Prepping a cloud migration? Center security questions to ease your burden
Anton Chuvakin
Security Advisor, Office of the CISO, Google Cloud
David Stone
Solutions Consultant, Office of the CISO, Google Cloud
In our Security Leaders Survival Guide, we answer tough questions about how to weave security through your digital transformation.
Financial services organizations that are planning to move to the cloud have to be ready to tackle organizational and technology challenges — and risks.
Locking down a cloud migration strategy can be made more complex when it comes to the crucial question of applications. Which applications will migrate to the cloud? Which will stay put? How do their interdependencies change after migration?
Organizations usually choose to migrate to the cloud in direct response to a business imperative, such as competition, saving costs, or eliminating technical debt. To securely drive the business strategy, your CISO is often tasked with laying the framework and processes around your organization’s migration.
Thoughtful, serious consideration of how the cloud can legitimately and positively change an organization is vital to its digital transformation success, said Rafal Los, head of services strategy at Extrahop.
“A lot more companies now pursue a thoughtful transition to the cloud, pursuing the digital transformation approach, rather than just using cloud as a colo as a few years ago,” he said on our Cloud Security Podcast.
Part of your planning efforts should include prioritizing what you need to get right from day one — and what can reasonably wait for day two, year one, and beyond. Asking three key questions up front can help you determine the best ways to set your priorities:
How should you approach financial and other applications in your migration? You can take a “6R” approach, which means considering whether to retire, retain, rehost, replatform, refactor, or rearchitect an application. You want to make sure the business knows that each of the components used has a security implication and potential long-term capex and opex costs.
Are you looking at application migration from a business risk-based perspective? Asking the business what would happen if an application migration fails is key, as is understanding data sensitivity and workload criticality.
How effectively can security resources be used? This includes determining resources and funding requests. Be transparent with key stakeholders on how issues are prioritized, so that dependencies can be identified and the business can make an informed decision around which risks are acceptable.
Anticipate outcomes for primary drivers of your cloud migration
While cloud migration is often complex, the goals that drive your organization to make the leap to cloud should be clear. Common reasons that financial services organizations cite for jumping to the cloud include exiting their data centers to migrate data and modernize applications, and integrating advanced artificial intelligence (AI) and machine learning (ML) technologies.
Exiting the data center
This happens all the time: The decision is made to move everything from the data center to the cloud. Dealing with big opex and capex expenses is usually a factor here, setting up a fast lift-and-shift approach that requires minimum viable secure product controls just to get it done.
Too often, the drive to migrate to the cloud to develop new business functionalities takes precedence over security posture. Most of the time, your security team can’t stand in the way of this. However, you need to make sure that the business understands the risks that are left unmitigated by this approach.
Not taking advantage of cloud-first defenses means that the business will bear an opex burden trying to maintain or migrate some current on-premises systems at an increased cost. While your risk profile may be acceptable or even decrease slightly, you often have to backtrack when it comes to strengthening cloud security. Ideally, you’re aware of the migration activity and can at least monitor progress.
There are three vital actions that resource-constrained security teams can take when they need to sustain their security operations and risk posture:
Communicate early and often with the business and project teams around risks and selective opportunities to improve posture as your organization moves to the cloud.
Set up a risk monitoring program with stakeholders to show which risks are decreasing and which are holding at current levels.
Create opex budgets to maintain current tools, and set up an additional budget to adopt cloud-first tooling and start migrations over time.
Even though exiting the data center is the main goal, you’re still going to end up with the same organization you had yesterday — with the same operations in the same technology stack. You’ve just deployed a modern cloud technology stack, which means it’s up to you to figure out the best way to add on new capabilities for more securely governing the cloud that’s now within your sphere of operations.
Migrate data and modernize applications
Most financial services companies choose a more systematic approach to cloud migration, one that hinges on selecting applications you want to modernize in a prioritized manner. That approach typically rolls out in three ways — think of it as a three-part priority pyramid:
The legacy applications zone includes the applications that you simply lift and shift and then segment into a kind of legacy-apps containment bucket.
Applications ready to be semi-modernized are those you might not take all the way to the cloud, but you can still make significant improvements to — just enough to leverage some cloud advantages. This is where you start to realize benefits like reduced costs, operational improvements, and security enhancements. As you deploy more secure system pipelines, you’ll not only be able to raise the security posture around your data and applications, but also establish better governance around that stack.
Priority applications ready to be cloud-first are those you’ve identified to recode and retool to become truly cloud-first. This is an integral part of your transformation journey as you move your organization from the old legacy mindset to a completely new way of doing business.
It’s also where you’ll see the biggest uplift in attack-surface reduction, along with security improvements in operations. Cost savings come with this move as well, because you’ll be paying less for these applications to run. Why? Because you’ve essentially made a digitally unique application, putting the business logic into different cloud function formats to create a modern cloud application.
Investing in prioritizing applications is where you’ll see the biggest business drivers and benefits for long-term sustainability. You can prove the return on investment through a competitive advantage and financial perspective. What’s more, security fits better into the entire cloud environment when you can demonstrate cost reductions.
At the end of the day, this approach requires a heavier up-front investment — but it also pays greater long-term dividends and supports a more future-oriented strategy.
Why communication and collaboration have never been more important
We often notice that security teams are not as connected as they should be with the cloud migration process. They’re not connected to front-end strategy and processes, to funding, or to resources. When this happens, it forces security teams to play catch-up during the entire digital transformation, which then results in greater overall risk for the business.
This is why reaching out, initiating communication, and becoming involved with the executives and stakeholders who are leading the transformation is vital to building partnerships across the organization. That includes compliance teams with whom you want to reach a consensus on third-line regulatory models.
Encouraging continuous communication and collaboration is essential. Your overarching goal is to show the value of how leadership can build consensus and make everyone successful. Your team can help reduce friction in development, produce widgets faster, and boost productivity gains.
At the end of the day, you may have to settle for security that’s just good enough for day one, year one, and beyond to achieve future goals.