Most businesses either have a cloud migration strategy or have already moved. Cloud is simply better than on-premises—and not just because of lower costs.
It might not be the best thing to have your head in the clouds. But it has become a very good thing, or at least a very popular thing, to have your business in the cloud—multiple surveys confirm it.
Druva, a cloud data management and security company, reported last month that moving virtualized workloads to the cloud, or cloud migration, is either a reality or a near-term goal for an overwhelming majority—90%—of 170 organizations it surveyed during July and August.
The Cloud Industry Forum reported more than a year ago that overall cloud adoption in the U.K. was at 88%, with 67% of users expecting to increase their adoption of cloud services over the coming year.
Forbes cited an April 2017 study from Intel Security that found 73% of companies are planning to move to a fully software-defined data center within two years.
And while the Druva survey found that most respondents plan to use a hybrid approach to cloud migration, the bottom line is clear: Cloud has become mainstream.
There are multiple reasons for widespread cloud migration, but they all share a common theme: For most businesses, the cloud simply works better than so-called on-premises.
And it isn’t just about money. While any organization is interested in cutting costs, the Druva survey also found the main drivers of cloud migration were disaster recovery, ease of management, and archival.
All of which provide plenty of incentives for businesses to move to the cloud—which is exactly what they are doing.
Organizations vary in their needs, capabilities, and priorities, so they are migrating applications to the cloud in a number of ways. Steven Cohen, product marketing manager at Synopsys, profiled several of them last December.
Lift and shift. This means moving an application, as is, to the cloud. It is appealing to organizations for which it is more efficient to, in effect, rent servers and data center infrastructure than to build, manage, and maintain their own. It generally involves using IaaS (infrastructure as a service) from the cloud provider.
Lift and refit. This is what it sounds like—moving applications to the cloud and then tweaking them so they will work more effectively in the cloud environment.
Cloud native. This refers to new applications developed and built specifically for the cloud. An incentive to do that would be the CSP (cloud services provider) offering services that make application development faster. Obviously, these apps are designed to integrate well with the cloud computing architecture and to take advantage of a CSP’s computing frameworks and services.
All this comes with a caveat, however. Organizations shouldn’t think they can simply migrate workloads, storage, applications, and other operations into the hands of a CSP and forget about security because “they’ll take care of it.”
Mark Zurich, managing director at Synopsys, notes that organizations need to perform due diligence on a long list of potential cloud migration security risks, some of them similar to those that plague every organization in any configuration, but some unique to the cloud.
They include data breaches and data loss, insecure APIs, malicious insiders, advanced persistent threats (APTs), denial of service, shared technology vulnerabilities, shared tenancy, multiple users on the same stack, and lack of encryption.
Besides all that, as Cohen put it nearly a year ago, “the cloud interfaces with just about every application and corresponding infrastructure stack in existence.”
That, as any security expert will tell you, makes the cloud an attractive attack surface—there are so many potential entry points.
In a second post, we will focus on how organizations can integrate cloud security into their software security initiatives (SSIs).
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.