Security Challenges of a Cloud Migration
Blog post, 18 May 2021, by Roy Stultiens (Security Specialist) & Ricardo Sanchez (Senior Security Specialist) at Secura
Many organizations want to migrate to one of the large public cloud providers, such as Azure, AWS or GCP. However, the new cloud environment comes with unique security challenges and risks. This blog post summarizes the most important points discussed in the webinar “Security Challenges of Cloud Migration”, the first webinar in a series about cloud security.
Risks of the cloud
Using cloud services also comes with inherent risks. Depending on the specific type of service, there is less visibility into the stack. For instance, if you use a PaaS service, there is generally no insight into or control over the provider-managed infrastructure. You need to trust the provider to securely manage and update the hardware, operating system, etc.
In addition, cloud architecture differs from on-premise architecture. Workloads might need adjustments to be used securely in cloud environments, as access control, networking and encryption work differently there. This can be challenging and might require developers and administrators to acquire new skills.
The more cloud-specific services you use, the harder it will be to move away from that cloud provider. This creates a vendor lock-in, which might cause issues if you need to migrate to another cloud provider.
Also note that the attack surface increases if you use public cloud services. The access portals are publicly available, and anyone with valid credentials can sign into an account. For this reason we highly recommend enforcing MFA for all users and regularly rotating access keys, to minimize the impact of stolen or leaked credentials.
The biggest security threats in cloud environments are:
- Misconfiguration of cloud services / wrong set-up
- Unauthorized access
- Insecure interfaces / APIs
- Hijacking of accounts, services or traffic
Migrating to the cloud can be done using different methodologies. There is a wide array of strategies to choose from:
1. Lift and Shift
- Use the cloud as Infrastructure as a Service
- Perform as little modification as possible
- Do not re-architect your environment to match cloud-specific needs
- Simply “grab” traditional infrastructure and deploy it in the cloud
This method is often performed by “traditional” companies that want to move to the cloud. Note that with this method you may miss out on some benefits of the cloud, and that default configurations are not always secure.
- Provide overall guidelines to all teams on how to move to the cloud and how to collaborate
- Teams get training and then move at their own pace to the cloud
This method is ideal where organizational units operate independently. Note that it requires a security-mature company that trusts its users to make secure configurations. Be careful with shadow IT and with teams not migrating according to plan. Trust, yet verify.
- Do a complete redesign of your architecture and take full advantage of the cloud
- Requires knowledge about the cloud provider and its services
This strategy makes full use of the cloud services and is best suited to new workloads or to small companies migrating to the cloud. Be careful with the false sense of security that might come with using cloud services.
4. Future State/Hybrid
- All new deployments are created with proper cloud architecture
- Existing infrastructure/applications remain on-premise
This strategy is often used by companies which have many on-premise applications but want to innovate. Using a hybrid environment requires you to maintain two different infrastructures, which can be a complicated process. In addition, safeguards must be in place to prevent pivoting between environments.
Top Security Tips
Of course, a cloud migration is not a one-day job. To have a safe and foolproof cloud migration process, we have lined up the following security tips for you:
- Train your people on cloud
Realize that there is a difference between cloud and on-premise environments. Administrators and users should be trained to have the proper knowledge about the new environment and to acquire new skills.
- Get IAM right
Spend time fine-tuning the access management policies. Build policies based on the least-privilege principle. Enforce MFA for all user accounts.
- Use Infra as code
Preferably use infrastructure as code to deploy new resources, and perform reviews on this code. This ensures identical resources on each deployment and reduces the risks inherent in manual configuration.
- Security awareness and behaviour
Train employees on awareness, to minimize the risk of social engineering or phishing attacks.
- Application / infra penetration tests still apply
Traditional application vulnerabilities are not automatically mitigated by hosting in the cloud. It is still recommended to perform penetration tests on these environments.
- Security maturity reviews
Assess the security level of the cloud environment and evaluate whether the company is ready to migrate (some) workloads to the cloud. Assess whether the remaining risks are accepted.
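The tips on least-privilege IAM policies, MFA enforcement and reviewing infrastructure-as-code before deployment, together with the earlier recommendation to enforce MFA and rotate access keys, can be partly automated. The following is an added example, not code from the Secura post or its authors: a small reviewer that takes an IAM policy document as it would be committed in an infrastructure-as-code repository and flags statements that grant wildcard actions or resources, or high-risk privileges without an MFA condition. The policy layout follows the AWS IAM JSON policy grammar; the two sample policies, the `HIGH_RISK_ACTIONS` list and the account ID and bucket name are constructed for this example.

```python
"""Added example (not from the Secura post): a reviewer for IAM policy
documents kept in infrastructure-as-code. It flags statements that violate
least privilege (wildcard actions or resources) and high-risk privileges that
are granted without an MFA condition. The policy structure follows the AWS IAM
JSON policy grammar; the sample policies below are constructed for this
example and do not describe any real account."""
import json

# Actions that, if granted without restriction, amount to broad control of an
# account. The list is illustrative, not exhaustive (assumption of this example).
HIGH_RISK_ACTIONS = {"*", "iam:*", "sts:*", "s3:*", "ec2:*"}


def _as_list(value):
    """IAM allows either a string or a list of strings in Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True if the statement carries the standard MFA condition key."""
    cond = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flags = cond.get(operator, {})
        if str(flags.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False


def review_policy(policy):
    """Return a list of (statement_sid, finding) tuples for an IAM policy dict."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement{idx}")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict; nothing to flag here
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((sid, "grants all actions (Action: *)"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "grants every action of a service (service:*)"))
        if "*" in resources:
            findings.append((sid, "applies to all resources (Resource: *)"))
        if any(a in HIGH_RISK_ACTIONS for a in actions) and not _requires_mfa(stmt):
            findings.append((sid, "high-risk privileges without an MFA condition"))
    return findings


# Constructed sample: an over-broad policy as it might appear in a pull request.
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow",
     "Action": "*", "Resource": "*"}
  ]
}
""")

# Constructed sample: the same intent scoped down to named resources, with the
# key-rotation permission gated on MFA.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOwnBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "RotateOwnKeys", "Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}
""")

if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, review_policy(pol) or "no findings")
```

Running a check like this in the pull-request pipeline of the infrastructure-as-code repository turns the "review the code" tip into a gate: the broad policy yields three findings and would be rejected, while the scoped policy passes because every statement names its resources and the sensitive key-management actions require MFA.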
All in all, a few key takeaways can be derived from these challenges, risks and benefits of moving to the cloud:
- Cloud environments come with unique challenges (people, process and technology)
- Multiple strategies exist to migrate to the cloud, each with their own benefits and drawbacks
- Cloud can increase security of your environment, but can also give a false sense of security
- More to configure, update and maintain with unique cloud services
- If the risks are addressed, cloud can be great for your business
Let's move to the Cloud!
This blog is written by Roy Stultiens & Ricardo Sanchez, who are both Secura's cloud security experts. They are both renowned experts that acquired many certificates over the past few years and, with vast experience in providing cloud security services, they are your one-stop shop for learning more about the cloud. The content of the blog is based on Secura's Cloud webinar in April 2021, performed by Ricardo Sanchez. At the moment, Ricardo is also offering a 2-day Cloud Security Training. Check out our cloud security training curriculum here to find out more, or register now for the Cloud training.