1) The document discusses key considerations for developing a secure cloud migration strategy, including strategic alignment, security management and governance, access management, data classification and management, encryption, monitoring and reporting, and identity and access management.
2) It identifies 10 key security architecture considerations for cloud migration: division of responsibility, multi-tenancy, data classification and management, encryption and key management, monitoring and reporting, access management, business continuity, risk assessment, change management, and security as a service.
3) The document emphasizes that access management is one of the most critical security areas for cloud, and identity and access management as a service and cloud access security brokers are growing trends to help govern cloud services.
Migrating to Cloud? 5 motivations and 10 key security architecture considerations you should consider.
Migrating to Cloud?
Know if you are ready: 5 motivations and
10 key security architecture considerations
towards your cloud migration strategy
Content
Abstract
Strategic Alignment
Security Management and Governance
Managed Business Continuity and Disaster Recovery
Access plane is the new logical perimeter
Automation
10 key security architecture considerations towards
your cloud migration strategy:
Division of Responsibility and SLAs
Multi-tenancy
Data classification and Management
Encryption and Key Management
Monitoring and Reporting
Access Management
Business Continuity and Disaster Recovery
Risk Assessment
Change Management
Security-as-a-Service
References
Migrating to cloud can be a daunting and inevitable
challenge that you may need to take on sooner rather
than later, or may already find yourself in the midst of.
Whether you are an executive, in management or a leader, and are wondering
• if your business strategy should include a cloud migration strategy or
• how to embark upon the journey of migrating to cloud with security
considerations in place, then this article will provide you with some insights
and would hopefully serve as your companion through this journey.
Monica Verma
Senior Manager
Risk Advisory Services - PwC Norway
By 2020, a Corporate “No-Cloud” Policy Will Be as Rare as a “No-Internet” Policy Is Today [1].
Gartner predicts the total cloud computing market to
reach $411 billion by 2020 i.e. to nearly double from
$219.6 billion in 2016 [2] . Forrester predicts that more
than 50% of global enterprises will rely on at least one
public cloud platform to drive digital transformation
and delight customers [3] .
The above predictions will not come across as a
surprise to you. With the ever increasing adoption
of cloud technologies, more and more organizations
are modifying their business strategy to include and
prioritize cloud migration and automation.
Traditionally, some of the most important reasons for
organizations to move to cloud have been:
1. Cost reduction
2. Scalability
3. Increased availability
As technology has advanced, the adoption of cloud
has also expanded the cyber threat horizon.
The inclusion of various heterogeneous components
adds to the complexity and intricacy of managing
information security within cloud.
The following are a few examples of components that
add heterogeneity to the cloud infrastructure:
a) Various services (SaaS, PaaS, IaaS) from
multiple vendors
b) Various networked and interconnected devices,
referred to as Internet of Things (IoTs) [4]
c) Multiple identities spread across these
heterogeneous services and devices
In this article, we will first look at the fundamental
aspects that build a sound foundation and
business case for migrating to cloud. Furthermore,
we will go deeper into some of the best practices
for an efficient cloud adoption and migration
strategy, and a secure cloud architecture design.
Before I go into details, let’s briefly look at these
important questions: “Why do we want to adopt
cloud technology? Are there any other reasons
apart from the traditional ones: cost reduction,
scalability and increased availability?
These are good, but do they provide a sufficient
business case for our organization to change
our business strategy?” With the expansion of
the threat landscape, and with more stringent
compliance, legal and regulatory (e.g. GDPR)
requirements coming into play, we see an ever
increasing number of considerations, now more
than ever, that affect the decision to adopt and
implement a cloud strategy. The following are
some key points that must be considered and can
drive a business strategy towards the cloud:
1. Strategic Alignment
As with any project initiative, one must ask whether the project strategy is in alignment with
the business strategy. What are the overall (security) objectives for migrating to cloud? Are they
aligned with the business goals and business objectives/OKRs [5]?
It is vital to establish the governing security objectives and principles for the migration. An
exercise must be conducted in order to map these to business objectives. This supports not
only the business case for the migration but also for investing into security when moving to
cloud. Management approval and support has always been a key consideration for any security
management program and this is no different for business-efficient and secure cloud migrations.
2. Security Management and Governance
With the adoption of cloud, security is a shared responsibility between the Cloud Service
Providers (CSPs) and the consumers e.g. a business organization. Additionally, cloud vendors
provide various options for security configuration for the consumers, along with a recommended
best practice baseline to begin with. This is contrary to the way sales were done historically,
where the default configuration for products or devices mostly entailed a disclaimer to have the
settings changed and configuration hardened upon the first set-up e.g. change admin-admin
combination on your router, software web shop, etc.
Most of the big cloud service providers such as Microsoft, Amazon, Google provide detailed
information on their respective shared responsibility model [6][7] .
3. Managed Business Continuity and Disaster Recovery
Although 100% availability cannot be guaranteed, business continuity and operational uptime
are critical to every business. Disaster recovery plays a key role in business continuity. Additionally,
with the ever increasing threat of ransomware [8], business as usual can come to
a complete halt without proper disaster recovery plans in place. Not only are there financial
risks associated with downtime, but there are added reputational risks and operational costs
involved. Although the underlying concept and process for designing Business Continuity Plans
(BCPs) and Disaster Recovery Plans (DRPs) remain fundamentally the same (e.g. a risk-based
and business-criticality-based approach to defining Recovery Point Objectives [9] and Recovery
Time Objectives [10]), cloud technology can provide better and more scalable management of
the business critical assets and operations. The disaster recovery delivery model by the CSPs can
vary from a pilot-light recovery site to hot-standby infrastructures. Additionally, with the adoption of
cloud, cost effectiveness is another major advantage for business continuity, since the Total Cost
of Ownership (TCO) is reduced.
4. Access plane is the new logical perimeter
We have seen evolution in network security
products for over a decade. However, today, we see
that the meaning of the term perimeter has become
more fluid. Access is the new logical perimeter
and forms a key concept with regard to defining
and defending the perimeter today, particularly in a
cloud infrastructure due to concepts such as shared
data-usage or multi-tenancy.
At the same time, we have seen a multitude of data
breaches over the last decade [11], e.g. Ashley
Madison, Yahoo, Verizon, Equifax, to name a few.
This is of particular importance when the data
extracted is sensitive personal data and can be used
to steal or impersonate identity. With studies
showing that corporate breaches increase the
probability of identity theft [12], the management
of identity becomes more vital.
Today, we see that identity is a critical component,
and insufficient authentication or misconfigured
access management is one of the key factors for
losing consumer trust [13]. Additionally, due to
technological advancements such as Bring Your
Own Device (BYOD) [14], Internet of Things
[4], Blockchain [15], etc. and adoption of
cloud, identity not only needs to be managed
cross-functionally within an organization but
also cross-platform, cross-technology and
cross-infrastructure.
The good news is, although there are many
IAM tools out there, we are seeing a shift in the
adoption of IAM as a Service (IDaaS).
By 2020, 40% of identity and access management
(IAM) purchases will use the IDaaS delivery model
- up from less than 20% in 2016 [16].
5. Automation
To err is human. Humans have been one of
the weakest links of the cyber security chain.
Although automation is relevant for on-premise
architectures as well, cloud
technology requires and demands deployment
and changes within the infrastructure and
production cycle to be more rapid, agile and
granular, making automation all the more
critical. There is also the added factor of
DevOps. DevOps teams are constantly
looking into more agile development models
whilst ensuring security, accuracy and shorter
development cycles [17]. DevOps teams are
increasingly adopting cloud services for the
above reasons. Whether for DevOps, infrastructure
or architectural changes, automation ensures
that concept, functionality and changes are
deployed without affecting speed, accuracy
and security.
10 key security architecture
considerations towards your
cloud migration strategy
So far we have looked into some important factors that provide the motivation and business case for adopting
cloud technology. Let’s say we now understand the fundamentals, and have a business case in place, for
our organization and the business to benefit from going to cloud. Based on the factors discussed above,
your organization and decision makers need to ask, “We have a business case but are we ready to migrate
into public cloud, whether partially or completely? What are the vital steps of the migration strategy?”
We will now build upon the above key deciding factors and look into the top 10 key areas for designing
a security architecture for cloud migration. Below are key considerations and some of the security best
practices towards your cloud migration strategy, to help you design a secure architecture for your
cloud environment:
1. Division of Responsibility and SLAs
What is your responsibility and what is the
provider’s? What are the responsibilities that your
cloud service provider offers to manage for you?
This pertains not only to the division in terms of
managing the ISO/OSI layers but also, and more
importantly, in terms of security and privacy
responsibilities at various layers. It is vital that there is a
clear understanding of the division of responsibilities
and the cloud service provider security model.
Additionally, it is important to understand and
document what Service Level Agreements (SLAs)
would exist with the cloud service providers in case
of a cyberattack affecting availability, integrity and
confidentiality (loss of data). This is also particularly
relevant in case of managed security services such as
incident handling, vulnerability management, threat
and risk monitoring, etc. It is vital that there are
proper contractual clauses in place for the SLAs and
the cloud service provider’s management of risks.
All major cloud service providers such as Microsoft,
Amazon and Google provide detailed information on
their shared responsibilities and security models [6][7].
2. Multi-tenancy
What risks does multi-tenancy pose for your
organization and how would it affect your cloud
architecture? Multi-tenancy can exist in any cloud
service model. A SaaS, a PaaS or equivalently
an IaaS service could be shared between multiple
tenants. Multi-tenancy, although a key cost
benefactor, introduces various security issues such
as inadequate logical segregation between various
tenants, data leakage, insufficient data separation,
single point of failure of services for all tenants, etc.
Different CSPs might be multi-tenant at different
layers [18], e.g. one CSP might be multi-tenant at the
hardware level and share a virtual machine with its
subscribers and another might be multi-tenant at the
database level and share a database between its
subscribers. Hence, it is vital to understand, before
you go to cloud, how your service provider
handles multi-tenancy [19][20][21].
3. Data classification and Management
Data management is another key deciding factor for
the migration strategy you adopt. What kind of data
will be handled and processed in the cloud? Has the
data already been classified, e.g. Sensitive PII, PII,
confidential, etc.? Where will it be stored
(geo-location of the servers)? How is the data flowing? How
is it handled both when stored and when in transit?
Where is your DC actually located? You need to think
about data management in terms of critical business
processes, security, compliance, performance/
latency, repercussions in case of data loss, and other
risks involved, e.g. how would you ensure privacy
of customer data, and compliance with legal and
regulatory requirements? Is there a data lifecycle
management process within the organization? Will
there be a Data Loss Prevention (DLP) solution in your
cloud infrastructure? With new and more stringent
regulations such as GDPR and the recent Cambridge
Analytica (CA) scandal [22], transparency on data
processing policies and data management lifecycle
is all the more critical to business and operations. A
transparent understanding of, and processes in place
for, data flow, data handling and seamless data
integration in cloud can go a long way to prevent
reputational loss or, in case of a data leak, severe
financial penalties.
4. Encryption and Key Management
There are various reasons why encryption and key
management might play an important role in your
cloud strategy, such as key vaults for managing secrets
and keys, encryption of specific data, encryption of
entire virtual machines, etc. Furthermore, you must
consider where and how the keys will be stored. How
will they be managed?
Data segregation, and secure storage and management
of data, is critical to a public cloud environment,
especially due to multi-tenancy and particularly for the
organizations where a data breach is not only one of the
biggest operational risks, but could also significantly
damage the reputation and customer trust. The majority
of the multi-tenant cloud applications provide data
encryption and key management features for their
customers; however, for other IaaS and PaaS services
the overall data governance, data security
and key management should be owned by the tenant,
particularly where data loss is a great reputational
risk. The organization must look into classifying data
that is stored in the cloud in any form of IaaS, PaaS
or SaaS model, and based upon the confidentiality
and sensitivity level establish the requirements for
encryption. Another reason for encryption of data
might be legal and regulatory requirements in the
geographic location where the data is stored or
processed. Additionally, key management is vital
to provide data security. A lock doesn’t help protect
the asset if the key is left in the lock or if there are
multiple copies of the key lying around without proper
management of the ownership, access and permission.
5. Monitoring and Reporting
Logging, auditing and monitoring capabilities are as
critical in cloud as on-premise. There are various
third party solutions that provide managed monitoring
and incident response services. The key deciding factors
in assessing and engaging such services for your cloud
environment are automation, auditing and reporting
capabilities, timeliness and accuracy. There are also
some challenges [23] that monitoring within the cloud
environment entails. One is visibility at various levels
across the cloud infrastructure. Similar to a layered
approach for security defense, there is a need for a
layered approach towards monitoring including IoT,
network layer, physical servers, virtual OS layer, identity
layer, access layer, etc. Another challenge is dynamicity
and virtualization of resources within cloud. One
must understand how monitoring (SIEM) solutions
handle such technical challenges when a
machine is spun down and back up at any instant.
There are various models for third-party (managed)
monitoring services. For example, you could choose
an on-premise MSSP that takes into account and
analyzes cloud SIEM reports, or you might prefer a fully
cloud-based SOC or, as yet another option, you might
choose to go with a hybrid version.
These are the considerations one needs to make. There
are various providers that offer different versions of
integration and MSS [24] as their delivery models. It is
important to understand which MSS model suits your
organizational and business needs the best.
6. Access Management
Identity and Access Management (IAM) has been gaining more and more attention in recent years.
Access is the new logical perimeter and identity a critical and valuable asset. Amongst all the security
architecture considerations, in my opinion, IAM is one of the most critical security areas and can be
complicated to implement correctly and securely. With cloud technology, we don’t only need to manage
identities, accounts and accesses but also:
1. manage the context and the logical relationships between them and
2. manage these across various platforms, infrastructure, third party integrations within the cloud
environment.
IAM as a Service (IDaaS) [25] and Cloud Access Security Broker (CASB) [26] are the latest
trends. By 2020, use of the IDaaS delivery model is predicted to increase from less than 20% up to 40% [16].
Additionally, 60% of large enterprises will use a CASB to govern cloud services by 2020, up from less than
10% in 2017 [27].
While IDaaS is a cloud service that provides management of identity and access including IAM
governance and monitoring, CASBs serve as an access broker between the cloud service provider and its
consumers, and provide more than just IAM and identity governance. A CASB’s capabilities are spread
across four pillars: Visibility, Compliance, Data Security and Threat Management [27]. Different IDaaS and
CASB solutions from different vendors provide different capabilities.
As far as IAM is concerned, one should assess the vendors and design an architecture reference model,
in terms of capabilities such as:
1. JML (Joiners, Movers, Leavers) cycle and access request management
- this is very basic and any average to good IAM tool should provide this
2. Access recertification and role-engineering
3. Identity governance, monitoring and auditing
4. Identity-based, conditional-based and behavior-based login and alerts
5. Approval workflows
6. Identity Analytics - analysis and discovery of access violations in order
to help reduce risk
7. Privileged Access Management
8. Identity and context awareness across your cloud environment, etc.
While IDaaS could be a lightweight and homogenous solution for your IAM, CASBs can
provide a one-stop-shop for more security capabilities and give you your money’s worth in a broader sense.
However, this trend could very well change.
7. Business Continuity and Disaster Recovery
What does your Business Continuity Plan (BCP)
and Disaster Recovery (DR) strategy look like?
What do you do in case the recovery sites also get
affected due to being located in same region or just
because multiple regions of the CSP get affected
by a cyberattack? Redundancy is still the key here.
One approach is to have separate providers, one
for BAU and a separate one for BC and DR sites.
Another option could be to still use a variant of a
hybrid model and use on-premise infrastructure in
case of a complete cloud service failure. The biggest
disadvantage of the latter is latency and continuously
incurring on-premise infrastructure costs even when
you are mostly operating in cloud, defeating one
of the objectives of migrating to cloud in the first
place. Another important aspect in determining the
cloud based DR strategy is the legal and regulatory
requirements of the DR region and geographic
location.
8. Risk Assessment
Management of and investment in information security almost always boils down to managing business risks
within the organization. One critical question that a CISO or CTO should ask is, “how can I manage information
and IT risks to help the management achieve their business goals while keeping the risks below the acceptable
level”. Similarly, one question that the CEO, the management or the board should be invested in is, “how can we
ensure that information and IT risks do not affect the overall business risk profile negatively, understand where
the enterprise risks could be business opportunities and ensure that the overall risks are kept below an acceptable
level”. The following are the key components of an efficient cloud migration risk management strategy. Please
note, the below aren’t components of risk management within cloud itself. However, they encapsulate the risk
management framework prior to or while migrating to cloud.
a) Management Support
Do you have the business case for migrating to
cloud? We discussed this briefly in Part 1 of this
blog series. There should ideally be a business case
that is approved by the management before you
start with the migration project and implementation.
Similar to security projects in general,
management buy-in is the most important and
critical factor for success of a cloud migration
project and development of an efficient strategy.
It is vital that objectives of the cloud migration
project are aligned with the business goals. There
must be a business and project risk management
workshop prior to kicking off the migration project,
to ensure the migration strategy and plan are
aligned with the business requirements.
b) Procurement and Vendor lock-in
Procurement can be a hassle, particularly with
respect to time and compliance. Hence, it is a
smart idea to have the procurement team on board,
and have the potential vendors fill out necessary
information relevant for the cloud migration that
is validated and approved by the procurement and
the legal department. This assessment, among
other things, should include verification towards:
1. Know your provider
2. Pricing and business objectives
3. Data governance and handling procedures
4. Standards and certifications adherence
5. SLAs, service terms and delivery
6. Security incident handling procedures
7. Reliability and disaster recovery
8. Support for migration to another CSP and
exit planning to prevent vendor lock-in
c) Business Disruptions during Migration
In order to ensure a smooth migration to cloud,
it is important that migration risks and business
disruption risks are assessed and prepared for. It is
important to manage and reduce risks due to changes
to the production infrastructure and ensure minimal
disruption to the business. The strategy used for
migration depends a lot on what kind of migration is
being done, e.g. lift and shift, duplicating instances
in the cloud, hybrid infrastructure, or adding new
services to cloud, etc. In case of heavy migrations
there might be a need for disaster recovery in place to
spin up critical business services in case of a failure.
In other cases, it might be necessary to make sure
these migrations are done during a non-operational
window and so on.
d) Application and Data Risk Assessment
In order to design a secure architecture with the right
controls in place for the business applications and
data that are to be moved to the cloud, it is necessary
that a risk assessment is done for each business critical
application or any application that processes sensitive
PII or business critical data. Additionally, it is
important to do a risk assessment on how the data will
be handled and processed by the third party service
providers in the cloud. The security baseline for these
applications in the cloud should be at least as secure
as on premise and for the better part of it, hopefully
more securely configured. Other forms of security
assessments, reviews, pentesting, etc. could be part
of this phase. Business impact, security assessment
and risk assessment at this stage can also provide you
the facts and details on whether you can migrate to
public cloud or would need a private or a hybrid
model. For example, some financial organizations
might require critical banking and transaction
systems to be migrated to private cloud only due
to the criticality of the system and to maintain the
confidentiality and integrity of the transactions.
9. Change Management
Change management is vital before, during and
after migration. This factor cannot be emphasized
enough. Changes within cloud environment can
happen at a much more granular level and in a much
faster cycle than on-premise. A good change
management process, consisting of what to
document, when and how to raise a Request For
Change (RFC), the role and responsibility of the
change management team, among other factors, is
extremely vital for good governance and security
within cloud. Additionally, it brings issues into
view at an earlier stage, making the transition
and adoption of cloud services a much smoother
experience for the organization.
10. Security-as-a-Service
Having invested a lot in security within your on-premise infrastructure, a vital question to consider might
be, how do I migrate not only the applications from an on-premise infrastructure to cloud but also the
critical security tools?
There are three basic options, at least:
1. Do I run the existing security tools and do a lift-and-shift?
2. Do I procure a cloud version of the tool?
3. Do I use and deploy a Security-as-a-Service?
There are pros and cons to each. Lift-and-shift of the
existing tools might be the fastest and cheapest
option but comes at the cost of the tools not being
efficient and effective as they aren’t tailored towards
the cloud environment. An added concern is that of
shadow IT systems. One needs to ask: Whether and
how do these tools cover these systems?
In certain cases, the vendors might be able to
provide you an upgrade and cloud compatible
(SaaS) solutions for the same tool, giving you the advantage
of tool familiarity while still providing coverage
towards all kinds of systems and applications
within cloud including IoT devices and shadow IT
systems. However, this would still mean managing
and maintaining numerous security
and monitoring tools within the cloud environment
along with managing and maintaining numerous
vendor relationships for different aspects of security
services that they offer. An alternative to this might
be deploying CASB solutions that provide multiple
security services suitable for and aligned to your
business needs.
There is a third option of utilizing Security-as-a-
Service (SECaaS) originating from the
Software-as-a-Service (SaaS) model. SECaaS
providers not only deliver security tools specifically
designed for the cloud environment but also provide
configuration, maintenance and management services
towards your risk appetite. According to the Cloud
Security Alliance there are 12 categories of SECaaS
[28].
Apart from having a managed service in cloud,
SECaaS provides the added advantage that many
vendors provide multiple categories of SECaaS,
thereby reducing investment & operational costs and
vendor relationship management whilst adding
coherent and unified governance of security for
your business. The downside, as with any form of
outsourcing, is that transfer of risk does not remove
the business’ liability and accountability.
No silver bullet
There isn’t a silver bullet to the security considerations and the
approach for your cloud migration strategy; however, I hope
this article will provide you a solid foundation for defining an
efficient strategy, a secure architecture design for your cloud
environment and help you tailor it towards your business
strategy and business needs.