Organizations have traditionally kept all their IT infrastructure on-premises and had physical access to the data centers with the ability to control and maintain all the necessary hardware equipment. Today, most organizations have migrated to the cloud to some degree, relinquishing control of the hardware and software components they use to a third-party cloud provider such as Microsoft (Azure), Amazon (AWS), Oracle (OCI), Google (GCP) or even low-code FaaS (Function as a Service) and serverless cloud providers such as Netlify, Vercel etc. The range of choices is enormous, and to meet different business requirements, organizations often end up building a multi-cloud strategy to support their business operations.
A cloud migration can be defined as moving some or all of an organization’s data center capabilities from on-premises to a cloud or multi-cloud environment. Data and applications, along with the underlying infrastructure, are no longer managed on the company's premises but transferred to the cloud for easier maintenance and cheaper costs. Most organizations decide to move their infrastructure to the cloud to increase the performance of their environment and strengthen security defenses while being able to scale as they wish.
Planning a Cloud Migration
An intense effort and a long period of preparation are needed before the actual migration process can begin. It is paramount for any organization to establish a cloud migration strategy before any steps are taken to start the process. Many organizations tend to start the migration before establishing clear guidelines and a plan. Since each application has different requirements, the approach for migration will differ for each workload. It is key to have a solid business case and strategy for each application or data set before any migration efforts are taken to ensure adequate security measures are maintained throughout the process.
A key prerequisite is a strategic plan for migrating all application workloads with prioritization assigned for each, with a pilot and a testing version developed to be able to adjust the strategy based on the initial results. A successful strategy will have a written migration strategy document to guide the process and navigate the workloads of each team involved in the migration. The end goal is a transition of all workloads without impacting the availability or operations of any system while maintaining the security of the entire organization. The key factor is to have security in mind during the planning instead of having security of the cloud infrastructure be an afterthought.
Prerequisites for a Safe Cloud Migration
Determine Migration Roles
Before beginning the process, establish the leading roles and teams, and assign responsibilities to each member. This way, all necessary factors will be considered, from data migration and architecture plans to cloud requirements and priority assignments for each workload. Ensure that the most skilled staff are assigned to the project, as many decisions will need to be made during the migration process, with technical plans made for the best possible outcome. By clearly defining roles, organizations minimize the risk of missing any key security measures that need to be put in place.
Pick a Cloud Provider and Level of Migration
Organizations might decide to migrate their workloads to more than one cloud provider. In that case, ensure that the reasons for picking multiple cloud providers are justified. Once a cloud provider is determined, determine the level of migration. A level of cloud migration is determined by the number of changes that are made to the infrastructure that will host your workloads. With a deeper level of changes, organizations will be able to maximize the cloud capabilities of the new environment. Additionally, after picking a cloud vendor, review all the security products that are available as part of the cloud service.
Establish SLA, KPIs and Performance Baselines
Establishing Key Performance Indicators or KPIs is highly recommended to monitor and have insight into the cloud migration process. KPIs will also reveal any underlying problems during the migration and will indicate what stage of the migration the organization has reached.
It is also recommended to establish baselines that compare the past performance of workloads with their future performance in the cloud. Baselines can reveal any issues in performance and should be created for each KPI measure that is tracked.
Develop a Cloud Security Architecture Blueprint
Migrating to the cloud environment can be daunting for many organizations, especially when organizations have had their workloads on-premises in an onsite data center. The simple fact that the workloads will now be “somewhere” in the cloud where you don’t have any physical controls can be a scary scenario.
With that said, moving to the cloud can be a safe journey if the right process is followed. In fact, building your security footprint in the cloud can result in higher maturity if the right architecture and controls are established, and that starts with first understanding your current on-premises security architecture and translating that architecture into the cloud.
The same driving security principles apply, and multi-tiered security architecture controls are implemented: perimeter security controls, DMZ network segments and internal network zones all need to be configured and isolated through NGFW. Web and API services need to be protected with WAF and API gateways, with resiliency provided through GSLB, CDN and LB services, and so on.
The only difference when designing a cloud security architecture is that the technical controls differ in nature: you can opt for cloud-native security controls or use third-party solutions that are available through the marketplace.
One of the first things an organization should establish is a Cloud Security Blueprint. This blueprint document should cover all the different security controls in the cloud; the reference design patterns that need to be established covering north-south and east-west traffic flows across the service, control, and management plane.
Perform Refactoring of Applications and Workloads
All cloud providers offer features that increase scalability, performance, and availability. From dynamic scaling and resource allocation to service-oriented architecture, refactor your applications so that all the benefits of the cloud can be utilized to the maximum.
Create a Data Migration Plan
Insufficient data migration planning can result in a failed cloud migration and, even worse, a security breach that can cost the company a large sum of money and reputational loss. It is highly recommended to pay special attention to data migration plans and organize them appropriately. Keep in mind that the locations of your data and of your data access mechanisms are very important. If the data and access mechanisms are in separate locations (cloud and on-premises), the performance of your applications can suffer. If unsure of the best way to proceed, it might be best to use the data-migration services that are offered by all major cloud providers, where security is treated as an integral part of the data migration process.
Building the Cloud Security Architecture
Implementing the base cloud security architecture from the blueprint is an essential task that should be completed before any actual migration. This phase will ensure the documented cloud security blueprint and technical controls are implemented which will mitigate any misconfigurations that may arise during the migration.
The most common misconfiguration we find is the exposure of workloads on the public internet without any perimeter controls. Key reference controls need to cover the following domains.
- Perimeter Security Controls
- Network Segmentation and Secure Internet Access
- Workload Security – Detection and Response (EDR)
- Hardening Blueprint, Golden Images and Guardrails
- Remote Access Security Controls
- Identity and Privileged Account Governance and Zero Trust Identity
- Cryptographic and Key Management
- Data Security and Data Loss Prevention (DLP)
- Cloud Security Real-Time Monitoring
- Cloud Automation and Security – DevSecOps
Plan the Migration of the Production Workloads
At some point during the migration, production systems need to be switched from on-premises to cloud. The timing of the switch will mostly depend on the complexity of the systems and their architecture. Nonetheless, the production applications or services can be migrated all at once or one at a time. Both approaches have their benefits and potential risks.
Review Plans for Resource Allocation
Organizations need to keep in mind that migrating applications to the cloud will not, by itself, bring all the benefits a cloud infrastructure can provide. It is vital to review applications and have a plan in place to distribute resources to applications accordingly, in order to take full advantage of the dynamic resource allocation and scalability features of the cloud.
Extensive planning and resources go into a successful cloud migration. Having/recruiting skilled staff is the first prerequisite in the process. Creating high-level plans for cloud migration will help guide the involved teams and provide structure and security to the migration process. Refactoring applications and services, establishing KPIs and baselines, and determining levels of cloud migration are all necessary steps to ensure safe and effective migration. Lastly, having a data migration plan including a plan for migrating the production workloads will increase the chances of having a secure and functioning cloud environment.