In this blog, we explore the challenges organizations face when establishing and maintaining cloud and cloud migration security, the impact of shadow IT on security, and effective strategies to classify and protect sensitive information.
Recent surveys paint a stark picture of cloud migration security challenges. According to IDC and Ermetic research, a staggering 98 percent of companies have experienced at least one cloud data breach in the past two years, with 83 percent reporting multiple incidents. Even more alarming, 43 percent of organizations have sustained 10 or more security breaches, underscoring the urgent need for robust cloud migration security strategies.
Cloud control isn’t simply about protecting data. It’s about safeguarding your organization’s most valuable asset in an increasingly interconnected digital ecosystem. As cloud adoption accelerates – with 94 percent of large organizations already running significant workloads in the cloud – understanding and implementing comprehensive cloud and cloud migration security isn’t optional. It’s imperative.
8 Cloud Migration Security Steps to Follow
Fortunately, there are several cloud migration principles and steps you can follow to secure your cloud footprint.
1. Know and Catalog Your Data
For starters, you need to identify the data you already have in the cloud. This could involve:
- A business line employing a cloud-based SaaS tool (for example, Atlassian for project management or GitHub for source control)
- Programs that automate manual processes that may collect and consolidate data into a non-governed data store
- Internet of Things (IoT) devices (printers, cameras, and so on) that might be uploading usage metrics data into your network
Then, secure your data by acting to catalog the cloud-based tools and services you have, such as:
- A survey of the cloud solutions you control
- A department survey of work-related digital tools
- A network-wide reconnaissance that detects Internet-seeking applications and users who frequently visit cloud service-oriented websites (for example, a lot of log entries for Dropbox visits)
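One way to do the network-wide reconnaissance above, as an added example that is not part of the original post: it scans constructed web proxy log lines for visits to known cloud and SaaS domains and reports which services are in use, by whom, with how many upload-style requests, and whether each service is on a (constructed) sanctioned list. The log format, domain list and sanctioned set are all assumptions for illustration.

```python
"""Shadow-IT discovery from web proxy logs (constructed data throughout)."""
from collections import defaultdict
import re

# Constructed proxy log lines: "<time> <user> <method> <url> <status>"
PROXY_LOG = """\
2024-03-01T09:01:12Z alice GET https://bitbucket.example-corp.internal/repo 200
2024-03-01T09:02:40Z bob GET https://www.dropbox.com/home 200
2024-03-01T09:03:05Z bob POST https://content.dropbox.com/upload 200
2024-03-01T09:05:51Z carol GET https://drive.google.com/drive/my-drive 200
2024-03-01T09:06:02Z bob GET https://www.dropbox.com/s/abc123 200
2024-03-01T09:08:30Z dave GET https://api.github.com/repos/acme/app 200
2024-03-01T09:09:00Z carol POST https://docs.google.com/document/d/x/edit 200
2024-03-01T09:10:10Z bob PUT https://content.dropbox.com/upload 200
2024-03-01T09:11:45Z erin GET https://www.example-news.com/ 200
"""

# Cloud service -> domain suffixes that identify it (constructed list).
CLOUD_SERVICES = {
    "Dropbox": ("dropbox.com",),
    "Google Drive": ("drive.google.com", "docs.google.com"),
    "GitHub": ("github.com",),
}

# Services approved by IT (constructed); anything else found is shadow IT.
SANCTIONED = {"GitHub"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
UPLOAD_METHODS = {"POST", "PUT"}


def host_of(url):
    """Return the host part of a URL, lower-cased, without scheme or port."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()


def classify_host(host):
    """Return the cloud service a host belongs to, or None if it is not one."""
    for service, suffixes in CLOUD_SERVICES.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return service
    return None


def discover_shadow_it(log_text, min_hits=1):
    """Aggregate cloud-service usage from proxy log text.

    Returns {service: {"hits", "users": {user: count}, "uploads", "sanctioned"}}.
    Upload-style requests are counted separately because they are the stronger
    indicator that business data is leaving for an unmanaged store.
    """
    report = defaultdict(lambda: {"hits": 0, "users": defaultdict(int),
                                  "uploads": 0, "sanctioned": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, user, method, url, _status = m.groups()
        service = classify_host(host_of(url))
        if service is None:
            continue
        entry = report[service]
        entry["hits"] += 1
        entry["users"][user] += 1
        entry["sanctioned"] = service in SANCTIONED
        if method in UPLOAD_METHODS:
            entry["uploads"] += 1
    return {s: {**e, "users": dict(e["users"])}
            for s, e in report.items() if e["hits"] >= min_hits}


def unsanctioned_services(report):
    """Shadow-IT services, most uploads first, then most hits."""
    return sorted((s for s, e in report.items() if not e["sanctioned"]),
                  key=lambda s: (-report[s]["uploads"], -report[s]["hits"]))


if __name__ == "__main__":
    rep = discover_shadow_it(PROXY_LOG)
    for svc in unsanctioned_services(rep):
        e = rep[svc]
        print(f"{svc}: {e['hits']} hits, {e['uploads']} uploads, users={e['users']}")
```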
The applications organizations use to handle their identified and cataloged data aren’t always the products they initially selected for that purpose. While most organizations would prefer their app portfolio to consist of leadership-approved IT solutions, the implementation of shadow IT alternatives has become widespread as departments seek unauthorized options that they believe are more conducive to innovation, productivity or efficiency.
In some instances, these unofficial options, so to speak, can help your enterprise manage cloud migration security. Commonly used shadow IT choices include:
- Consumer-grade cloud services, such as Google Drive or Dropbox, for storing and sharing business data
- Personal smartphones or tablets for tapping into company data or systems
- Customized software or tools that employee teams are developing without the endorsement of IT departments
Shadow IT isn’t going away. Gartner, Inc. reveals that 41 percent of company employees obtained, developed or modified technology that wasn’t visible to their IT leaders – i.e., shadow IT – in 2022 and that 75 percent of them will do so by 2027.
2. Determine Your Data Classification and Risk
Protecting your data and ensuring cloud and cloud migration security also involves determining your data classification and risk using common security definitions. These definitions include:
- Regulated or restricted data (e.g., patient health information (PHI), payment card information, or nonpublic financial disclosures)
- Protected data (such as customer and donor lists and employee data)
- Company confidential data, such as internal communications and collaboration
Because of the rise of big data, predictive analytics and – especially – AI, the ability for other enterprises to find a needle in a haystack has increased. Consider adding OPSEC, a security and risk management process that pinpoints apparently harmless actions that could expose your critical or sensitive data to cyber theft.
This exposure could include data that reveals information about your sales and delivery pipeline or potential investments and acquisition targets. Social media posts and photos posted online may contain geographic location information that inadvertently leaks this strategic data, while notes on expense reports may also unintentionally expose it.
Once you identify the data that’s at risk, create a concise matrix by data classification for each cloud vendor that includes standards to follow on encryption, password security, access control, and separation of duties.
The corollary to identifying your data classification and level of risk is knowing what rules and laws can support that effort and keep your cloud data inviolable.
Since 2018, compliance regulations to protect data in the cloud have become increasingly rigorous. In that year, the European Union adopted the General Data Protection Regulation (GDPR) to unify and toughen data protection laws in all EU member states and safeguard privacy rights of all European Economic Area (EEA) citizens. It stipulates that:
- Companies can process and store personal data only within the EEA or other permitted countries unless the affected individual allows otherwise.
- Organizations should only collect and store personal data that is necessary for their operations.
- Organizations should not retain personal data for longer than necessary.
- Individuals have the right to access the personal data kept by an organization.
- Individuals can ask companies to delete their personal data.
Beyond the EU, the GDPR applies to any organization processing or storing personal data about EEA residents, regardless of the organization’s location. Moreover, after the United Kingdom exited the EU, it adopted its own version of the GDPR, the U.K. GDPR, which is almost identical to the EU GDPR.
The California Consumer Privacy Act (CCPA) that became effective at the start of 2020 – and later was amended with additional privacy protections that took hold three years later – contains stringent requirements pertaining to personal information a company might process or store when using a public cloud.
The CCPA obligates organizations that keep California residents’ personal information in their cloud accounts to execute all data disclosure and deletion requests. Accordingly, companies must know about every cloud data store containing data that might be subject to a CCPA request.
The evolution of the data regulatory landscape hasn’t only included more types of covered data and tougher compliance rules but also the need to account for more variability among data handling and storage requirements spanning multiple regions and industries. When cloud providers operate across borders, they can confront compliance challenges involving potential conflicts with local regulations.
The increase in data regulations has pressured organizations to remain compliant with regulatory standards in the cloud. Typical compliance methods, such as periodic audits and manual checks, are no longer sufficient; continuous compliance instead applies automation and real-time monitoring to ensure that cloud environments consistently meet regulatory standards.
Automation tools can make compliance management easier by creating compliance reports and maintaining audit trails, and they enable real-time monitoring and alerts to immediately detect and correct any departure from compliance standards.
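The per-vendor classification matrix from earlier in this step, turned into the kind of automated, continuous check just described, as an added example that is not part of the original post: it encodes a control matrix per data classification, evaluates constructed vendor configuration snapshots against it, and diffs two snapshots so that only new departures from the standard are raised as alerts. The classifications, control names, vendors and settings are all assumptions for illustration.

```python
"""Classification matrix -> automated compliance check (constructed data)."""

# Minimum controls per data classification (constructed matrix). The keys
# cover the areas the matrix should address: encryption, password security,
# access control and separation of duties.
CONTROL_MATRIX = {
    "regulated":    {"encrypt_at_rest": True, "encrypt_in_transit": True,
                     "mfa": True, "max_password_age_days": 90,
                     "least_privilege_roles": True, "separate_admin_roles": True},
    "protected":    {"encrypt_at_rest": True, "encrypt_in_transit": True,
                     "mfa": True, "max_password_age_days": 180,
                     "least_privilege_roles": True, "separate_admin_roles": False},
    "confidential": {"encrypt_at_rest": False, "encrypt_in_transit": True,
                     "mfa": True, "max_password_age_days": 365,
                     "least_privilege_roles": False, "separate_admin_roles": False},
}


def check_store(store):
    """Return a list of (control, required, actual) violations for one store.

    `store` has 'vendor', 'name', 'classification' and a 'config' dict of the
    vendor's actual settings. Boolean controls fail when required but not set;
    max_password_age_days fails when the actual value exceeds the requirement
    or is missing (None means no rotation policy at all).
    """
    required = CONTROL_MATRIX[store["classification"]]
    cfg = store["config"]
    violations = []
    for control, want in required.items():
        have = cfg.get(control)
        if isinstance(want, bool):
            if want and have is not True:
                violations.append((control, want, have))
        elif have is None or have > want:
            violations.append((control, want, have))
    return violations


def evaluate(stores):
    """Map 'vendor/name' -> set of violated control names across all stores."""
    return {f"{s['vendor']}/{s['name']}": {v[0] for v in check_store(s)}
            for s in stores}


def new_violations(previous, current):
    """Controls violated now that were not violated in the previous snapshot.

    A continuous-compliance monitor alerts on exactly this set, so a change
    that removes a control is noticed immediately rather than at the next audit.
    """
    return {store: sorted(ctrls - previous.get(store, set()))
            for store, ctrls in current.items()
            if ctrls - previous.get(store, set())}


# Constructed snapshots of two vendor data stores.
SNAPSHOT_1 = [
    {"vendor": "VendorA", "name": "patient-records", "classification": "regulated",
     "config": {"encrypt_at_rest": True, "encrypt_in_transit": True, "mfa": True,
                "max_password_age_days": 60, "least_privilege_roles": True,
                "separate_admin_roles": True}},
    {"vendor": "VendorB", "name": "donor-list", "classification": "protected",
     "config": {"encrypt_at_rest": True, "encrypt_in_transit": True, "mfa": False,
                "max_password_age_days": None, "least_privilege_roles": True}},
]
# Later snapshot: at-rest encryption was switched off on the regulated store.
SNAPSHOT_2 = [dict(s, config=dict(s["config"])) for s in SNAPSHOT_1]
SNAPSHOT_2[0]["config"]["encrypt_at_rest"] = False

if __name__ == "__main__":
    before, after = evaluate(SNAPSHOT_1), evaluate(SNAPSHOT_2)
    print("baseline gaps:", {k: sorted(v) for k, v in before.items()})
    print("new alerts:", new_violations(before, after))
```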
3. Implement Monitoring Tools and Best Practices for Cloud Migration Security
Failsafe cloud migration security and established cloud security depend upon having leading-edge cloud-based tools and best practices in place to protect your data. Let’s look at some of the most recent solutions and effective procedures that have been adopted, as well as some that have come to the forefront this year.
Cloud Migration Tools
- Cloud security posture management (CSPM) tools continuously monitor cloud configurations to detect possible security risks. They deliver automated compliance checks and security analyses that alert you to anomalies so you can quickly fix problems and pre-empt potential data breaches.
- Cloud workload protection platform (CWPP) security extends to cloud workloads that include virtual machines, containers and serverless workloads. It deploys features such as workload hardening, vulnerability management, and runtime protection, and it provides protection throughout workload lifecycles.
- Cloud infrastructure entitlement management (CIEM) manages and controls identities and permissions within a cloud system. With CIEM, businesses can monitor and supervise user entitlements, which reduces the risk of identity-related security failures, and gain visibility into user access to resources, which lets teams enforce least-privilege access and shrink the attack surface.
- Identity and access management (IAM) features, such as single sign-on, multi-factor authentication and role-based access control, ensure that only valid users can access data. IAM also can monitor and log user activities for audit purposes.
- AI-powered threat detection platforms use machine learning to analyze network traffic and data generated by endpoints to find potential threats. AI-fueled incident response tools automate the malware containment and elimination process.
Best Practices for Secure Cloud Data
- Data encryption should apply to cloud data at rest and in migration and should use strong encryption so that even intercepted data remains secure. It is a continuous process, not a one-time activity.
- Understand the shared responsibility model, which sets out the security responsibilities of the cloud provider (securing the underlying infrastructure) and the customer (protecting their data, applications, and user access) so that businesses know what security controls to put in place.
- Create and enforce robust cloud security policies that cover functions such as data protection, incident response, access control, and compliance. These policies automatically enforce compliance standards in every cloud deployment, migration and maintenance.
- Secure endpoints, including laptops, workstations, and mobile devices, by implementing security measures such as antivirus and anti-malware software, firewalls, and secure communications protocols. Businesses should also set up endpoint detection and response (EDR) solutions to conduct real-time monitoring and management of endpoint security.
- Enable and monitor security logs to see what users are doing, what system events are happening, and the traffic on the network. These logs are essential for developing user behavioral analytics that can spot suspicious activities and probe security incidents.
- Cloud incident response plans can protect against and, when necessary, confront cyberattacks. They should clearly stipulate what measures to take if a security breach happens, including communication protocols, roles and responsibilities, and recovery procedures.
- DevSecOps is a secure software development lifecycle (SSDLC) procedure that integrates security into the first stages of software development with automation tools that analyze code for identified vulnerabilities and give developers feedback in real time.
Establishing cloud security in multi-cloud or hybrid cloud is its own special challenge, because spreading databases, cloud services, and application workloads across multiple public clouds gives cybercriminals a bigger infrastructure surface to target.
The best protection against this is the adoption of standardized and synchronized security policies across all cloud environments. Plus, centralizing all public-cloud security data into a repository such as a security data lake provides a 24/7 look at the whole multi-cloud environment, along with comprehensive monitoring, from a single interface.
Cloud-native application protection platforms (CNAPP) and secure access service edge (SASE) systems help secure hybrid networks and multi-cloud platforms whose varying and sometimes incompatible workflows often complicate the data protection function.
There are particular cloud and cloud migration security tactics that would apply to hybrid clouds and others that would apply to multicloud deployments.
Hybrid cloud teams should use federated identity management for seamless access control across different environments. They should also encrypt data in transit and at rest and develop robust backup and disaster recovery plans. Finally, they need to have consistent security policies for all private and public clouds.
Multicloud teams should apply the aforementioned standardized security frameworks and centralized monitoring and management tools and continuously track and audit cloud environments to ensure they meet compliance and regulatory requirements.
4. Deploy Identity and Access Management Methods and Concepts
While it’s sometimes overlooked during a cloud migration, identity and access management (IAM) is integral to making data migration secure.
IAM tracks employee activity and controls access to programs and applications so companies can identify suspicious trends or transactions and avoid errors. It employs guidelines, procedures, and IAM tools to oversee identities and limit who can access systems and examine data.
As with other aspects of cloud and cloud migration security, IAM methods and concepts are updated to address contemporary cyber risks. Here are some of the current trends you need to adopt for data protection in the cloud:
- Machine identity, combining least privilege and zero trust. The zero-trust model requires employees and others to pass authentication and verification checks at login and between sessions, which also lets businesses establish machine identities. Enterprises should pair the least-privilege principle with the zero-trust model so that employees with network access can reach only the systems they need, and automate machine identification.
- Enhanced multifactor authentication (MFA). Organizations that require MFA through one-time passwords can strengthen authentication by automatically checking usage patterns, locations, IP addresses, and the devices users use.
- Decentralized identity ecosystems. Instead of using centralized systems, enterprises can use blockchain in a decentralized process to strengthen identity management. The user-centric nature of these systems preserves user identity and fosters alignment of identity governance and administration (IGA) and other regulatory compliance with the organization’s data privacy and security infrastructure.
- AI- and machine learning (ML)-powered IAM systems. AI systems of this kind can make identity verification much more precise. Machine learning algorithms that help IAM systems interpret millions of user actions, behaviors and authentication transactions can detect and forecast discrepancies or security failures.
- Identity as a service (IDaaS). This cloud-based subscription service furnishes IAM technology and can assist IT operations in controlling access for large workforces and cutting down on manual workflows.
- OAuth. This open-standards identity management protocol establishes secure access for websites, devices and mobile apps.
- Privileged access management (PAM). PAM manages accounts of users with greater permitted access to high-risk systems, and its tools often enable secure password storage and session recording.
The least privilege and MFA approaches are among the processes you can employ for provisioning, deprovisioning and monitoring access to your data portfolio. Other processes suitable for this purpose include:
- User provisioning software, which helps HR and IT teams regulate access, application roles, and security policies throughout departments and groups
- Group-based access controls and role-based access controls
Note that cloud provisioning can be dynamic, where resources can be scaled up or down, depending upon demand, and include infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) formats.
In both provisioning and deprovisioning, automated systems can simplify processes and make user access management more efficient. On the one hand, they can automatically create an account where access is tied to the user’s role. On the other, they can offboard accounts so they are automatically removed and can’t obtain unauthorized access.
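The automated provisioning and deprovisioning just described, as an added example that is not part of the original post: given a constructed HR roster and a constructed dump of cloud IAM accounts, it computes the joiner, mover and leaver actions needed to make IAM match HR, deriving each account's entitlements from its role and revoking anything beyond the role (least privilege). The roles, entitlement names, users and account data are all assumptions for illustration.

```python
"""Role-based provisioning/deprovisioning reconciliation (constructed data)."""

# Constructed role -> entitlement matrix (the role-based access controls).
ROLE_ENTITLEMENTS = {
    "analyst":   {"bi-reader", "s3-reports-ro"},
    "developer": {"repo-write", "ci-runner", "s3-artifacts-rw"},
    "dba":       {"db-admin", "s3-backups-rw"},
}

# Constructed HR roster: only active people should hold an account.
HR_ROSTER = [
    {"user": "alice", "role": "developer", "status": "active"},
    {"user": "bob",   "role": "analyst",   "status": "active"},
    {"user": "carol", "role": "dba",       "status": "terminated"},
    {"user": "dave",  "role": "analyst",   "status": "active"},
]

# Constructed IAM account dump: user -> entitlements currently granted.
IAM_ACCOUNTS = {
    "alice":   {"repo-write", "ci-runner", "s3-artifacts-rw", "db-admin"},  # drift
    "bob":     {"bi-reader", "s3-reports-ro"},
    "carol":   {"db-admin", "s3-backups-rw"},                               # leaver
    "mallory": {"repo-write"},                                              # orphan
}


def reconcile(roster, accounts, role_entitlements):
    """Return the ordered list of actions needed to make IAM match HR.

    Actions are tuples: ("create", user, entitlements), ("grant", user, ent),
    ("revoke", user, ent) or ("disable", user). An unknown role yields
    ("error", user, reason) rather than silently provisioning nothing.
    """
    actions = []
    active = {}
    for person in roster:
        if person["status"] != "active":
            continue
        role = person["role"]
        if role not in role_entitlements:
            actions.append(("error", person["user"], f"unknown role {role}"))
            continue
        active[person["user"]] = role_entitlements[role]

    # Joiners and movers: the account must exist and match the role exactly.
    for user, wanted in sorted(active.items()):
        if user not in accounts:
            actions.append(("create", user, sorted(wanted)))
            continue
        have = accounts[user]
        for ent in sorted(wanted - have):
            actions.append(("grant", user, ent))
        for ent in sorted(have - wanted):   # excess permissions are revoked
            actions.append(("revoke", user, ent))

    # Leavers and orphans: any account without an active roster entry goes.
    for user in sorted(set(accounts) - set(active)):
        actions.append(("disable", user))
    return actions


if __name__ == "__main__":
    for action in reconcile(HR_ROSTER, IAM_ACCOUNTS, ROLE_ENTITLEMENTS):
        print(action)
```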
5. Know Your Enemy: What Are the Most Common Security Breaches?
Cloud security breaches have become alarmingly frequent. Survey data from IDC and Ermetic revealed that, in the past two years, the percentage of companies reporting at least one cloud data breach had grown by almost 20 percent, from 79 to 98 percent. Even worse, 83 percent of reporting organizations had experienced multiple breaches, and 43 percent had sustained 10 or more such incidents.
So, what are the worst culprits responsible for this situation?
- Ransomware is a biggie. According to Verizon’s Data Breach Investigations Report (DBIR), ransomware incidents shot up by 13 percent in 2022 – an increase as big as the previous five years combined.
- Phishing may be the most common offender. The phisher could be a scammer who, pretending to be a trusted source such as a bank, mobile company, or postal delivery service, emails targets and attempts to fool them into surrendering sensitive data such as VoIP system login credentials or card details. Or it could be someone trying to get their target to click on a seemingly benign but actually malicious link or attachment and unwittingly trigger a malware attack on the target device.
- Cloud misconfigurations are the third most common initial attack vector in cloud security breaches, according to IBM’s Cost of a Data Breach Report. What’s so damaging about these incidents is that, on average, it takes 186 days to identify them and another 65 days to repair them – costing companies about $3.86 billion. Because it’s easy to use the cloud and share data on it, it’s a challenge to restrict data access only to authorized parties. And, because it’s difficult to have total visibility into and control of cloud infrastructure, organizations with multi-cloud deployments may have a variety of vendor-provided security controls, which can make it easy for a misconfiguration to occur.
- The lack of security measures is problematic, too. Many companies don’t use all the permissions they have a right to deploy, which lets hackers victimize accounts with misconfigured permissions without IT teams detecting their data thefts.
- Insecure interfaces and APIs (application programming interfaces) can also be vulnerable. Many cloud service providers offer multiple such interfaces to their customers, but the customer documentation these interfaces require can also help wrongdoers find and exploit ways to access and exfiltrate sensitive data.
6. Consider the Flipside of AI
As much of a boon as AI can be in securing data in the cloud, both during and after migration, it also can present security challenges. AI systems tap into vast datasets to learn and make forecasts, which complicates the protection of all that data. These systems also may generate false positives that can trigger unnecessary alarms and de-sensitize people to valid alerts.
Model theft, also known as model inversion or extraction, can happen when attackers recreate a model by querying it heavily and using its responses to mimic its functionality. A resource exhaustion attack (such as a denial-of-service, or DoS, attack) can deluge AI systems by devouring their computational resources so that they malfunction.
However, you can successfully address these challenges. Data anonymization techniques and strict access controls can safeguard sensitive information. You can also reduce false positives by continuously training AI models on updated datasets and real-world attack scenarios to improve their accuracy over time.
Limiting how much information hackers can deduce from model outputs can prevent model theft, and using differential privacy can be effective, too, because the noise it adds to outputs can shroud the underlying data. Rate limiting and resource allocation controls can frustrate resource exhaustion attacks by restricting how much any entity can use an AI system.
Furthermore, load balancing and scaling mechanisms can evenly spread out the computational load, so that systems can operate properly even during peak demand.
7. Develop a Clearly Understood Acceptable Use Policy
In today’s digital landscape, a cloud and cloud migration security policy is a must to protect your data assets and mitigate the risks of compromising those assets in migration and at rest.
Such a policy, consisting of a framework of rules and guidelines, empowers an organization to find out where it’s vulnerable to cyber threats, enforce data privacy standards, and react quickly and effectively to breach incidents. Typically, the policy has sections that:
- Define the goals and scope of the policy so stakeholders know its purpose and what it covers
- Detail organizational roles and their specific security-related responsibilities
- Classify data according to its sensitivity and tell how the data must be handled
- Specify who can access particular kinds of data in the cloud and establish protocols for authentication and authorization
- Stipulate data encryption standards for data at rest and in transit
- Describe identity and access management processes, including the use of multifactor authentication and the principle of least privilege
- Outline incident response and reporting procedures, including detection, response, recovery and notification
- Address compliance and auditing by defining compliance requirements aligned with pertinent laws, regulations and other standards and by setting out audit processes to ensure compliance and point to areas needing improvement
Neither a cloud migration security nor an established cloud security policy is set in stone for all time once it’s been approved and put in place. Cloud security policy management is a continuous process to ensure the policy stays as effective, relevant, and enforceable as it was on day one. That means:
- Establishing essential security performance indicators (for example, detected intrusion attempts, security incident volume, incident severity levels, incident response and resolution times, and total false positives and negatives)
- Planning for future audits
- Requiring regular testing of cloud security applications with procedures such as penetration tests and breach-attack simulations
Involving the workforce will keep your cloud and cloud migration security policies vital and nimble. Train stakeholders about the policy and its updates to clarify what you expect them to do to preserve security and compliance. Creating an enterprise-wide feedback mechanism on the policy’s effectiveness can adapt it to evolving practical needs and reveal where it could stand to improve.
8. Stay Agile, Innovative and Secure
Agility in cloud computing is all about being able to rapidly scale resources up or down. It also gives you the flexibility to adjust to dynamic workloads and react promptly and effectively to market demands. That agility requires robust cloud security measures, such as encryption, identity and access management, and network security.
It may also be that what businesses do to become agile in the cloud — i.e., building and maintaining a cloud network that enables efficient and productive business operations — should stay separate from what they do to build and maintain an effective cloud security infrastructure.
An integrated technology solution can securely link employees to applications within private or public clouds without compromising performance or user experience.
A big challenge in reconciling agility and security involves the three main data sources that workers primarily access – SaaS solutions, private applications, and the internet. These are highly vulnerable to breaches linked to cloud data storage that have been allowed by faulty permissions.
That, in turn, largely happens because of human error, which is a direct consequence of the complexity involved in securing cloud systems. Third-party solutions can counter this complexity with a more efficient security infrastructure that addresses security and compliance needs while maintaining open cloud data interaction.
Final Thoughts: Cloud and Cloud Migration Security Must Be Dynamic
With organizations storing and accessing data more often in the cloud and less often on-premises, it’s past time for businesses to adopt a mindset and processes that emphasize data security and risk management in the cloud.
Even as long ago as 2021, O’Reilly’s Cloud Adoption report found that about two-thirds of respondents operated in a public cloud, and 45 percent used a private cloud, while 55 percent still relied to some extent upon on-premises systems. A RightScale survey that year revealed that 94 percent of organizations employing more than 1,000 people had a lot of their workload in the cloud.
Cloud operational capabilities are dynamic in that they constantly evolve as technologies become more sophisticated and operations adapt to changing productivity and performance needs.
The same is true for cloud and cloud migration security, where the growing volume and more highly developed nature of cybercrime are making organizations aware that they must be quick to adapt and change their data protection strategies and infrastructures, if need be, to prevent data theft or — when necessary — respond rapidly and aggressively when their defenses have been breached.