Consider how many times a day you check your mobile phone, smartwatch, smart TV, and/or other connected devices. How normal does it seem to be reaching out to an external source, not actually sure where this information is stored, or even coming from, but that it’s there, accessible and ready to be taken in? Organizations wishing to migrate to a third-party cloud solution (‘the cloud’) need to understand this point well. When migrating, where is this data being stored, and do the benefits outweigh the risks? There are definitely benefits, increased availability and decreased hardware costs, just as a few examples, but there’s still the maintenance, validation, configuration, and more. We can’t just ‘migrate to the cloud’ for 'cost reduction reasons' that aren’t clearly identified and validated. When migrating to the cloud, it’s a journey that needs to be assessed and carefully considered:
- Why are you moving to the cloud? It seems almost foolish to ask this simple question, but have you considered the benefits and challenges honestly? Consider such things as the skillsets of your in-house or outsourced maintenance and operations teams. Are they equipped to transition to different workflows, and do they understand the new challenges and possible risks associated with cloud environments? Do you need to provide any upskilling?
- Once you know why you’re migrating, identify which data is suitable to be hosted externally. Remember that the cloud isn’t on-premises, so once this data is transferred over, you have lost control of it. Because there is no simple ‘take it offline’ button, data classification is vital to effective cloud solutions; once it’s live, it’s online.
- Where do responsibilities lie? Once data has moved to the cloud, who will be the data owner, and are they confident in their abilities to maintain said data? Which systems owners will now need to transition to cloud environments, and are they prepared and ready?
Now that we understand why we’re moving, the makeup of the migration team, and what data is being moved, we can begin to research the cloud providers. This will combine the considerations discussed in the points above with the variety of services offered by vendors. After you have chosen your vendor and reviewed the contractual agreements, roles and responsibilities of both parties, it’s time to understand your security and configuration specifics. There are many resources out there, and a simple online search will reveal a variety of products, services, and resources. Instead of telling you what products to use, which frameworks to follow, or who to hire to implement your plan, (These all need to be discussed, but they vary for specific situations.) I’m going to discuss the considerations and speaking points that all affect all parties from the executives to the operations teams.
- Roles and Responsibilities. Fully understand the roles and responsibilities not just of the purchased vendors but also the data owners, system owners, and security operations teams. When putting data in the cloud, your organization does not hand off the responsibility for this data. Essentially, migration adds a data processor within the chain, but the handling remains within the organization’s area of responsibility. An explicit identification of what this entails for the organization is needed, so don’t forget to update your risk register accordingly.
- Incident response. Remember the Target breach of 2013? The operations teams did identify and escalate alerts, but no one took these forward so the process failed. Your team needs to consider the ‘worst case’ scenarios, identify who is responsible for what, who will make up the incident response team and what roles they will play.
- Retention. Historically data storage was pricey, but nowadays this is less of a concern. It’s now simple and relatively inexpensive to collect data, but failing to establish appropriate measures of review, validation and removal leads to expensive audits. Instead of developing a sense of ease with data storage, organizations have become a bit unkempt with their data storage practices. Embedding a policy and procedure from the beginning can allow for a massive reduction in headaches later on - especially for GDPR compliance.
- Disaster recovery and backups. It may seem a little strange to discuss the backup of data whilst it is being held within a high availability environment. However, when disaster strikes, how the data is backed-up is critical. For instance, if hit with ransomware, is it readily available to recover? Consider the NotPetya ransomware that hit Maersk, knocking out all data centers except an offline one in Ghana. If there’s a disruption, whether a DDoS against the cloud provider or a small, localized internet outage, will your organization be able to continue to work whilst offline, or do you require constant access to the data? It could be that having a hybrid approach, where data replicated across both on-premises and in the cloud works better due to the potential cost of an outage.
Cloud services are popular not because of the catchy term but because they empower organizations to collect, store and process data effectively with high availability. The currently existing services can cover a massive variety of situations, and they often prove more effective than attempting to re-design in-house. Cloud environments are great resources, but they must be handled properly. Migration to the cloud, like any other migration program, must be carefully examined to identify the motivations for the move, the appropriate data or services to be transitioned, and team members' clear responsibilities. Without careful consideration, you could end up highly available reputational damage instead of easier storage and/or processing.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
