A major component of digital transformation for many organizations is migration to the cloud. Even when only a part of your infrastructure or a portion of your apps is being moved, it can still be a hefty undertaking.
That means few companies can make the shift to the cloud all at once. Cloud migration is frequently broken up into smaller, logical parts. It’s a beneficial strategy that prevents migration projects from becoming overwhelming on multiple fronts — from resourcing to tasks to budget.
There is one area, though, that requires special consideration with any move to the cloud. That area is cybersecurity. Yet despite being flagged by IT leaders as a top consideration for digital transformation, cybersecurity is often treated as a separate initiative.
The keys to successful cloud migration are knowledge, planning, and adopting a comprehensive view that cuts across IT disciplines. It’s crucial that security and risk management be among those disciplines right from the start. Doing so requires first understanding the broad scope of potential risks and then taking measured, well-planned steps toward migration in lockstep with cybersecurity teams.
The goals of digital transformation are unique to each and every organization and incorporate everything from breaking down silos and improving workflows to modernizing applications for resilience and scalability. Technology ecosystems like MACH (Microservices based, API-first, Cloud-native and Headless) have the cloud intertwined with application modernization and improvements, and with good reason. The cloud offers cost savings, accessibility, and a myriad of other benefits.
The truth is, though, there are always risks with connected systems, whether those systems are housed locally, co-located, or in the cloud. A cloud migration doesn’t make the need for security disappear, it just alters the threat vectors.
Without proper planning and implementation, a migration can open new vulnerabilities even as it closes others. The two most dangerous security factors in a cloud migration, though, are not knowing what you are moving and carrying your existing security issues along with it.
It’s a common misconception that a move to the cloud will eliminate risk and place the responsibility for cybersecurity in the hands of the cloud provider. The provider does take on responsibility for the physical facilities, the hardware, the network, and the underlying platform, but security in the cloud is a shared responsibility. Recent IBM X-Force IRIS case studies found that cloud-based applications, which frequently remain the customer’s responsibility, accounted for 45% of cloud-related cybersecurity threats.
Managed “as a Service” offerings (Software as a Service, Database as a Service, etc.) shift more of the stack to the provider, but even there the customer still owns its data, its identities and access configuration, and the settings of the service itself. For everything else, an organization remains responsible for the security of its own applications in the cloud. A “lift and shift” of your existing apps therefore won’t eliminate vulnerabilities you already have in your software or platforms; it moves them, unchanged, into the new environment.
Therefore, ensuring security while conducting your cloud migration means taking a measured approach that integrates cybersecurity into the process, not bolting it on after the migration is complete.
Just as the drivers for digital transformation are unique to an organization, so are the steps to securing the apps, infrastructure, and services that are part of that transformation. However, there are some steps that are largely universal across enterprises.
Many organizations start down the path to cloud migration, thinking that they have everything they need to get there smoothly. But, once they are in the thick of it, they begin to recognize that — thanks to mounting technical debt, rushed deadlines, and tribal knowledge — they simply don’t know everything. In fact, they don’t even know what they don’t know.
It can be tempting to rush into a migration with the intention that your teams will do the documentation needed to catalog and track applications, access, ports, and so on, at a later date. Unfortunately, doing that after the fact may just be moving an existing security vulnerability — or even a backdoor — from your infrastructure to the cloud.
Before you even begin contemplating how to migrate your applications, you need to understand what you have and the access associated with it. If you don’t have an inventory, or it’s out of date, it’s important to update it as an early part of your transformation.
This is also the moment to address access management. Best practice is that users, applications, and services receive the lowest level of access needed to do their job. In practice, far broader access is often granted as a shortcut. In the interest of security, an audit of user, service-account, and application access should be completed or updated as part of the inventory.
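The inventory and access audit described above, as an added example that is not part of the original article: a small Python script that scans IAM-style JSON policy documents for the shortcuts least privilege forbids (wildcard actions, service-wide wildcards, wildcard resources, and sensitive identity or data actions that deserve a second look). The policy format follows AWS IAM’s JSON structure, which is an assumption since the article names no provider; the principal names, policies, and the list of sensitive action prefixes are constructed for illustration.

```python
"""Audit IAM-style JSON policies for least-privilege violations.

Added example, not from the original article. The policy format follows
AWS IAM's JSON document structure (Version/Statement/Effect/Action/Resource)
as an assumption; the sample inventory below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Action prefixes that grant control over identities, keys, or data writes and
# deserve review even when scoped to specific resources. Constructed list,
# not an exhaustive or authoritative catalogue.
SENSITIVE_PREFIXES = ("iam:", "sts:AssumeRole", "s3:Put", "s3:Delete", "kms:")


@dataclass
class Finding:
    principal: str        # user, role, or service account the policy is attached to
    statement_index: int  # which Statement in the policy triggered the finding
    severity: str         # critical / high / medium / low
    detail: str


def _as_list(value) -> List[str]:
    """IAM allows Action/Resource to be a string or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(principal: str, policy: dict) -> List[Finding]:
    """Return one Finding per least-privilege problem found in a policy document."""
    findings: List[Finding] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; not a least-privilege concern
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            severity = "critical" if "*" in resources else "high"
            findings.append(Finding(principal, idx, severity,
                                    "Action '*' grants every API call"))
            continue  # nothing more specific to say about this statement
        for action in actions:
            if action.endswith(":*"):
                findings.append(Finding(principal, idx, "high",
                                        f"service-wide wildcard {action}"))
            elif action.startswith(SENSITIVE_PREFIXES):
                findings.append(Finding(principal, idx, "low",
                                        f"sensitive action {action}; confirm it is needed"))
        if "*" in resources:
            findings.append(Finding(principal, idx, "medium",
                                    "Resource '*' applies the actions to every resource"))
    return findings


def audit_inventory(inventory: Dict[str, dict]) -> List[Finding]:
    """Audit a mapping of principal name -> policy document."""
    findings: List[Finding] = []
    for principal, policy in inventory.items():
        findings.extend(audit_policy(principal, policy))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings by severity, for a one-line report."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


# Constructed sample inventory: three principals as a migration team might
# export them from an existing environment.
SAMPLE_INVENTORY: Dict[str, dict] = {
    # Scoped correctly: one read action on one bucket prefix.
    "reporting-api-role": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::finance-reports/weekly/*"}],
    },
    # The classic shortcut: administrator on everything.
    "legacy-batch-user": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    # Service-wide wildcard, a sensitive identity action on every resource,
    # and a Deny that correctly is not reported.
    "sales-sync-svc": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:*"],
             "Resource": "arn:aws:s3:::sales-exports"},
            {"Effect": "Allow", "Action": ["iam:PassRole", "logs:PutLogEvents"],
             "Resource": "*"},
            {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
        ],
    },
}

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for f in sorted(results, key=lambda f: f.principal):
        print(f"[{f.severity:8}] {f.principal} statement {f.statement_index}: {f.detail}")
    print(summarize(results))
```

Run against a real export, the script turns “we should audit access” into a ranked list: the critical and high findings are the accounts to fix before they are migrated, while the low findings are the ones to confirm with the owning team.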
This is an ideal project for an outside, trusted partner. While your teams are progressing with other transformation tasks and planning, an experienced partner can handle inventorying and cataloging your ecosystem and documenting your access management.
If you’ve heard your application and infrastructure teams suggest that apps should be evaluated before they are refactored for the cloud, you now have one more reason to do so: cyber threats.
In this case, evaluating which apps and services should be re-engineered for the cloud is mostly about reducing your attack surface. Certainly, many of your applications will need to be refactored for security and performance in the cloud.
Some of your applications, though, may no longer be needed or can be consolidated with other applications. For example, you may have an API that is used by the accounting team to pull weekly reports, and a similar API developed for the sales team, both of which were built before your API strategy leveraged reuse. Now would be a good time to develop a single API that can be used by both business groups. Instead of monitoring and managing threats for two services, you now have only one.
You may also have applications that were developed at a time when nothing available had the appropriate functionality, but today there are off-the-shelf applications that do the same thing more securely and with less maintenance. Evaluating actual need and usage against those alternatives keeps you from migrating an app that no longer fits the bill and that may, in fact, introduce additional threats and vulnerabilities into your cloud environment.
One of the strengths of digital transformation is the removal of silos between departments and business units. The same can be said for the transformation projects themselves. These are not just development projects, or infrastructure, or database, or security. Digital transformation should cut across all of the technical functional areas to be robust.
Ideally, you’ll create a Center of Excellence (CoE) to lead the transformation. The CoE will support cross-team and cross-skill viewpoints on the modernization and migration of your systems. The idea is to include relevant voices — including cybersecurity — right from the start. This bakes security into the transformation instead of adding it on later, potentially after a breach has occurred.
This can be a lot for an organization to tackle, especially one already in the midst of planning a digital transformation initiative. It is a good point at which to bring in a trusted partner with cross-functional teams and extensive experience facilitating the creation of a CoE, implementing a DevSecOps process, and understanding both cybersecurity and the cloud. This is especially critical for companies in regulated industries — government, healthcare, defense, and so on — that cannot afford the risk of creating or introducing vulnerabilities in their cloud environments.
With digital transformation on the tip of every enterprise’s tongue, it can be hard to talk about slowing down. However, the groundwork these steps lay for your transformation initiatives, and especially for your cloud migrations, pays off: it speeds up the process in the long run and helps you avoid unnecessary cybersecurity risk during the transition.
DMI has helped enterprises get to the cloud safer and faster. With a highly experienced team familiar with application development, cloud infrastructure and migration processes, and cybersecurity, DMI can help even the most heavily regulated organization achieve the speed and scalability benefits of transformation securely.