highlight?
Plenty of organizations simply choose the least expensive cloud provider they can find. What they might not realize is that cloud providers compete on a number of factors, and price is just one. Low-cost service providers have a number of ways to reduce overhead—lighter security is one of them. If cost is a vendor’s differentiator, be wary.

Will the migration be a sprint or a marathon?
Too often, there are aggressive timetables set for cloud migration that leave out any chance of an evaluation and troubleshooting period. There’s no need to push forward just because that’s what the calendar dictates. Start with applications that aren’t mission critical. Test and evaluate their performance before proceeding.

What does that in-between phase look like?
Even if your organization has decided to move slowly, it will operate in a mixed environment for some period of time, with new security policies. Apps in the cloud may have different policies and permissions than those in an organization’s data center. Router and firewall settings might not align. Create a blanket policy to cover this in-between phase, or find a way to automate security configurations during the migration period.

Does an organization’s team have what it takes?
There are still a lot of executives who think IT is a minor support role; they roll their eyes when the IT team starts explaining a problem. But a big IT move like a cloud migration is going to need high-level support from the beginning. Build a team across different roles that has institutional juice to make decisions and move the project forward. Keep this team in place after the migration to form a rapid reaction team that can respond to attacks.

Who else lives in your cloud neighborhood?
Hackers can disrupt multiple enterprises by hitting a single cloud services provider. Even if they’re targeting a single company with which you happen to share a server, your service will degrade. It’s important to know who your organization shares cloud space with and whether they are more likely to be targeted for political or financial reasons or because the cloud provider takes a lax approach to security.

Will security issues threaten your privacy or data integrity?
When an attack occurs, you have to separate the normal traffic from the bad. If your traffic is encrypted, this means that some of that traffic must be at least partially decrypted offsite by your provider’s tools. While that can sort out the malicious traffic, it can also expose sensitive information. Ask your provider to use techniques that limit the amount of decryption and to use behavioral threat algorithms that identify threats using as little decrypted content as possible. This will not only speed up the process, but it also will help ensure the security and privacy of data. Also remember that not all protection services include SSL, so if this is important to your organization, make sure to ask the right questions and don’t make assumptions.

Do you know your response options?
Just because you’ve placed your data in the cloud doesn’t mean you have to place all your faith in your vendor’s security. There are a number of tools on the market that enable organizations to perform their own attack detection and mitigation, even when all transactions are cloud-based. By leveraging DNS changes or BGP redirects with these cloud security providers (if your provider will allow it), you can still have independent, third-party cloud-based protections for your cloud hosting environment.

How cloudy do I need to be?
Remember that cloud doesn’t always mean your data is in an intangible place. Many datacenter providers will build bespoke Virtual Private Clouds (VPCs) in their datacenters for you. They specialize in this type of work and have learned the best ways to overcome many of the migration difficulties other organizations have experienced. What’s more, many of these providers can build custom security protections specifically for your organization, even on independent hardware if you need it. A company like this can offer unique advantages in supporting your organization. Many providers will allow you to tour their facilities, which might help you decide if they’re the right fit.

Using cloud services isn’t for everyone, but it’s the right choice for many organizations. Planning the transition is the best way to ensure a successful migration.
