Mitigating the Risks and Reaping the Rewards of Enterprises Moving to the Cloud

Current macroeconomic forces are pushing leaders to increase their organizations’ use of cloud-based services and products. One-third of cloud leaders surveyed in the Q4 2022 Google Cloud Brand Pulse Survey plan to migrate from legacy enterprise software to cloud-based tools, and a third are migrating on-premise workloads to the cloud.

Simply put, there is a demand for the flexibility the cloud offers enterprises. And promises of efficiencies and reduced costs make the move off legacy networks and onto the cloud attractive for leaders watching their bottom line.

First, there are risks to both public and private sector organizations that should be considered before moving operations to the cloud. Carnegie Mellon University lists some of those risks, leading with organizations having reduced visibility and control. Another major concern is data security, according to ISACA. But there’s also the concern of identity and access management. In a study by Delinea, statistics showed that 74% of data breaches involved privileged access abuse.

The good news is that there are practical ways IT leaders can mitigate risks when moving to the cloud. These include being aware of data residing in your own and third-party estates, developing a plan for who owns which risks within an organization, and weighing security as much as cost and efficiency. Here are four places to start right now.

1. Know where your data resides across your own and third-party estates – in particular, customer data you have a duty to protect

Cloud service providers store data in remote servers. A concern all organizations share is that they may not have complete control over their data, and they look for assurance on how their data are secured and protected from unauthorized access. Things to consider are strong access controls, like multi-factor authentication, strict password policies, even biometric authentication when possible. The goal is to ensure that only authorized individuals can access consumer data.

Another security factor to consider is the encryption process used by your own organization or a third-party cloud provider. A strong encryption process will implement techniques to protect consumer data both when stored and during any transfer. Encryption ensures that even if unauthorized individuals gain access to the data, they cannot decipher it without the encryption key.

Finally, consider employee training about best security practices including proper handling and protection of consumer data. Train employees on recognizing and reporting potential security threats, such as phishing emails or suspicious activities, to prevent data breaches.

2. Develop a plan for who owns which risks within an organization and discuss a clearly established shared responsibility model for cloud security

A thorough plan for risk management is a lengthy process but should start with two key ideas: identifying the stakeholders involved in risk management and cloud security, and then performing a risk assessment. Stakeholders could include anyone involved in creating your content security policy (CSP), from the IT department to your legal team. Once identified, their roles and responsibilities should be clearly defined. A comprehensive risk assessment should also be performed to identify potential risks and vulnerabilities associated with cloud adoption.

When creating the shared responsibility model, an organization should determine which aspects of security are the organization's responsibility and which are the cloud service provider's responsibility. The model should cover areas such as infrastructure, network security, data protection, access controls, vulnerability management, and incident response.

The shared responsibility model should also include a security incident response team.

3. Consider patching and vulnerability management

Maintaining security patches and updates provided by the cloud service provider is an important step in managing vulnerabilities. Keeping patches and updates maintained means more reliance on third parties when moving to the cloud. While central handling typically reduces time unpatched, it can complicate the process. Regularly apply patches to operating systems, applications, and software used in the cloud environment. Organizations and third-party providers should implement a proactive vulnerability management program to identify and address security weaknesses promptly.

4. Weigh security as much as cost and efficiencies when deciding on the optimal cloud provider to purchase from—and have the right people in place to properly transition to the cloud

Cloud service providers can make or break a business. While most businesses witness an improvement in security maintenance when switching to a cloud provider, not every provider is created equal.

Cloud products and services change on a regular basis, and it’s not unusual for hyperscalers to issue updates daily. This can quickly become overwhelming. Finding the right IT personnel to manage this task can be daunting. Outsourcing or scaling in house can be expensive, too. In fact, choosing the wrong team is the top mistake organizations make that leads to skyrocketing costs during cloud migration, according to Gartner. Having the right people with the right skill sets and knowledge onboard from the start makes for a smoother, more efficient cloud transformation.

Strong in-house teams are important, but they also often require additional technical support. Fortunately, solutions are available to help the people in your organization analyze end-to-end IT infrastructure as they identify, migrate, and manage cloud workloads. Insights across applications, data, and network and cloud monitoring tools help you make better decisions and eliminate many of the security risks that can arise during cloud migration.

While migration to the cloud can be challenging and messy—and potentially expose an organization to security threats—a thoughtful, calculated approach to the transition can successfully mitigate the risks. Understanding where data resides, developing a plan for who owns what, managing vulnerabilities and weighing security when choosing providers will all help reduce potential threats. Ultimately, the benefits of the transformation outweigh the potential risks, especially when there’s a proper plan in place to transition.

Author

Michael Wolkowicz is a 24-year veteran in the security, network, cloud, collaboration and managed services arena. He joined BT in October 2019 to lead the Americas Cyber Security practice along with looking over Security for the TLSBS Vertical globally. After 2 years in this position, he moved on to run the Americas Region for the International Markets group. He also was named President of BT Americas in August 2021 and continues to run the region in this role.