By Brian Wilson, Director of Information Technology, BitTitan
As more enterprises begin migrating to the cloud, the question of cybersecurity is increasingly urgent. While cloud migration offers many benefits, it’s key to understand your company’s overall goals. Security and data protection can be maintained and even enhanced by a move to the cloud, but the appropriate processes and procedures must be understood and implemented for safeguards to be effective.
Set Appropriate Goals
Problems arise if you fail to understand or adequately set your company’s cloud-migration goals. The cloud is a big amorphous term. Companies can get stuck when they find themselves in a “boiling the ocean” scenario. Migration projects must be broken down into deliverable actions with a realistic timeline.
It’s sometimes easy to assume the cloud is the panacea, especially with the cloud’s cost-cutting benefits. Cost is certainly a motivating factor, but the cloud is not a cost-cutting solution for every situation in every business. For example, an inappropriately-sized cloud environment that’s larger than a company requires will escalate costs.
It’s crucial to understand what an organization will gain in terms of flexibility, security and compliance. Most operating systems will work in the cloud, offering flexibility on the software and workloads they deploy. In addition, many cloud companies make significant investments in security, which are much bigger than what an individual company’s IT department could make.
Take a Holistic View
Fundamentally, the overall migration process remains the same, whether you’re moving from on-premises-to-cloud or cloud-to-cloud. Though in an on-prem environment, most companies are working with known systems and tool sets for security, network monitoring or mobile device management. Those existing tools might not translate to the cloud, even if fundamentally, your processes haven’t changed. It’s important to plan for having the right set of security processes and tools during a migration that presents a hybrid infrastructure, either temporarily during the migration, or as part of the ongoing architecture.
Given this, it’s vital to take a holistic view and evaluate the total environment so you can plan how to manage, monitor and secure operations within the cloud. Also, it’s important to understand that migration often brings new security responsibilities to managed service providers (MSPs) and their clients. These might include new application scanning tools, intrusion detection systems with event logging, internal firewalls for individual applications and database or data-at-rest encryption.
Though the underlying platform is the cloud provider’s provenance, it’s up to enterprises to decide how the platform will be used, what data will reside there, who will have access to it and how it will be protected. By thinking holistically about these things, you’ll be more successful in achieving the appropriate level of cybersecurity protection.
The quest to guard against cyberthreats is never-ending. The cloud and all things associated with it are always evolving, and it’s a constant battle to stay one step ahead of the bad actors.
Therefore, companies must understand their risk profile and the level of protection they need. For example, businesses that handle personal data such as names, phone numbers, social security or credit card numbers, or medical info will likely have higher risk profiles than those who do not.
Sensitive data must be safeguarded, while appropriate employee education and procedures must be in place. The key to understanding your risk profile is to identify possible threats, and with that in mind, consider where you might be most vulnerable — both internally and externally. Use that information to drive conversations about the level of risk tolerance that is acceptable for your organization. In turn, this will define the level of investment required to minimize or mitigate any existing gaps in your risk profile.
Remember: regardless of whether data lives on-prem or in the cloud, the number-one security threat is still human error when it comes to data breaches caused by phishing attempts or ransomware. Companies should educate employees on appropriate procedures, while also leveraging their provider’s security tips and offerings. This often involves communicating risks, making security a responsibility for all staff and providing people with routine training.
Not All Data is Equal
Finally, companies should understand how to differentiate and classify sensitive and non-sensitive data. Companies can come to rely on their MSP’s abilities to automate data storage and security.
For larger corporations that may be running an Azure environment, for example, there’s greater willingness to rely on their MSPs to automate various provisioning activities. If an organization wants more control in those areas, they must be aware of their responsibility to turn those features off.
Additionally, regarding governance, companies get far greater leverage through automation methods that can facilitate application deployment, perform routine maintenance tasks to provide a level of uniformity that follows best practices and simplify compliance accreditation.
As a company considers a cloud migration, the simple edict is to understand from where you’re starting and where you ultimately hope to land — all before beginning a migration project. A clear vision of what your company wants to accomplish will ultimately determine your success. It’s a new environment that requires support from everyone involved.
Brian Wilson is the Director of Information Technology at BitTitan, where he specializes in the areas of IT strategy, roadmaps, enterprise systems and cloud/SaaS technologies. Prior to joining BitTitan, Brian worked as an executive with San Jose-based IT services company Quantum and in various IT consultant roles with Cascade Technology Consulting, PricewaterhouseCoopers and the Application Group. Brian has over 25 years of experience as a senior IT executive, with an industry background that spans high technology, consulting, commercial real estate and manufacturing.