As organizations plan to move workloads and applications into the cloud, they encounter a fundamental problem. The security controls and practices they’ve built for their on-premises environments aren’t quite what they’ll need in the cloud, where everything is software-based and deeply integrated.
The cloud presents new opportunities for all enterprises — but it also comes with new risks, and considerations and strategies to mitigate these risks. Let’s explore how businesses should approach the security aspects of a cloud migration, from fundamentals of access control and governance to API integrations and continuous monitoring.
How does cloud security differ from on-premises security?
There are three significant differences between cloud and on-premises security:
Shared responsibilities. The concept of a shared responsibility model for data protection and cybersecurity has been part of most outsourcing arrangements for many years, but the nature of shared security responsibilities changed with the advent of cloud computing. All major cloud providers support shared responsibility in the cloud, but not all of these models are created equal.
Your IaaS cloud provider agreement should clearly delineate these responsibilities. AWS, for example, breaks down its responsibility model into two primary categories:
- Security in the cloud is the customer’s responsibility. This includes data protection, identity and access management (IAM), OS configuration, network security and encryption.
- Security of the cloud is AWS’ responsibility. This covers the underlying pieces of the infrastructure, including the compute elements, hypervisors, storage infrastructure, databases and networking.
All cloud providers are wholly responsible for physical security of their data center environments. Additionally, they are responsible for data center disaster recovery planning, business continuity, and legal and personnel requirements that pertain to security of their operating environments.
Cloud customers still need to plan for their own disaster recovery and continuity processes, particularly in IaaS clouds where they build infrastructure. Customers that want to manage data backups in SaaS and PaaS environments should incorporate these into existing data protection and recovery strategies.
Software. Another major difference between on-premises and cloud security is that everything in the cloud is software-based. This brings unique requirements for controls and processes, and potentially new tools and services to fulfill security objectives. Again, the cloud provider is responsible for managing and securing the hardware that underpins its services.
Governance. Be prepared to restructure governance workflows and alignments. In the cloud, they need to be much more agile and continuous, with representation from diverse groups of stakeholders and technical disciplines. You will need to involve a wider variety of stakeholders and make decisions much more quickly than is typical for on-premises governance practices.
Cloud migration security considerations
There are numerous important cloud security considerations, but these should be your top priorities:
Regulatory and compliance requirements. Any cloud environment you migrate to must meet necessary regulations and compliance requirements. All major cloud service providers offer a range of compliance and audit attestations related to the capabilities and controls they maintain, per the aforementioned shared responsibility model. However, organizations must ensure they meet privacy requirements on their end of the shared responsibility. For example, they may need specialized cloud security controls and services to meet stringent industry requirements, such as those for finance, healthcare and government agencies.
Cloud control plane visibility. The cloud control plane provides the set of controls and settings that enable various types of functionality, such as logging and administrative access. Large, complex environments, such as AWS or Microsoft Azure, can have an overwhelming number of settings to enable and monitor. Organizations should follow industry best practices, such as applying the Center for Internet Security (CIS) benchmarks to initially configure and secure cloud accounts and subscriptions, and then monitor carefully thereafter for changes and risky configuration settings.
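As an added illustration (not code from the original article), here is a small Python drift check that compares a constructed snapshot of control-plane settings against a hardened baseline and flags settings that moved from passing to failing. The setting names and thresholds are assumptions loosely modelled on CIS-style controls, and a real deployment would populate the snapshot from the provider's configuration APIs rather than from inline data.

```python
# Constructed baseline of a few control-plane settings for a single account.
# The keys and values are illustrative assumptions, not a real benchmark export.
BASELINE = {
    "cloudtrail.multi_region": True,
    "cloudtrail.log_file_validation": True,
    "s3.account_public_access_block": True,
    "iam.root_mfa_enabled": True,
    "iam.password_min_length": 14,
}

# Constructed "current" snapshot taken later: logging was narrowed, the
# password policy was weakened, and one new setting appeared.
CURRENT_SNAPSHOT = {
    "cloudtrail.multi_region": False,
    "cloudtrail.log_file_validation": True,
    "s3.account_public_access_block": True,
    "iam.root_mfa_enabled": True,
    "iam.password_min_length": 8,
    "ec2.default_ebs_encryption": True,
}

# One predicate per setting; a missing key (None) fails every check.
CHECKS = {
    "cloudtrail.multi_region": lambda v: v is True,
    "cloudtrail.log_file_validation": lambda v: v is True,
    "s3.account_public_access_block": lambda v: v is True,
    "iam.root_mfa_enabled": lambda v: v is True,
    "iam.password_min_length": lambda v: isinstance(v, int) and v >= 14,
}


def evaluate(snapshot):
    """Return the sorted list of settings that fail their check."""
    return sorted(k for k, check in CHECKS.items() if not check(snapshot.get(k)))


def drift(baseline, current):
    """Return {setting: (old, new)} for every value that differs from baseline."""
    keys = set(baseline) | set(current)
    return {k: (baseline.get(k), current.get(k))
            for k in keys if baseline.get(k) != current.get(k)}


def risky_drift(baseline, current):
    """Subset of drift where a checked setting went from passing to failing."""
    return {k: v for k, v in drift(baseline, current).items()
            if k in CHECKS and CHECKS[k](baseline.get(k)) and not CHECKS[k](current.get(k))}


if __name__ == "__main__":
    print("failing now:", evaluate(CURRENT_SNAPSHOT))
    print("risky drift:", risky_drift(BASELINE, CURRENT_SNAPSHOT))
```

Unchecked additions such as the new EBS setting show up in `drift` but not in `risky_drift`, which is the distinction a monitoring pipeline needs between "something changed" and "something changed for the worse".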