We’ve gathered some expert opinions about the top cloud migration security risks that organizations should think about when moving to the cloud.
Organizations are moving to the cloud in droves, some more cautiously than others, mindful of the security risks inherent in both cloud computing itself and the migration process. Information about the top security risks of moving to the cloud, however, can seem contradictory.
The 2019 Cloud Security Report from Cybersecurity Insiders noted that while 93% of cyber security professionals surveyed were concerned about public cloud security, 84% were confident in their own organization’s security posture. These numbers suggest that organizations are more worried about the security of their cloud service providers (CSPs) than about the cloud security risks they can control themselves.
However, a recent report from Cloud Security Alliance, Top Threats to Cloud Computing: Egregious Eleven, points out that unlike in previous years, organizations now seem less concerned with security risks that fall within the purview of their cloud service providers, such as denial of service. “Instead,” the report says, “we’re seeing more of a need to address security issues that are situated higher up the technology stack that are the result of senior management decisions.”
So if you’re planning to migrate any of your business operations to the cloud, what should you be most concerned about? Should you focus on the security of the software, platform, and infrastructure offered by your CSP? Or should you do more to secure your own applications and processes? What poses the greatest cloud migration security risk: data exposure, misconfiguration, regulatory compliance, policy and strategy, or something else entirely?
We’ve rounded up some expert opinions about the top security risks during cloud migration that organizations should keep in mind.
What is the top #security issue in #cloud migration?
— Synopsys Software Integrity (@SW_Integrity) August 23, 2019
I would say the top three are:
—Chenxi Wang, founder and general partner, Rain Capital
DevOps has become part of C-suite and board-level discussions, attesting to the growing critical value of web applications and digital transformation as part of the broader business strategy. However, if the frequency of breaches and the growing concerns of CISOs are any indication, executives aggressively pushing for cloud solutions often have a mistaken understanding of the nature of the security risks that cloud adoption and careless DevOps programs can introduce into their organization.
—Lior Cohen, senior director of products and solutions, cloud security at Fortinet
While changes to applications and the underlying cloud services are introduced increasingly frequently, in most cases there are no controls that validate the security and compliance of cloud services configuration changes beyond day one. The manual, “day one” or “point in time” type of compliance and validation of cloud services configuration becomes increasingly insufficient for public cloud workloads, as was demonstrated by a slew of recent data breaches in financial institutions that were associated with cloud services misconfigurations.
—Tatiana Lavrentieva, cloud security and operations practice lead, Synopsys
Off site Cloud Computing simply isn’t secure and can’t be made secure. Very limited access on site cloud computing “can” be made secure, but not with internet access to it, or other easy off site access. Hillary Clinton’s server insecurities should be warnings to everyone imho.
It’s the visibility. [Organizations migrating to the cloud] feel like when they move their stuff to the cloud, they lose a lot of visibility that they had for the stuff on-prem. They have the tooling and they know how to look at stuff in their own network. But once they start moving out things to the cloud they lose that visibility.
—Marcus Hartwig, senior product marketing manager at Vectra AI
Organizations should prevent users from having permissions to open up new attack surfaces and time-box access to sandbox environments. For instance, opening up a NAT (network address translation) gateway from a hybrid networking environment in AWS isn’t necessarily bad—in fact, it’s necessary in some cases—but it introduces the possibility of a server using that NAT gateway to pull packages or content from any remote resource. Users shouldn’t be the sole bearers of responsibility—the organization should build in preventive measures.
—Kinnaird McQuade, senior consultant, Synopsys
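One way to turn the preventive measures described above into a repeatable check, as an added example (not code from the article or from anyone quoted in it): the script below reads an AWS IAM identity policy and reports which network-exposing EC2 actions it still allows, and whether every such grant is time-boxed with an `aws:CurrentTime` condition. The list of risky actions and the sample policies are this example's assumptions, and resource scoping, service control policies and permission boundaries are not evaluated.

```python
import fnmatch

# Assumption: the example treats these real EC2 actions as "opening attack surface".
RISKY_ACTIONS = ["ec2:CreateNatGateway", "ec2:CreateInternetGateway",
                 "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupIngress"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(patterns))
    if "NotAction" in stmt:
        return not hit(stmt["NotAction"])
    return hit(stmt.get("Action", []))

def _time_boxed(stmt):
    # An expiring grant: Condition {"DateLessThan": {"aws:CurrentTime": "<timestamp>"}}
    bounds = stmt.get("Condition", {}).get("DateLessThan", {})
    return any(key.lower() == "aws:currenttime" for key in bounds)

def risky_grants(policy):
    """Map each risky action the policy allows to True if every grant expires."""
    statements = _as_list(policy.get("Statement", []))
    found = {}
    for action in RISKY_ACTIONS:
        allows = [s for s in statements
                  if s.get("Effect") == "Allow" and _covers(s, action)]
        # Only an unconditional Deny on all resources is counted as a guardrail.
        denied = any(s.get("Effect") == "Deny" and _covers(s, action)
                     and "Condition" not in s
                     and "*" in _as_list(s.get("Resource", "*"))
                     for s in statements)
        if allows and not denied:
            found[action] = all(_time_boxed(s) for s in allows)
    return found

# Constructed sample policies (not taken from any real account).
SANDBOX_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:CreateNatGateway", "Resource": "*"}]}
TIMEBOXED_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["ec2:Describe*", "EC2:authorizesecuritygroupingress"],
    "Resource": "*", "Condition": {"DateLessThan": {"aws:CurrentTime": "2030-01-01T00:00:00Z"}}}}

if __name__ == "__main__":
    print(risky_grants(SANDBOX_POLICY), risky_grants(TIMEBOXED_POLICY))
```

Running a check like this on every policy change, rather than once at deployment, also addresses the “day one” validation gap raised earlier on the page.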
Confidence in the service provider, own staff and technologies used. Understanding the appropriate access/integration requirements with non-cloud systems.
Identifying weakest penetration points within current systems, addressing those points in migration plan.
KISS
[In a Ponemon Institute survey of more than 600 federal IT decision-makers] 71 percent said that visibility and governance are challenges to securing cloud use.
Some of the cloud applications being used may be well known and highly secure, but there may be other less popular or custom applications on the cloud that are being used to store and transmit sensitive data. In many cases, the federal IT security manager is the last to know when a new application is accessed from the cloud. In some cases, they may never know—a sobering prospect for managers whose ability to deter threats is dictated in large part by the amount of control they have over their networks.
—George Kamis, CTO for global governments and critical infrastructure at Forcepoint
Although we have seen great strides in automation from cloud platforms, they can amplify problems.
Simple script errors can open holes or bring services to a halt—quickly and automatically. You can’t trust the cloud to monitor itself, and if you are ultimately responsible for security (and all the potential harm of a breach), nor should you trust the cloud. The automation and efficiency—as with every computing shift going back to the migration to client/server from mainframes—uncovers unexpected nuances that require attention and investment. In such an open, automated environment, organizations need to deploy granular monitoring of cloud data access and control. The more open environments get, the more controls and monitoring you need.
—Ameesh Divatia, co-founder and CEO at Baffle, Inc.
I worry about it getting windy and the cloud migrating over Russia and it raining my emails over the Kremlin
For me it has to be data security