A new study on cloud adoption from Intel Security offered good news and bad news for enterprises. The good news is, according to a survey of more than 1,200 IT decision-makers, the frequency of cloud-related data breaches is very low. But the bad news is those decision-makers say migration challenges are the most common problem they face. From a security perspective, there are definitely challenges when moving workloads and data into the cloud, either from internal data centers to the cloud or from one cloud provider to another.
The first of the major cloud migration challenges is to ensure only the proper types of data end up in the cloud per policy and data classification requirements. Many organizations have found sensitive data in the cloud that they did not plan to put there, often because of a lack of communication to project teams, a lack of understanding of the risks, or both. In the SANS survey cited in Intel Security's study, 40% of respondents indicated that they store or process sensitive data in the cloud (Editor's note: the author provided insight for the Intel Security report). For the other 60% who don't, care needs to be taken to define policies that state what data can be migrated to the cloud and what data can't.
Another cloud migration challenge many organizations face is realizing that not all cloud providers offer the same services and capabilities, and vendor lock-in is a very real possibility. After project teams build infrastructure within a specific cloud provider, moving specific formats of data and systems to other environments may prove difficult, if not impossible. On the same note, exporting data from cloud environments can be a major hurdle for two reasons. First, retrieving very large quantities of data from a cloud provider may require special handling provisions in contracts, possibly requiring shipment of storage hardware to the provider for transfer. Second, the format the data is in when exported may not be compatible with other providers or even internal systems and applications. It's critical to ask questions up front and ensure all data can be exported readily in a format that organizations can work with.
Security teams need to take time before cloud data migrations to evaluate the security controls currently in use in-house, and then compare and contrast options available in cloud provider environments. Invariably, some security controls -- and/or vendors -- will not be available in the cloud provider environment, and this can lead to deployments that are missing crucial security controls coverage if these gaps aren't discovered and accommodated properly. Failure to match existing security controls with equivalent ones in a cloud environment may lead to data exposure, breaches and compliance violations, at a minimum.
Another major cloud migration challenge is a lack of due diligence in assessing the service provider and its security capabilities and posture. Most reputable providers today offer the SSAE 16 SOC 2 at a minimum, and some have more in-depth reports focused on ISO 27001 or compliance mandates like PCI DSS or HIPAA. Vendor management, legal, and security and compliance teams need to require the cloud provider to answer a security questionnaire and determine the level of risk for that provider. Many choose to base their questionnaires on the Cloud Security Alliance Consensus Assessments Initiative Questionnaire, and some providers already have answers for this ready to go. Reviewing these answers can reveal a lot about major security challenges like encryption key management and access, identity management compatibility, network controls available, and whether the cloud provider can accommodate legal and forensics requests from tenants.
If there were one key bit of advice for helping to ease cloud migration challenges, it would be planning. Build a policy that requires involvement of the security team for all cloud projects, determine what the due diligence program looks like, and make sure you aren't moving into any cloud services where you have missing or inadequate controls and data compatibility.