Three Cloud Migration Assumptions Which Put Organizations at Risk

BY Dana Iskoldski

Many organizations get so caught up in the promise of cloud that they overlook the challenges associated with migrating to a new environment and keeping it secure.

This was an issue surfaced at last month’s People in Cybersecurity conference by Ajay Sood of Symantec, Arani Adhikari of KPMG, Marcos Santiago of TD Canada, and BlueCat's own Andrew Wertkin.

Together, they broke down the most common cloud migration mistakes they see in the industry.

Falsehood #1: My Cloud Service Provider Will Keep Me Secure

Adhikari, who consults on cybersecurity-related projects for KPMG, told us that customers need to understand “cybersecurity as a joint responsibility for both the CSP and Cloud Service Subscriber (CSS).” Those who assume a Cloud Service Provider (CSP) will comprehensively guard their network as part of their service package – and relax alertness as a result – risk exposure to avoidable cyber incidents.

Examples of such incidents are easy to find. Some were simply caused by unsecured Amazon S3 buckets (these are like file folders, but in the cloud). The result was exposed voter and customer data at companies like FedEx, Booz Allen Hamilton, and more.

“When an Amazon S3 bucket with sensitive information is exposed, it is not due to any issue on Amazon's front," Adhikari explains. "It is due to the misconfiguration of settings that lead to the buckets being public–this is the subscriber organization's responsibility.”

While Amazon has taken steps to help clients better manage settings on their own end, Adhikari maintains the client “is still responsible for hardening the operating system they host, making sure that the hosted applications are securely deployed, conducting vulnerability assessments on them, etc.”

Falsehood #2: Cloud Is An Extension of My Network

During the panel, Wertkin cautioned that cloud is a completely different landscape from traditional network architectures. It needs to be treated that way, too. “You're not in your firewall anymore," he said. "There's not a boundary. We're removing the border between internet and intranet in many, many cases.”

Consider this: queries which come in from the cloud typically get privileged access to the network. Only, there's no rigorous pre-check for them. The moment those queries enter the corporate network, they're left to act unchecked. This is because enterprises often build their networks in an ad hoc, decentralized way. That inhibits visibility and control over internal queries in any at-scale, meaningful way.

To build a backdoor between internet and intranet requires a more ready, you need resilient network architecture for cybersecurity (see: Enterprise DNS for cloud). It just isn’t cautious to treat cloud like a simple additional server on the network.

Falsehood #3: Cloud is Cheaper

Ajay Sood noted that cloud is “a never-ending journey.” While cloud computing doesn’t come with the same expense spikes that traditional IT infrastructure demands every few years, it isn’t free of cost guesswork and risk.

“Looking at the applications we have now, can we predict where they will be in five or ten years? Every time you need a new application, or any time there’s a new piece of technology, or a new protocol, or a new way of interfacing with your customers or your workers, you’re going to have to adopt that in the cloud. What people don’t often recognize is that the dynamic nature of cloud applications means increased complexity, and it’s also getting more expensive.”

This expanded cost consideration also applies to cybersecurity in the cloud. It isn’t just a CSP’s responsibility. Cloud security isn't same as on-prem security.  Securing that sprawling compute in the cloud requires additional budget.

Moving to cloud isn’t a prerogative, it’s a responsibility. Cybersecurity incidents can happen when network infrastructure becomes disjointed, responsibility for security is fragmented, and long-term funding is absent. Before your cloud migration, triple-check those factors to ensure they can support your cloud initiative through its lifetime.

Learn more about getting your DNS ready for the cloud here.