SlideShare a Scribd company logo

Migrating to Cloud? 5 motivations and 10 key security architecture considerations you should consider.

Y
Yew Weisin

1) The document discusses key considerations for developing a secure cloud migration strategy, including strategic alignment, security management and governance, access management, data classification and management, encryption, monitoring and reporting, and identity and access management. 2) It identifies 10 key security architecture considerations for cloud migration: division of responsibility, multi-tenancy, data classification and management, encryption and key management, monitoring and reporting, access management, business continuity, risk assessment, change management, and security as a service. 3) The document emphasizes that access management is one of the most critical security areas for cloud, and identity and access management as a service and cloud access security brokers are growing trends to help govern cloud services.

Technology
1 of 16
Download to read offline
Migrating to Cloud? Know, if you are ready? 5 motivations and 10 key security architecture considerations towards your cloud migration strategy
Content Abstract 3 Strategic Alignment 5 Security Management and Governance 5 Managed Business Continuity and Disaster Recovery 5 Access plane is the new logical perimeter 6 Automation 7 10 key security architecture considerations towards your cloud migration strategy: Division of Responsibility and SLAs.................................8 Multi-tenancy..................................................................9 Data classification and Management...............................8 Encryption and Key Management...................................9 Monitoring and Reporting...............................................9 Access Management......................................................10 Business Continuity and Disaster Recovery...................10 Risk Assessment.............................................................11 Change Management....................................................12 Security-as-a-Service.....................................................12 References 14 2
Migrating to cloud can be a daunting and an inevitable challenge that you may need to take on sooner rather than later or may already find yourself amidst. Whether you are an executive, in management or a leader, and are wondering • if your business strategy should include a cloud migration strategy or • how to embark upon the journey of migrating to cloud with security considerations in place, then this article will provide you with some insights and would hopefully serve as your companion through this journey. Monica Verma Senior Manager Risk Advisory Services - PwC Norway 3
By 2020, a Corporate “No-Cloud” Policy Will Be as Rare as a “No-Internet” Policy Is Today [1] . Gartner predicts the total cloud computing market to reach $411 billion by 2020 i.e. to nearly double from $219.6 billion in 2016 [2] . Forrester predicts that more than 50% of global enterprises will rely on at least one public cloud platform to drive digital transformation and delight customers [3] . The above predictions will not come across as a surprise to you. With the ever increasing adoption of cloud technologies, more and more organizations are modifying their business strategy to include and prioritize cloud migration and automation. Traditionally, some of the most important reasons for organizations to move to cloud have been: 1. Cost reduction 2. Scalability 3. Increased availability 5 motivations and 10 key security architecture considerations towards your cloud migration strategy As technology has advanced, the adoption of cloud has also expanded the cyber threat horizon. The inclusion of various heterogeneous components adds to the complexity and intricacy of managing information security within cloud. The following are a few examples of components that add heterogeneity to the cloud infrastructure: a) Various services (SaaS, PaaS, IaaS) from multiple vendors b) Various networked and interconnected devices, referred to as Internet of Things (IoTs) [4] c) Multiple identities spread across these heterogeneous services and devices 4
In this article, we will first look at the fundamental aspects that build a sound foundation and business case for migrating to cloud. Furthermore, we will go deeper into some of the best practices for an efficient cloud adoption and migration strategy, and a secure cloud architecture design. Before I go into details, let’s briefly look at these important questions: ”Why do we want to adopt cloud technology? Are there any other reasons apart from the traditional: cost reduction, scalability and increased availability? These are good but do they provide sufficient business case for our organization to change our business strategy?” With the expansion of the threat landscape, and with more stringent compliance, legal and regulatory (e.g. GDPR) requirements coming into play, we see an ever increasing number of considerations, now more than ever, that affect the decision to adopt and implement a cloud strategy. The following are some key points that must be considered and can drive a business strategy towards the cloud: Strategic Alignment As with any project initiative, one must ask, whether the project strategy is in alignment with the business strategy? What are the overall (security) objectives for migrating to cloud? Are they aligned with the business goals and business objectives/OKRs [5]? It is vital to establish the governing security objectives and principles for the migration. An exercise must be conducted in order to map these to business objectives. This supports not only the business case for the migration but also for investing into security when moving to cloud. Management approval and support has always been a key consideration for any security management program and this is no different for business-efficient and secure cloud migrations. Security Management and Governance With the adoption of cloud, security is a shared responsibility between the Cloud Service Providers (CSPs) and the consumers e.g. a business organization. Additionally, cloud vendors provide various options for security configuration for the consumers, along with a recommended best practice baseline to begin with. This is contrary to the way sales were done historically, where the default configuration for products or devices mostly entailed a disclaimer to have the settings changed and configuration hardened upon the first set-up e.g. change admin-admin combination on your router, software web shop, etc. Most of the big cloud service providers such as Microsoft, Amazon, Google provide detailed information on their respective shared responsibility model [6][7] . Managed Business Continuity and Disaster Recovery Although a 100% availability cannot be guaranteed, business continuity and operational uptime is critical to every business. Disaster recovery plays a key role in business continuity. Additionally, with the ever increasing threat of ransomware [8] , business as usual & always can come to a complete halt without proper disaster recovery plans in place. Not only are there financial risks associated with downtime, but there are added reputational risks and operational costs involved. Although, the underlying concept and process for designing Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) remain fundamentally the same (e.g. a risk-based and business-criticality-based approach to defining Recovery Point Objectives [9] and Recovery Time Objectives [10] ), cloud technology can provide a better and more scalable management of the business critical assets and operations. The disaster recovery delivery model by the CSPs can vary from a light-pilot recovery site to hot-standby infrastructures. Additionally, with adoption of cloud, cost effectiveness is another major advantage for business continuity, since the Total Cost of Ownership (TCO) is reduced. 1 2 3 5
We have seen evolution in network security products for over a decade. However, today, we see that the meaning of the term perimeter has become more fluid. Access is the new logical perimeter and forms a key concept with regards to defining and defending perimeter today, particularly in a cloud infrastructure due concepts such as shared data-usage or multi-tenancy. At the same time, we have seen a multitude of data breaches over the last decade [11] , e.g. Ashley Madison, Yahoo, Verizon, Equifax, to name a few. This is of particular importance, when the data extracted is sensitive personal data and can be used to steal or impersonate identity. With studies showing that corporate breaches increase the probability of identity theft [12] , the management of identity becomes more vital. Today, we see that identity is a critical component, and insufficient authentication or misconfigured access management one of the key factors for losing consumer trust [13] . Additionally, due to technological advancements such as Bring Your Own Device (BYOD) [14] , Internet of Things [4] , Blockchain [15] , etc. and adoption of cloud, it’s not only required to manage identity cross-functional within an organization, however, identity also needs to be managed cross-platform, cross-technology and cross-infrastructure. The good news is, although there are many IAM tools out there, we are seeing a shift in the adoption of IAM as a Service (IDaaS). By 2020, 40% of identity and access management (IAM) purchases will use the IDaaS delivery model - up from less than 20% in 2016 [16] . 4 Access plane is the new logical perimeter 6
To err is human. Humans have been one of the weakest links of the cyber security chain. Automation 5 To err is human. Humans have been one of the weakest links of the cyber security chain. Although automation is relevant for on-premise architectures as well, however, cloud technology requires and demands deployment and changes within the infrastructure and production cycle to be more rapid, agile and granular, making automation all the more critical. There is also the added factor of DevOps. The DevOps team are constantly looking into more agile development models whilst ensuring security, accuracy and shorter development cycles [17] . DevOps teams are increasingly adopting cloud services for the above reasons. Whether DevOps, infrastructure or architectural changes, automation ensures that concept, functionality and changes are deployed without affecting speed, accuracy and security. 7
1. Division of Responsibility and SLAs What is your responsibility and what is the provider’s? What are the responsibilities that your cloud service provider offers to manage for you? This pertains not only to the division in terms of managing the OSI ISO layers but also and more importantly in terms of security and privacy respon- sibilities at various layers. It is vital that there is a clear understanding of the division of responsibi- lities and the cloud service provider security model. Additionally, it is important to understand and document, what Service Level Agreements (SLAs) would exist with the cloud service providers in case of a cyberattack affecting availability, integrity and confidentiality (loss of data). This is also particularly relevant in case of managed security services such as incident handling, vulnerability management, threat and risk monitoring, etc. It is vital that there are proper contractual clauses in place for the SLAs and the cloud service provider’s management of risks. All major cloud service providers such as Microsoft, Amazon and Google provide detailed information on their shared responsibilities and security models [6] [7] . 10 key security architecture considerations towards your cloud migration strategy So far we looked into some important factors that provide motivations and business case for adopting cloud technology. Let’s say, we now understand the fundamentals, and have a business case in place, for our organization and the business to benefit from going to cloud. Based on the factors discussed above, your organization and decision makers need to ask, ”We have a business case but are we ready to migrate into public cloud, whether partially or completely? What are the vital steps of the migration strategy?” We will now build upon the above key deciding factors and look into the top 10 key areas for designing a security architecture for cloud migration. Below are key considerations and some of the security best practices towards your cloud migration strategy, and helping you design a secure architecture for your cloud environment: 8
What risks does multi-tenancy pose for your organization and how would it affect your cloud architecture? Multi-tenancy can exist in any cloud service model. A SaaS, a PaaS or equaivalently an IaaS service could be shared between multiple tenants. Multi-tenancy, although a key cost benefactor, introduces various security issues such as inadequate logical segrations between various tenants, data leakage, insufficient data separation, single point of failure of services for all tenants, etc. Different CSPs might be multi-tenant at different layers [18] e.g. one CSP might be multi-tenant at the hardware level and share a virtual machine with its subscribers and another might be multi-tenant at the database level and share the a database between its subscribers. Hence, it is vital to understand, before you go to cloud, how does your service provider handle multi-tenancy [19][20][21] . 2. Multi-tenancy Data management is another key deciding factor for the migration strategy you adopt. What kind of data will be handled and processed in the cloud, has the data already been classified e.g. Sensitive PII, PII, confidential, etc., where will it be stored (geo-lo- cation of the servers), how is the data flowing, how is it handled both when stored and when in transit, where is your DC actually located? You need to think about data management in terms of critical business processes, security, compliance, performance/ latency, repercussions in case of data loss, and other risks involved e.g. how would you ensure privacy of customer data, and compliance to legal and regulatory requirements. Is there a data lifecycle management process within the organization? Will there be a Data Loss Prevention (DLP) solution in your cloud infrastructure? With new and more stringent regulations such as GDPR and the recent Cambridge Analytica (CA) scandal [22] , transparency on data processing policies and data management lifecycle is all the more critical to business and operations. A transparent understanding and processes in place for data flow, data handling and seamless data integration in cloud can go a long way to prevent reputational loss or in case of a data leak, severe financial penalties. 3. Data classification and Management 9
4. Encryption and Key Management 5. Monitoring and Reporting There are various reasons why encryption and key management might play an important role in your cloud strategy such as key vaults for managing secrets and keys, encryption of specific data, encryption of entire virtual machines, etc. Furthermore, you must consider, where and how will the keys be stored? How will they be managed? Data segregation, and secure storage and management of data is critical to a public cloud environment especially due to multi-tenancy and particularly for the organizations where data breach is not only one of the biggest operational risks, but could also significantly damage the reputation and customer trust. Majority of the multi-tenant cloud applications provide data encryption and key management features for their customers, however, for other IaaS and PaaS services the overall data governance, data security and key management should be owned by the tenant, particularly where data loss is a great reputational risk. The organization must look into classifying data that is stored in the cloud in any form of IaaS, PaaS or SaaS model, and based upon the confidentiality and sensitivity level establish the requirements for encryption. Another reason for encryption of data might be legal and regulatory requirements in the geographic location where the data is stored or processed. Additionally, key management is vital to provide data security. A lock doesn’t help protect the asset if the key is left in the lock or if there are multiple copies of the key laying around without proper management of the ownership, access and permission. Logging, auditing and monitoring capabilities are as critical in cloud as on-premise. There are various third party solutions that provide managed monitoring and incident response services. The key deciding factors in assessing and engaging such services for your cloud environment are automation, auditing and reporting capabilities, timeliness and accuracy. There are also some challenges [23] that monitoring within the cloud environment entails. One is visibility at various levels across the cloud infrastructure. Similar to a layered approach for security defense, there is a need for a layered approach towards monitoring including IoT, network layer, physical servers, virtual OS layer, identity layer, access layer, etc. Another challenge is dynamicity and virtualization of resources within cloud. One must understand how do monitoring (SIEM) solutions handle such technical challenges for monitoring when a machine is spun down and back up at any instance. There are various models for third-party (managed) monitoring services. For example, you could choose an on-premise MSSP that takes into account and analyzes cloud SIEM reports, or you might prefer a fully cloud-based SOC or, as a yet other option, you might choose to go with a hybrid version. These are the considerations one needs to make There are various providers that offer different versions of integration and MSS [24] as their delivery models. It is important to understand which MSS model suits your organizational and business needs the best. 10
Identity and Access Management (IAM) has been gaining more and more attention in the last years. Access is the new logical perimeter and identity a critical and valuable asset. Amongst all the security architecture considerations, in my opinion, IAM is one of the the most critical security areas and can be complicated to implement correctly and securely. With cloud technology, we don’t only need to manage identities, accounts and accesses but also: 1. manage the context and the logical relationships between them and 2. manage these across various platforms, infrastructure, third party integrations within the cloud environment. IAM as a Service (IDaaS) [25] and Cloud Access Security Broker (CASB) [26] are the latest trends. By 2020, use of IDaaS delivery model is predicted to increase from less than 20% up to 40% [16] . Additionally, 60% of large enterprises will use a CASB to govern cloud services by 2020, up from less than 10% in 2017 [27] . While IDaaS is a cloud service that provides management of identity and access including IAM governance and monitoring, CASBs serve as an access broker between the cloud service provider and its consumers, and provides more than just IAM and identity governance. A CASBs capabilities are spread across four pillars: Visibility, Compliance, Data Security and Threat Management [27] . Different IDaaS and CASB solutions from different vendors provide different capabilities. As far as IAM is concerned, one should assess the vendors and design an architecture reference model, in terms of capabilities such as: While, IDaaS could be a lightweight and homogenous solution for your IAM, at the same time, CASBs can provide a one-stop-shop for more security capabilities and get your money’s worth in a broader aspect. However, this trend could very well change. 1. JML (Joiners, Movers, Leavers) cycle and access request management - this is very basic and any average to good IAM tool should provide this 2. Access recertification and role-engineering 3. Identity governance, monitoring and auditing 4. Identity-based, conditional-based and behavior-based login and alerts 5. Approval workflows 6. Identity Analytics - analysis and discovery of access violations in order to help reduce risk 7. Privileged Access Management 8. Identity and context awareness across your cloud environment, etc. 6. Access Management 7. Business Continuity and Disaster Recovery What does your Business Continuity Plan (BCP) and Disaster Recovery (DR) strategy look like? What do you do in case the recovery sites also get affected due to being located in same region or just because multiple regions of the CSP get affected by a cyberattack? Redundancy is still the key here. One approach is to have separate providers, one for BAU and a separate one for BC and DR sites. Another option could be to still use a variant of a hybrid model and use on-premise infrastructure in case of a complete cloud service fail. The biggest disadvantage of later is latency and continuously incurring on-premise infrastructure costs even when you are mostly operating in cloud, defeating one of the objectives of migrating to cloud in the first place. Another important aspect in determining the cloud based DR strategy is the legal and regulatory requirements of the DR region and geographic location. 11
Management of and investment in information security almost always boils down to managing business risks within the organization. One critical question that a CISO or CTO should ask is, ”how can I manage information and IT risks to help the management achieve their business goals while keeping the risks below the acceptable level”. Similarly, one question that the CEO, the management or the board should be invested in is, ”how can we ensure that information and IT risks do not affect the overall business risk profile negatively, understand where the enterprise risks could be business opportunities and ensure that the overall risks are kept below an acceptable level”. The following are the key components of an efficient cloud migration risk management strategy. Please note, the below aren’t components of risk management within cloud itself. However, they encapsulate the risk management framework prior to or while migrating to cloud. a) Management Support Do you have the business case for migrating to cloud? We discussed this briefly in Part 1 of this blog series. There should ideally be a business case that is approved by the management before your start with the migration project and implemen- tation. Similar to security projects in general, management buy-in is the most important and critical factors for success of a cloud migration project and development of an efficient strategy. It is vital that objectives of the cloud migration project are aligned with the business goals. There must be a business and project risk management workshop prior to kick off the migration project, to ensure the migration strategy and plan is aligned with the business requirements. b) Procurement and Vendor lock-in Procurement can be a hassle particularly with respect to time and compliance. Hence, it is a smart idea to have procurement team on board, and have the potential vendors fill out necessary information relevant for the cloud migration that is validated and approved by the procurement and the legal department. This assessment, among other things, should include verification towards: 1. Know your provider 2. Pricing and business objectives 3. Data governance and handling procedures 4. Standards and certifications adherence 5. SLAs, service terms and delivery 6. Security incident handling procedures 7. Reliability and disaster recovery 8. Support for migration to another CSP and exit planning to prevent vendor lock-in c) Business Disruptions during Migration In order to ensure a smooth migration to cloud, it is important that migration risks and business disruption risks are assessed and prepared for. It is important to manage and reduce risks due to changes to the production infrastructure and ensure minimal disruption to the business. The strategy used for migration depends a lot on what kind of migration is being done e.g. lift and shift, duplicating instances in the cloud, hybrid infrastructure, or adding new services to cloud, etc. In case of heavy migrations there might be a need for disaster recovery in place to spin up critical business services in case of a failure. In other cases, it might be necessary to make sure these migrations are done during non-operational window and so on. d) Application and Data Risk Assessment In order to design a secure architecture with the right controls in place for the business applications and data that are to be moved to the cloud, it is necessary that a risk assessment is done for each busines critical application or any application that processes sensitive PII or business critical data. Additionally, it is important do a risk assessment on how the data will be handled and processed by the third party service providers in the cloud. The security baseline for these application in the cloud should be at least as secure as on premise and for the better part of it, hopefully more securely configured. Other forms or security assessments, reviews, pentesting, etc. could be part of this phase. Business impact, security assessment and risk assessment at this stage can also provide you the facts and details on whether you can migrate to public cloud or would you need a private or a hybrid model. For example, some financial organizations might require critical banking and transaction systems to be migrated to private cloud only due to the criticality of the system and to maintain the confidentiality and integrity of the transactions. 8. Risk Assessment 12
Having invested a lot in security within your on-premise infrastructure, a vital question to consider might be, how do I migrate not only the applications from an on-premise infrastructure to cloud but also the critical security tools. 9. Change Management 10. Security-as-a-Service Change management is vital before, during and after migration. This factor cannot be emphasized enough. Changes within cloud environment can happen at a much granular level and in a much faster cycle than on-premise. A good change management process, consisting of what to document, when and how to raise a Request For Change (RFC), the role and responsibility of the change management team, among other factors, is extremely vital for good governance and security within cloud. Additionally, it brings issues into view at an earlier stage, making the transition and adoption of cloud services a much smoother experience for the organization. There are pros and cons to each. Lift-and-shift of the existing tools might be the fastest and cheapest option but comes at the cost of the tools not being efficient and effective as they aren’t tailored towards the cloud environment. Added concern is that of shadow IT systems. One needs to ask: Whether and how do these tools cover these systems? In certain cases, the vendors might be able to provide you an upgrade and cloud compatible (SaaS) solutions for the same tool giving you the advantage of tool familiarity however still providing coverage towards all kinds of systems and applications within cloud including IoT devices and shadow IT systems. However, this would still mean managing and maintaining numerous amounts of security and monitoring tools within the cloud environment along with managing and maintaining numerous vendor relationships for different aspects of security services that they offer. An alternative to this might be deploying CASB solutions that provide multiple security services suitable for and aligned to your business needs. There is a third option of utilizing Security-as-a- Service (SECaaS) originating from the Software-as-a-Service (SaaS) model. SECaaS providers not only deliver security tools specifically designed for the cloud environment but also provide configuration, maintenance, management services towards your risk appetite. According to the Cloud Security Alliance there are 12 categories of SECaaS [28] . Apart from having a managed service in cloud, SECaaS provides the added advantage that many vendors provide multiple categories of SECaaS, thereby, reducing investment & operational costs, vendor relationship management whilst adding coherent and unified governance of security for your business. The downside, as with any form of outsourcing, is that transfer of risk does not remove the business’ liability and accountability. There are three basic options, at least: 1. Do I run the existing security tools and do a lift-and-shift? 2. Do I procure a cloud version of the tool? 3. Do I use and deploy a Security-as-a-Service? 13
There isn’t a silver bullet to the security considerations and the approach for your cloud migration strategy however, I hope, this article will provide you a solid foundation for defining an efficient strategy, a secure architecture design for your cloud environment and help you tailor it towards your business strategy and business needs. No silver bullet 14
[1] https://www.gartner.com/newsroom/id/3354117 [2] https://www.gartner.com/newsroom/id/3815165 [3] https://www.forbes.com/sites/louiscolumbus/2017/11/07 forresters-10-cloud-computing-predictions-for-20 18/#9e7ee104ae18 [4] https://en.wikipedia.org/wiki/Internet_of_things [5] https://en.wikipedia.org/wiki/OKR [6] Microsoft’s Shared Responsibilities for Cloud Computing, April 2017, v2.0 [7] https://cloudacademy.com/blog/aws-shared-responsibility-model-security/ [8] https://www.csoonline.com/article/3262972/ransomware/8-hot-cyber-security-trends-and-4-going-cold.html [9] https://en.wikipedia.org/wiki/Recovery_point_objective [10] https://en.wikipedia.org/wiki/Recovery_time_objective [11] https://www.asecurelife.com/the-worst-data-breaches-of-the-last-10-years/ [12] https://www.darkreading.com/risk/corporate-breaches-increase-chances-of-consumer-id-theft-study-says/ d/d-id/1132275 [13] https://www.pwc.com/us/en/cybersecurity/assets/revitalizing-privacy-trust-in-data-driven-world.pdf [14] https://www.veracode.com/security/byod-security [15] https://www.ibm.com/blockchain/identity/ [16] Gartner, Magic Quadrant for Identity and Access Management as a Service, Worldwide [17] https://blogs.oracle.com/futurestate/why-do-you-need-to-think-devops-if-you-are-adopting-cloud [18] https://www.gartner.com/doc/2058722?ref=g_sitelink [19] https://www.ibm.com/developerworks/cloud/library/cl-publictoprivatecloud/index.html [20] https://aws.amazon.com/ec2/dedicated-hosts/ [21] https://www.ibm.com/developerworks/cloud/library/cl-multitenantcloud/index.html [22] http://fortune.com/2018/04/10/facebook-cambridge-analytica-what-happened/ [23] https://searchcloudsecurity.techtarget.com/tip/Cloud-security-monitoring-Challenges-and-guidance [24] https://www.fortinet.com/content/dam/fortinet/assets/solution-guides/sg-mssp-cloud-security-solution.pdf [25] https://securityintelligence.com/what-is-idaas-a-ciso-clears-up-confusion-around-the-definition-of-cloud-iam/ [26] https://www.gartner.com/it-glossary/cloud-access-security-brokers-casbs/ [27] Gartner: Magic Quadrant for Cloud Access Security Brokers [28] https://downloads.cloudsecurityalliance.org/assets/research/security-as-a-service/csa-categories-securitie s-prep.pdf References: 15
© 2018 PwC. Med enerett. I denne sammenheng refererer «PwC» seg til PricewaterhouseCoopers AS, Advokatfirmaet PricewaterhouseCoopers AS, PricewaterhouseCoopers Accounting AS og PricewaterhouseCoopers Skatterådgivere AS som alle er separate juridiske enheter og uavhengige medlemsfirmaer i PricewaterhouseCoopers International Limited.

Recommended

Research On Preserving User Confidentiality In Cloud Computing – Design Of A ...
Research On Preserving User Confidentiality In Cloud Computing – Design Of A ...Research On Preserving User Confidentiality In Cloud Computing – Design Of A ...
Research On Preserving User Confidentiality In Cloud Computing – Design Of A ...IJERA Editor
 
Wp esg-5-considerations-hybrid-clouds
Wp esg-5-considerations-hybrid-cloudsWp esg-5-considerations-hybrid-clouds
Wp esg-5-considerations-hybrid-cloudsFaisal Farooq
 
AgilePath WhitePaper Cloud Gov Lifecycle
AgilePath WhitePaper Cloud Gov LifecycleAgilePath WhitePaper Cloud Gov Lifecycle
AgilePath WhitePaper Cloud Gov LifecycleAgilePath Corporation
 
Today's Need To Manage The Storage Polymorphism
Today's Need To Manage The Storage PolymorphismToday's Need To Manage The Storage Polymorphism
Today's Need To Manage The Storage PolymorphismNetmagic Solutions Pvt. Ltd.
 
What the future holds for the hybrid cloud
What the future holds for the hybrid cloudWhat the future holds for the hybrid cloud
What the future holds for the hybrid cloudNetmagic Solutions Pvt. Ltd.
 
Host your Cloud – Netmagic Solutions
Host your Cloud – Netmagic SolutionsHost your Cloud – Netmagic Solutions
Host your Cloud – Netmagic SolutionsNetmagic Solutions Pvt. Ltd.
 
Benefits of a Virtual Private Cloud (VPC) – Netmagic
Benefits of a Virtual Private Cloud (VPC) – NetmagicBenefits of a Virtual Private Cloud (VPC) – Netmagic
Benefits of a Virtual Private Cloud (VPC) – NetmagicNetmagic Solutions Pvt. Ltd.
 
QuickView #5 - Cloud
QuickView #5 - CloudQuickView #5 - Cloud
QuickView #5 - CloudSonovate
 

Recommended

Research On Preserving User Confidentiality In Cloud Computing – Design Of A ...
Research On Preserving User Confidentiality In Cloud Computing – Design Of A ...Research On Preserving User Confidentiality In Cloud Computing – Design Of A ...
Research On Preserving User Confidentiality In Cloud Computing – Design Of A ...IJERA Editor
 
Wp esg-5-considerations-hybrid-clouds
Wp esg-5-considerations-hybrid-cloudsWp esg-5-considerations-hybrid-clouds
Wp esg-5-considerations-hybrid-cloudsFaisal Farooq
 
AgilePath WhitePaper Cloud Gov Lifecycle
AgilePath WhitePaper Cloud Gov LifecycleAgilePath WhitePaper Cloud Gov Lifecycle
AgilePath WhitePaper Cloud Gov LifecycleAgilePath Corporation
 
Today's Need To Manage The Storage Polymorphism
Today's Need To Manage The Storage PolymorphismToday's Need To Manage The Storage Polymorphism
Today's Need To Manage The Storage PolymorphismNetmagic Solutions Pvt. Ltd.
 
What the future holds for the hybrid cloud
What the future holds for the hybrid cloudWhat the future holds for the hybrid cloud
What the future holds for the hybrid cloudNetmagic Solutions Pvt. Ltd.
 
Host your Cloud – Netmagic Solutions
Host your Cloud – Netmagic SolutionsHost your Cloud – Netmagic Solutions
Host your Cloud – Netmagic SolutionsNetmagic Solutions Pvt. Ltd.
 
Benefits of a Virtual Private Cloud (VPC) – Netmagic
Benefits of a Virtual Private Cloud (VPC) – NetmagicBenefits of a Virtual Private Cloud (VPC) – Netmagic
Benefits of a Virtual Private Cloud (VPC) – NetmagicNetmagic Solutions Pvt. Ltd.
 
QuickView #5 - Cloud
QuickView #5 - CloudQuickView #5 - Cloud
QuickView #5 - CloudSonovate
 
Cloud Infrastructure for Your Data Center
Cloud Infrastructure for Your Data CenterCloud Infrastructure for Your Data Center
Cloud Infrastructure for Your Data CenterDataCore Software
 
DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?Activo Consulting
 
Cisco Cloud Computing White Paper
Cisco Cloud Computing White PaperCisco Cloud Computing White Paper
Cisco Cloud Computing White Paperlamcindoe
 
Cloud Brokering Brochure
Cloud Brokering BrochureCloud Brokering Brochure
Cloud Brokering BrochureBooz Allen Hamilton
 
Netmagic the-storage-matrix
Netmagic the-storage-matrixNetmagic the-storage-matrix
Netmagic the-storage-matrixNetmagic Solutions Pvt. Ltd.
 
Mike Palmer of Veritas: Debunking the myths of multi-cloud to achieve 360 Dat...
Mike Palmer of Veritas: Debunking the myths of multi-cloud to achieve 360 Dat...Mike Palmer of Veritas: Debunking the myths of multi-cloud to achieve 360 Dat...
Mike Palmer of Veritas: Debunking the myths of multi-cloud to achieve 360 Dat...Veritas Technologies LLC
 
Improve network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicImprove network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicNetmagic Solutions Pvt. Ltd.
 
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityShared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityAndy Powell
 
Strategic business challenges in cloud
Strategic business challenges in cloudStrategic business challenges in cloud
Strategic business challenges in cloudijccsa
 
Cloudonomics: The Economics of Cloud Computing
Cloudonomics: The Economics of Cloud ComputingCloudonomics: The Economics of Cloud Computing
Cloudonomics: The Economics of Cloud ComputingRackspace
 
Hybrid cloud-for-flexible-accelerated-and-sustainable-it16-10-051475673810
Hybrid cloud-for-flexible-accelerated-and-sustainable-it16-10-051475673810Hybrid cloud-for-flexible-accelerated-and-sustainable-it16-10-051475673810
Hybrid cloud-for-flexible-accelerated-and-sustainable-it16-10-051475673810Netmagic Solutions Pvt. Ltd.
 
IT Solutions for 3 Common Small Business Problems
IT Solutions for 3 Common Small Business ProblemsIT Solutions for 3 Common Small Business Problems
IT Solutions for 3 Common Small Business ProblemsBrooke Bordelon
 
Veritas Solution Day 2017, France, keynote by Mike Palmer
Veritas Solution Day 2017, France, keynote by Mike PalmerVeritas Solution Day 2017, France, keynote by Mike Palmer
Veritas Solution Day 2017, France, keynote by Mike PalmerVeritas Technologies LLC
 
Demystifying The Cloud-iON Cloud ERP
Demystifying The Cloud-iON Cloud ERPDemystifying The Cloud-iON Cloud ERP
Demystifying The Cloud-iON Cloud ERPChirantan Ghosh
 
Software defined networking
Software defined networkingSoftware defined networking
Software defined networkingNetmagic Solutions Pvt. Ltd.
 
Secure Computing in Enterprise Cloud Environments
Secure Computing in Enterprise Cloud EnvironmentsSecure Computing in Enterprise Cloud Environments
Secure Computing in Enterprise Cloud EnvironmentsShaun Thomas
 
Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...
Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...
Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...hemanthbbc
 
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...ijcnes
 
FINAL PRINTED VER - 29102014
FINAL PRINTED VER - 29102014FINAL PRINTED VER - 29102014
FINAL PRINTED VER - 29102014Jesper Nielsen, MBA
 
Cloud-Migration-Methodology v1.0
Cloud-Migration-Methodology v1.0Cloud-Migration-Methodology v1.0
Cloud-Migration-Methodology v1.0b3535840
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsDr. Sunil Kr. Pandey
 
Cloud migration risks and challenges
Cloud migration risks and challengesCloud migration risks and challenges
Cloud migration risks and challengesPolestarsolutions
 

More Related Content

What's hot

Cloud Infrastructure for Your Data Center
Cloud Infrastructure for Your Data CenterCloud Infrastructure for Your Data Center
Cloud Infrastructure for Your Data CenterDataCore Software
 
DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?Activo Consulting
 
Cisco Cloud Computing White Paper
Cisco Cloud Computing White PaperCisco Cloud Computing White Paper
Cisco Cloud Computing White Paperlamcindoe
 
Mike Palmer of Veritas: Debunking the myths of multi-cloud to achieve 360 Dat...
Mike Palmer of Veritas: Debunking the myths of multi-cloud to achieve 360 Dat...Mike Palmer of Veritas: Debunking the myths of multi-cloud to achieve 360 Dat...
Mike Palmer of Veritas: Debunking the myths of multi-cloud to achieve 360 Dat...Veritas Technologies LLC
 
Improve network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicImprove network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicNetmagic Solutions Pvt. Ltd.
 
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityShared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityAndy Powell
 
Strategic business challenges in cloud
Strategic business challenges in cloudStrategic business challenges in cloud
Strategic business challenges in cloudijccsa
 
Cloudonomics: The Economics of Cloud Computing
Cloudonomics: The Economics of Cloud ComputingCloudonomics: The Economics of Cloud Computing
Cloudonomics: The Economics of Cloud ComputingRackspace
 
Hybrid cloud-for-flexible-accelerated-and-sustainable-it16-10-051475673810
Hybrid cloud-for-flexible-accelerated-and-sustainable-it16-10-051475673810Hybrid cloud-for-flexible-accelerated-and-sustainable-it16-10-051475673810
Hybrid cloud-for-flexible-accelerated-and-sustainable-it16-10-051475673810Netmagic Solutions Pvt. Ltd.
 
IT Solutions for 3 Common Small Business Problems
IT Solutions for 3 Common Small Business ProblemsIT Solutions for 3 Common Small Business Problems
IT Solutions for 3 Common Small Business ProblemsBrooke Bordelon
 
Veritas Solution Day 2017, France, keynote by Mike Palmer
Veritas Solution Day 2017, France, keynote by Mike PalmerVeritas Solution Day 2017, France, keynote by Mike Palmer
Veritas Solution Day 2017, France, keynote by Mike PalmerVeritas Technologies LLC
 
Demystifying The Cloud-iON Cloud ERP
Demystifying The Cloud-iON Cloud ERPDemystifying The Cloud-iON Cloud ERP
Demystifying The Cloud-iON Cloud ERPChirantan Ghosh
 
Secure Computing in Enterprise Cloud Environments
Secure Computing in Enterprise Cloud EnvironmentsSecure Computing in Enterprise Cloud Environments
Secure Computing in Enterprise Cloud EnvironmentsShaun Thomas
 
Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...
Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...
Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...hemanthbbc
 

What's hot (17)

Cloud Infrastructure for Your Data Center
Cloud Infrastructure for Your Data CenterCloud Infrastructure for Your Data Center
Cloud Infrastructure for Your Data Center
 
DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?
 
Cisco Cloud Computing White Paper
Cisco Cloud Computing White PaperCisco Cloud Computing White Paper
Cisco Cloud Computing White Paper
 
Cloud Brokering Brochure
Cloud Brokering BrochureCloud Brokering Brochure
Cloud Brokering Brochure
 
Netmagic the-storage-matrix
Netmagic the-storage-matrixNetmagic the-storage-matrix
Netmagic the-storage-matrix
 
Mike Palmer of Veritas: Debunking the myths of multi-cloud to achieve 360 Dat...
Mike Palmer of Veritas: Debunking the myths of multi-cloud to achieve 360 Dat...Mike Palmer of Veritas: Debunking the myths of multi-cloud to achieve 360 Dat...
Mike Palmer of Veritas: Debunking the myths of multi-cloud to achieve 360 Dat...
 
Improve network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicImprove network safety through better visibility – Netmagic
Improve network safety through better visibility – Netmagic
 
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityShared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud security
 
Strategic business challenges in cloud
Strategic business challenges in cloudStrategic business challenges in cloud
Strategic business challenges in cloud
 
Cloudonomics: The Economics of Cloud Computing
Cloudonomics: The Economics of Cloud ComputingCloudonomics: The Economics of Cloud Computing
Cloudonomics: The Economics of Cloud Computing
 
Hybrid cloud-for-flexible-accelerated-and-sustainable-it16-10-051475673810
Hybrid cloud-for-flexible-accelerated-and-sustainable-it16-10-051475673810Hybrid cloud-for-flexible-accelerated-and-sustainable-it16-10-051475673810
Hybrid cloud-for-flexible-accelerated-and-sustainable-it16-10-051475673810
 
IT Solutions for 3 Common Small Business Problems
IT Solutions for 3 Common Small Business ProblemsIT Solutions for 3 Common Small Business Problems
IT Solutions for 3 Common Small Business Problems
 
Veritas Solution Day 2017, France, keynote by Mike Palmer
Veritas Solution Day 2017, France, keynote by Mike PalmerVeritas Solution Day 2017, France, keynote by Mike Palmer
Veritas Solution Day 2017, France, keynote by Mike Palmer
 
Demystifying The Cloud-iON Cloud ERP
Demystifying The Cloud-iON Cloud ERPDemystifying The Cloud-iON Cloud ERP
Demystifying The Cloud-iON Cloud ERP
 
Software defined networking
Software defined networkingSoftware defined networking
Software defined networking
 
Secure Computing in Enterprise Cloud Environments
Secure Computing in Enterprise Cloud EnvironmentsSecure Computing in Enterprise Cloud Environments
Secure Computing in Enterprise Cloud Environments
 
Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...
Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...
Ieeepro techno solutions 2014 ieee java project - assessing collaboration f...
 

Similar to Migrating to Cloud? 5 motivations and 10 key security architecture considerations you should consider.

Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...ijcnes
 
Cloud-Migration-Methodology v1.0
Cloud-Migration-Methodology v1.0Cloud-Migration-Methodology v1.0
Cloud-Migration-Methodology v1.0b3535840
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsDr. Sunil Kr. Pandey
 
Cloud migration risks and challenges
Cloud migration risks and challengesCloud migration risks and challenges
Cloud migration risks and challengesPolestarsolutions
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0David Spinks
 
Security in Cloud Computing For Service Delivery Models: Challenges and Solut...
Security in Cloud Computing For Service Delivery Models: Challenges and Solut...Security in Cloud Computing For Service Delivery Models: Challenges and Solut...
Security in Cloud Computing For Service Delivery Models: Challenges and Solut...IJERA Editor
 
Top 7 value propositions of a Multi Cloud strategy
Top 7 value propositions of a Multi Cloud strategyTop 7 value propositions of a Multi Cloud strategy
Top 7 value propositions of a Multi Cloud strategyVincy Ko
 
The Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValue
The Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValueThe Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValue
The Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValueRapidValue
 
Migrating apps-to-the-cloud-final
Migrating apps-to-the-cloud-finalMigrating apps-to-the-cloud-final
Migrating apps-to-the-cloud-finaleng999
 
Azure cloud migration simplified
Azure cloud migration simplifiedAzure cloud migration simplified
Azure cloud migration simplifiedGirlo
 
Strategic Business Challenges in Cloud Systems
Strategic Business Challenges in Cloud SystemsStrategic Business Challenges in Cloud Systems
Strategic Business Challenges in Cloud Systemsneirew J
 
2014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v012014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v01promediakw
 
Cloud Computing
Cloud Computing Cloud Computing
Cloud ComputingAbdul Aslam
 
Architecting your Cloud Strategy - Part One.vsdx
Architecting your Cloud Strategy - Part One.vsdxArchitecting your Cloud Strategy - Part One.vsdx
Architecting your Cloud Strategy - Part One.vsdxGareth Llewellyn
 
Cloud Adaption and Migration - Raghvendra Prabhu
Cloud Adaption and Migration - Raghvendra PrabhuCloud Adaption and Migration - Raghvendra Prabhu
Cloud Adaption and Migration - Raghvendra PrabhuRaghavendra Prabhu
 
A Practical Guide to Cloud Migration
A Practical Guide to Cloud MigrationA Practical Guide to Cloud Migration
A Practical Guide to Cloud MigrationMarianne Harness
 

Similar to Migrating to Cloud? 5 motivations and 10 key security architecture considerations you should consider. (20)

Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...
 
FINAL PRINTED VER - 29102014
FINAL PRINTED VER - 29102014FINAL PRINTED VER - 29102014
FINAL PRINTED VER - 29102014
 
Cloud-Migration-Methodology v1.0
Cloud-Migration-Methodology v1.0Cloud-Migration-Methodology v1.0
Cloud-Migration-Methodology v1.0
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and Applications
 
Cloud migration risks and challenges
Cloud migration risks and challengesCloud migration risks and challenges
Cloud migration risks and challenges
 
Epaper
EpaperEpaper
Epaper
 
ETCA_5
ETCA_5ETCA_5
ETCA_5
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
 
Cc unit 4 updated version
Cc unit 4 updated versionCc unit 4 updated version
Cc unit 4 updated version
 
Security in Cloud Computing For Service Delivery Models: Challenges and Solut...
Security in Cloud Computing For Service Delivery Models: Challenges and Solut...Security in Cloud Computing For Service Delivery Models: Challenges and Solut...
Security in Cloud Computing For Service Delivery Models: Challenges and Solut...
 
Top 7 value propositions of a Multi Cloud strategy
Top 7 value propositions of a Multi Cloud strategyTop 7 value propositions of a Multi Cloud strategy
Top 7 value propositions of a Multi Cloud strategy
 
The Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValue
The Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValueThe Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValue
The Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValue
 
Migrating apps-to-the-cloud-final
Migrating apps-to-the-cloud-finalMigrating apps-to-the-cloud-final
Migrating apps-to-the-cloud-final
 
Azure cloud migration simplified
Azure cloud migration simplifiedAzure cloud migration simplified
Azure cloud migration simplified
 
Strategic Business Challenges in Cloud Systems
Strategic Business Challenges in Cloud SystemsStrategic Business Challenges in Cloud Systems
Strategic Business Challenges in Cloud Systems
 
2014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v012014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v01
 
Cloud Computing
Cloud Computing Cloud Computing
Cloud Computing
 
Architecting your Cloud Strategy - Part One.vsdx
Architecting your Cloud Strategy - Part One.vsdxArchitecting your Cloud Strategy - Part One.vsdx
Architecting your Cloud Strategy - Part One.vsdx
 
Cloud Adaption and Migration - Raghvendra Prabhu
Cloud Adaption and Migration - Raghvendra PrabhuCloud Adaption and Migration - Raghvendra Prabhu
Cloud Adaption and Migration - Raghvendra Prabhu
 
A Practical Guide to Cloud Migration
A Practical Guide to Cloud MigrationA Practical Guide to Cloud Migration
A Practical Guide to Cloud Migration
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Migrating to Cloud? 5 motivations and 10 key security architecture considerations you should consider.

  • 1. Migrating to Cloud? Know, if you are ready? 5 motivations and 10 key security architecture considerations towards your cloud migration strategy
  • 2. Content Abstract 3 Strategic Alignment 5 Security Management and Governance 5 Managed Business Continuity and Disaster Recovery 5 Access plane is the new logical perimeter 6 Automation 7 10 key security architecture considerations towards your cloud migration strategy: Division of Responsibility and SLAs.................................8 Multi-tenancy..................................................................9 Data classification and Management...............................8 Encryption and Key Management...................................9 Monitoring and Reporting...............................................9 Access Management......................................................10 Business Continuity and Disaster Recovery...................10 Risk Assessment.............................................................11 Change Management....................................................12 Security-as-a-Service.....................................................12 References 14 2
  • 3. Migrating to cloud can be a daunting and an inevitable challenge that you may need to take on sooner rather than later or may already find yourself amidst. Whether you are an executive, in management or a leader, and are wondering • if your business strategy should include a cloud migration strategy or • how to embark upon the journey of migrating to cloud with security considerations in place, then this article will provide you with some insights and would hopefully serve as your companion through this journey. Monica Verma Senior Manager Risk Advisory Services - PwC Norway 3
  • 4. By 2020, a Corporate “No-Cloud” Policy Will Be as Rare as a “No-Internet” Policy Is Today [1] . Gartner predicts the total cloud computing market to reach $411 billion by 2020 i.e. to nearly double from $219.6 billion in 2016 [2] . Forrester predicts that more than 50% of global enterprises will rely on at least one public cloud platform to drive digital transformation and delight customers [3] . The above predictions will not come across as a surprise to you. With the ever increasing adoption of cloud technologies, more and more organizations are modifying their business strategy to include and prioritize cloud migration and automation. Traditionally, some of the most important reasons for organizations to move to cloud have been: 1. Cost reduction 2. Scalability 3. Increased availability 5 motivations and 10 key security architecture considerations towards your cloud migration strategy As technology has advanced, the adoption of cloud has also expanded the cyber threat horizon. The inclusion of various heterogeneous components adds to the complexity and intricacy of managing information security within cloud. The following are a few examples of components that add heterogeneity to the cloud infrastructure: a) Various services (SaaS, PaaS, IaaS) from multiple vendors b) Various networked and interconnected devices, referred to as Internet of Things (IoTs) [4] c) Multiple identities spread across these heterogeneous services and devices 4
  • 5. In this article, we will first look at the fundamental aspects that build a sound foundation and business case for migrating to cloud. Furthermore, we will go deeper into some of the best practices for an efficient cloud adoption and migration strategy, and a secure cloud architecture design. Before I go into details, let’s briefly look at these important questions: ”Why do we want to adopt cloud technology? Are there any other reasons apart from the traditional: cost reduction, scalability and increased availability? These are good but do they provide sufficient business case for our organization to change our business strategy?” With the expansion of the threat landscape, and with more stringent compliance, legal and regulatory (e.g. GDPR) requirements coming into play, we see an ever increasing number of considerations, now more than ever, that affect the decision to adopt and implement a cloud strategy. The following are some key points that must be considered and can drive a business strategy towards the cloud: Strategic Alignment As with any project initiative, one must ask, whether the project strategy is in alignment with the business strategy? What are the overall (security) objectives for migrating to cloud? Are they aligned with the business goals and business objectives/OKRs [5]? It is vital to establish the governing security objectives and principles for the migration. An exercise must be conducted in order to map these to business objectives. This supports not only the business case for the migration but also for investing into security when moving to cloud. Management approval and support has always been a key consideration for any security management program and this is no different for business-efficient and secure cloud migrations. Security Management and Governance With the adoption of cloud, security is a shared responsibility between the Cloud Service Providers (CSPs) and the consumers e.g. a business organization. Additionally, cloud vendors provide various options for security configuration for the consumers, along with a recommended best practice baseline to begin with. This is contrary to the way sales were done historically, where the default configuration for products or devices mostly entailed a disclaimer to have the settings changed and configuration hardened upon the first set-up e.g. change admin-admin combination on your router, software web shop, etc. Most of the big cloud service providers such as Microsoft, Amazon, Google provide detailed information on their respective shared responsibility model [6][7] . Managed Business Continuity and Disaster Recovery Although a 100% availability cannot be guaranteed, business continuity and operational uptime is critical to every business. Disaster recovery plays a key role in business continuity. Additionally, with the ever increasing threat of ransomware [8] , business as usual & always can come to a complete halt without proper disaster recovery plans in place. Not only are there financial risks associated with downtime, but there are added reputational risks and operational costs involved. Although, the underlying concept and process for designing Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) remain fundamentally the same (e.g. a risk-based and business-criticality-based approach to defining Recovery Point Objectives [9] and Recovery Time Objectives [10] ), cloud technology can provide a better and more scalable management of the business critical assets and operations. The disaster recovery delivery model by the CSPs can vary from a light-pilot recovery site to hot-standby infrastructures. Additionally, with adoption of cloud, cost effectiveness is another major advantage for business continuity, since the Total Cost of Ownership (TCO) is reduced. 1 2 3 5
  • 6. We have seen evolution in network security products for over a decade. However, today, we see that the meaning of the term perimeter has become more fluid. Access is the new logical perimeter and forms a key concept with regards to defining and defending perimeter today, particularly in a cloud infrastructure due concepts such as shared data-usage or multi-tenancy. At the same time, we have seen a multitude of data breaches over the last decade [11] , e.g. Ashley Madison, Yahoo, Verizon, Equifax, to name a few. This is of particular importance, when the data extracted is sensitive personal data and can be used to steal or impersonate identity. With studies showing that corporate breaches increase the probability of identity theft [12] , the management of identity becomes more vital. Today, we see that identity is a critical component, and insufficient authentication or misconfigured access management one of the key factors for losing consumer trust [13] . Additionally, due to technological advancements such as Bring Your Own Device (BYOD) [14] , Internet of Things [4] , Blockchain [15] , etc. and adoption of cloud, it’s not only required to manage identity cross-functional within an organization, however, identity also needs to be managed cross-platform, cross-technology and cross-infrastructure. The good news is, although there are many IAM tools out there, we are seeing a shift in the adoption of IAM as a Service (IDaaS). By 2020, 40% of identity and access management (IAM) purchases will use the IDaaS delivery model - up from less than 20% in 2016 [16] . 4 Access plane is the new logical perimeter 6
  • 7. To err is human. Humans have been one of the weakest links of the cyber security chain. Automation 5 To err is human. Humans have been one of the weakest links of the cyber security chain. Although automation is relevant for on-premise architectures as well, however, cloud technology requires and demands deployment and changes within the infrastructure and production cycle to be more rapid, agile and granular, making automation all the more critical. There is also the added factor of DevOps. The DevOps team are constantly looking into more agile development models whilst ensuring security, accuracy and shorter development cycles [17] . DevOps teams are increasingly adopting cloud services for the above reasons. Whether DevOps, infrastructure or architectural changes, automation ensures that concept, functionality and changes are deployed without affecting speed, accuracy and security. 7
  • 8. 1. Division of Responsibility and SLAs What is your responsibility and what is the provider’s? What are the responsibilities that your cloud service provider offers to manage for you? This pertains not only to the division in terms of managing the OSI ISO layers but also and more importantly in terms of security and privacy respon- sibilities at various layers. It is vital that there is a clear understanding of the division of responsibi- lities and the cloud service provider security model. Additionally, it is important to understand and document, what Service Level Agreements (SLAs) would exist with the cloud service providers in case of a cyberattack affecting availability, integrity and confidentiality (loss of data). This is also particularly relevant in case of managed security services such as incident handling, vulnerability management, threat and risk monitoring, etc. It is vital that there are proper contractual clauses in place for the SLAs and the cloud service provider’s management of risks. All major cloud service providers such as Microsoft, Amazon and Google provide detailed information on their shared responsibilities and security models [6] [7] . 10 key security architecture considerations towards your cloud migration strategy So far we looked into some important factors that provide motivations and business case for adopting cloud technology. Let’s say, we now understand the fundamentals, and have a business case in place, for our organization and the business to benefit from going to cloud. Based on the factors discussed above, your organization and decision makers need to ask, ”We have a business case but are we ready to migrate into public cloud, whether partially or completely? What are the vital steps of the migration strategy?” We will now build upon the above key deciding factors and look into the top 10 key areas for designing a security architecture for cloud migration. Below are key considerations and some of the security best practices towards your cloud migration strategy, and helping you design a secure architecture for your cloud environment: 8
  • 9. What risks does multi-tenancy pose for your organization and how would it affect your cloud architecture? Multi-tenancy can exist in any cloud service model. A SaaS, a PaaS or equaivalently an IaaS service could be shared between multiple tenants. Multi-tenancy, although a key cost benefactor, introduces various security issues such as inadequate logical segrations between various tenants, data leakage, insufficient data separation, single point of failure of services for all tenants, etc. Different CSPs might be multi-tenant at different layers [18] e.g. one CSP might be multi-tenant at the hardware level and share a virtual machine with its subscribers and another might be multi-tenant at the database level and share the a database between its subscribers. Hence, it is vital to understand, before you go to cloud, how does your service provider handle multi-tenancy [19][20][21] . 2. Multi-tenancy Data management is another key deciding factor for the migration strategy you adopt. What kind of data will be handled and processed in the cloud, has the data already been classified e.g. Sensitive PII, PII, confidential, etc., where will it be stored (geo-lo- cation of the servers), how is the data flowing, how is it handled both when stored and when in transit, where is your DC actually located? You need to think about data management in terms of critical business processes, security, compliance, performance/ latency, repercussions in case of data loss, and other risks involved e.g. how would you ensure privacy of customer data, and compliance to legal and regulatory requirements. Is there a data lifecycle management process within the organization? Will there be a Data Loss Prevention (DLP) solution in your cloud infrastructure? With new and more stringent regulations such as GDPR and the recent Cambridge Analytica (CA) scandal [22] , transparency on data processing policies and data management lifecycle is all the more critical to business and operations. A transparent understanding and processes in place for data flow, data handling and seamless data integration in cloud can go a long way to prevent reputational loss or in case of a data leak, severe financial penalties. 3. Data classification and Management 9
  • 10. 4. Encryption and Key Management 5. Monitoring and Reporting There are various reasons why encryption and key management might play an important role in your cloud strategy such as key vaults for managing secrets and keys, encryption of specific data, encryption of entire virtual machines, etc. Furthermore, you must consider, where and how will the keys be stored? How will they be managed? Data segregation, and secure storage and management of data is critical to a public cloud environment especially due to multi-tenancy and particularly for the organizations where data breach is not only one of the biggest operational risks, but could also significantly damage the reputation and customer trust. Majority of the multi-tenant cloud applications provide data encryption and key management features for their customers, however, for other IaaS and PaaS services the overall data governance, data security and key management should be owned by the tenant, particularly where data loss is a great reputational risk. The organization must look into classifying data that is stored in the cloud in any form of IaaS, PaaS or SaaS model, and based upon the confidentiality and sensitivity level establish the requirements for encryption. Another reason for encryption of data might be legal and regulatory requirements in the geographic location where the data is stored or processed. Additionally, key management is vital to provide data security. A lock doesn’t help protect the asset if the key is left in the lock or if there are multiple copies of the key laying around without proper management of the ownership, access and permission. Logging, auditing and monitoring capabilities are as critical in cloud as on-premise. There are various third party solutions that provide managed monitoring and incident response services. The key deciding factors in assessing and engaging such services for your cloud environment are automation, auditing and reporting capabilities, timeliness and accuracy. There are also some challenges [23] that monitoring within the cloud environment entails. One is visibility at various levels across the cloud infrastructure. Similar to a layered approach for security defense, there is a need for a layered approach towards monitoring including IoT, network layer, physical servers, virtual OS layer, identity layer, access layer, etc. Another challenge is dynamicity and virtualization of resources within cloud. One must understand how do monitoring (SIEM) solutions handle such technical challenges for monitoring when a machine is spun down and back up at any instance. There are various models for third-party (managed) monitoring services. For example, you could choose an on-premise MSSP that takes into account and analyzes cloud SIEM reports, or you might prefer a fully cloud-based SOC or, as a yet other option, you might choose to go with a hybrid version. These are the considerations one needs to make There are various providers that offer different versions of integration and MSS [24] as their delivery models. It is important to understand which MSS model suits your organizational and business needs the best. 10
  • 11. Identity and Access Management (IAM) has been gaining more and more attention in the last years. Access is the new logical perimeter and identity a critical and valuable asset. Amongst all the security architecture considerations, in my opinion, IAM is one of the the most critical security areas and can be complicated to implement correctly and securely. With cloud technology, we don’t only need to manage identities, accounts and accesses but also: 1. manage the context and the logical relationships between them and 2. manage these across various platforms, infrastructure, third party integrations within the cloud environment. IAM as a Service (IDaaS) [25] and Cloud Access Security Broker (CASB) [26] are the latest trends. By 2020, use of IDaaS delivery model is predicted to increase from less than 20% up to 40% [16] . Additionally, 60% of large enterprises will use a CASB to govern cloud services by 2020, up from less than 10% in 2017 [27] . While IDaaS is a cloud service that provides management of identity and access including IAM governance and monitoring, CASBs serve as an access broker between the cloud service provider and its consumers, and provides more than just IAM and identity governance. A CASBs capabilities are spread across four pillars: Visibility, Compliance, Data Security and Threat Management [27] . Different IDaaS and CASB solutions from different vendors provide different capabilities. As far as IAM is concerned, one should assess the vendors and design an architecture reference model, in terms of capabilities such as: While, IDaaS could be a lightweight and homogenous solution for your IAM, at the same time, CASBs can provide a one-stop-shop for more security capabilities and get your money’s worth in a broader aspect. However, this trend could very well change. 1. JML (Joiners, Movers, Leavers) cycle and access request management - this is very basic and any average to good IAM tool should provide this 2. Access recertification and role-engineering 3. Identity governance, monitoring and auditing 4. Identity-based, conditional-based and behavior-based login and alerts 5. Approval workflows 6. Identity Analytics - analysis and discovery of access violations in order to help reduce risk 7. Privileged Access Management 8. Identity and context awareness across your cloud environment, etc. 6. Access Management 7. Business Continuity and Disaster Recovery What does your Business Continuity Plan (BCP) and Disaster Recovery (DR) strategy look like? What do you do in case the recovery sites also get affected due to being located in same region or just because multiple regions of the CSP get affected by a cyberattack? Redundancy is still the key here. One approach is to have separate providers, one for BAU and a separate one for BC and DR sites. Another option could be to still use a variant of a hybrid model and use on-premise infrastructure in case of a complete cloud service fail. The biggest disadvantage of later is latency and continuously incurring on-premise infrastructure costs even when you are mostly operating in cloud, defeating one of the objectives of migrating to cloud in the first place. Another important aspect in determining the cloud based DR strategy is the legal and regulatory requirements of the DR region and geographic location. 11
  • 12. Management of and investment in information security almost always boils down to managing business risks within the organization. One critical question that a CISO or CTO should ask is, ”how can I manage information and IT risks to help the management achieve their business goals while keeping the risks below the acceptable level”. Similarly, one question that the CEO, the management or the board should be invested in is, ”how can we ensure that information and IT risks do not affect the overall business risk profile negatively, understand where the enterprise risks could be business opportunities and ensure that the overall risks are kept below an acceptable level”. The following are the key components of an efficient cloud migration risk management strategy. Please note, the below aren’t components of risk management within cloud itself. However, they encapsulate the risk management framework prior to or while migrating to cloud. a) Management Support Do you have the business case for migrating to cloud? We discussed this briefly in Part 1 of this blog series. There should ideally be a business case that is approved by the management before your start with the migration project and implemen- tation. Similar to security projects in general, management buy-in is the most important and critical factors for success of a cloud migration project and development of an efficient strategy. It is vital that objectives of the cloud migration project are aligned with the business goals. There must be a business and project risk management workshop prior to kick off the migration project, to ensure the migration strategy and plan is aligned with the business requirements. b) Procurement and Vendor lock-in Procurement can be a hassle particularly with respect to time and compliance. Hence, it is a smart idea to have procurement team on board, and have the potential vendors fill out necessary information relevant for the cloud migration that is validated and approved by the procurement and the legal department. This assessment, among other things, should include verification towards: 1. Know your provider 2. Pricing and business objectives 3. Data governance and handling procedures 4. Standards and certifications adherence 5. SLAs, service terms and delivery 6. Security incident handling procedures 7. Reliability and disaster recovery 8. Support for migration to another CSP and exit planning to prevent vendor lock-in c) Business Disruptions during Migration In order to ensure a smooth migration to cloud, it is important that migration risks and business disruption risks are assessed and prepared for. It is important to manage and reduce risks due to changes to the production infrastructure and ensure minimal disruption to the business. The strategy used for migration depends a lot on what kind of migration is being done e.g. lift and shift, duplicating instances in the cloud, hybrid infrastructure, or adding new services to cloud, etc. In case of heavy migrations there might be a need for disaster recovery in place to spin up critical business services in case of a failure. In other cases, it might be necessary to make sure these migrations are done during non-operational window and so on. d) Application and Data Risk Assessment In order to design a secure architecture with the right controls in place for the business applications and data that are to be moved to the cloud, it is necessary that a risk assessment is done for each busines critical application or any application that processes sensitive PII or business critical data. Additionally, it is important do a risk assessment on how the data will be handled and processed by the third party service providers in the cloud. The security baseline for these application in the cloud should be at least as secure as on premise and for the better part of it, hopefully more securely configured. Other forms or security assessments, reviews, pentesting, etc. could be part of this phase. Business impact, security assessment and risk assessment at this stage can also provide you the facts and details on whether you can migrate to public cloud or would you need a private or a hybrid model. For example, some financial organizations might require critical banking and transaction systems to be migrated to private cloud only due to the criticality of the system and to maintain the confidentiality and integrity of the transactions. 8. Risk Assessment 12
  • 13. Having invested a lot in security within your on-premise infrastructure, a vital question to consider might be, how do I migrate not only the applications from an on-premise infrastructure to cloud but also the critical security tools. 9. Change Management 10. Security-as-a-Service Change management is vital before, during and after migration. This factor cannot be emphasized enough. Changes within cloud environment can happen at a much granular level and in a much faster cycle than on-premise. A good change management process, consisting of what to document, when and how to raise a Request For Change (RFC), the role and responsibility of the change management team, among other factors, is extremely vital for good governance and security within cloud. Additionally, it brings issues into view at an earlier stage, making the transition and adoption of cloud services a much smoother experience for the organization. There are pros and cons to each. Lift-and-shift of the existing tools might be the fastest and cheapest option but comes at the cost of the tools not being efficient and effective as they aren’t tailored towards the cloud environment. Added concern is that of shadow IT systems. One needs to ask: Whether and how do these tools cover these systems? In certain cases, the vendors might be able to provide you an upgrade and cloud compatible (SaaS) solutions for the same tool giving you the advantage of tool familiarity however still providing coverage towards all kinds of systems and applications within cloud including IoT devices and shadow IT systems. However, this would still mean managing and maintaining numerous amounts of security and monitoring tools within the cloud environment along with managing and maintaining numerous vendor relationships for different aspects of security services that they offer. An alternative to this might be deploying CASB solutions that provide multiple security services suitable for and aligned to your business needs. There is a third option of utilizing Security-as-a- Service (SECaaS) originating from the Software-as-a-Service (SaaS) model. SECaaS providers not only deliver security tools specifically designed for the cloud environment but also provide configuration, maintenance, management services towards your risk appetite. According to the Cloud Security Alliance there are 12 categories of SECaaS [28] . Apart from having a managed service in cloud, SECaaS provides the added advantage that many vendors provide multiple categories of SECaaS, thereby, reducing investment & operational costs, vendor relationship management whilst adding coherent and unified governance of security for your business. The downside, as with any form of outsourcing, is that transfer of risk does not remove the business’ liability and accountability. There are three basic options, at least: 1. Do I run the existing security tools and do a lift-and-shift? 2. Do I procure a cloud version of the tool? 3. Do I use and deploy a Security-as-a-Service? 13
  • 14. There isn’t a silver bullet to the security considerations and the approach for your cloud migration strategy however, I hope, this article will provide you a solid foundation for defining an efficient strategy, a secure architecture design for your cloud environment and help you tailor it towards your business strategy and business needs. No silver bullet 14
  • 15. [1] https://www.gartner.com/newsroom/id/3354117 [2] https://www.gartner.com/newsroom/id/3815165 [3] https://www.forbes.com/sites/louiscolumbus/2017/11/07 forresters-10-cloud-computing-predictions-for-20 18/#9e7ee104ae18 [4] https://en.wikipedia.org/wiki/Internet_of_things [5] https://en.wikipedia.org/wiki/OKR [6] Microsoft’s Shared Responsibilities for Cloud Computing, April 2017, v2.0 [7] https://cloudacademy.com/blog/aws-shared-responsibility-model-security/ [8] https://www.csoonline.com/article/3262972/ransomware/8-hot-cyber-security-trends-and-4-going-cold.html [9] https://en.wikipedia.org/wiki/Recovery_point_objective [10] https://en.wikipedia.org/wiki/Recovery_time_objective [11] https://www.asecurelife.com/the-worst-data-breaches-of-the-last-10-years/ [12] https://www.darkreading.com/risk/corporate-breaches-increase-chances-of-consumer-id-theft-study-says/ d/d-id/1132275 [13] https://www.pwc.com/us/en/cybersecurity/assets/revitalizing-privacy-trust-in-data-driven-world.pdf [14] https://www.veracode.com/security/byod-security [15] https://www.ibm.com/blockchain/identity/ [16] Gartner, Magic Quadrant for Identity and Access Management as a Service, Worldwide [17] https://blogs.oracle.com/futurestate/why-do-you-need-to-think-devops-if-you-are-adopting-cloud [18] https://www.gartner.com/doc/2058722?ref=g_sitelink [19] https://www.ibm.com/developerworks/cloud/library/cl-publictoprivatecloud/index.html [20] https://aws.amazon.com/ec2/dedicated-hosts/ [21] https://www.ibm.com/developerworks/cloud/library/cl-multitenantcloud/index.html [22] http://fortune.com/2018/04/10/facebook-cambridge-analytica-what-happened/ [23] https://searchcloudsecurity.techtarget.com/tip/Cloud-security-monitoring-Challenges-and-guidance [24] https://www.fortinet.com/content/dam/fortinet/assets/solution-guides/sg-mssp-cloud-security-solution.pdf [25] https://securityintelligence.com/what-is-idaas-a-ciso-clears-up-confusion-around-the-definition-of-cloud-iam/ [26] https://www.gartner.com/it-glossary/cloud-access-security-brokers-casbs/ [27] Gartner: Magic Quadrant for Cloud Access Security Brokers [28] https://downloads.cloudsecurityalliance.org/assets/research/security-as-a-service/csa-categories-securitie s-prep.pdf References: 15
  • 16. © 2018 PwC. Med enerett. I denne sammenheng refererer «PwC» seg til PricewaterhouseCoopers AS, Advokatfirmaet PricewaterhouseCoopers AS, PricewaterhouseCoopers Accounting AS og PricewaterhouseCoopers Skatterådgivere AS som alle er separate juridiske enheter og uavhengige medlemsfirmaer i PricewaterhouseCoopers International Limited.