A Tricky Transition: Why Organizations Struggle with Secure, Multi-Cloud Migrations

A decade or more ago, companies were asking themselves, “Should we start using the cloud?” Today, they’re more likely to ask, “How many clouds should we use?” In fact, 84 percent of organizations have a multi-cloud strategy, up from 81 percent in 2018, according to research from Flexera.

On average, they are leveraging nearly five clouds. They’re also embracing the hybrid cloud in increasing numbers, with 58% committing to a hybrid strategy, up from 51% in 2018.

With this, migration appears to be a constant, universal work-in-progress, as nearly seven of ten global organizations are currently moving business-critical applications to the cloud, according to survey research from the Cloud Security Alliance (CSA).

Yet, as they make this transition, do they stay ahead of cloud-based cyber threats by putting security first, across all environments? Or do they treat it like an afterthought – something to “deal with later” after the big move is made? A migration is like moving to a different nation, with so many adjustments that must be made to accommodate systems impacting business strategies, sales teams, inventory tracking, employee benefits, etc.

Frankly, it’s complicated, to the point where most data center managers suffer sleepless nights until it’s over. So it’s understandable if they take the position of “Migration first. Security later.” Understandable, that is, but not advisable.

Why? Because foreboding questions about the protection of data remain unresolved, as more than nine of ten surveyed cybersecurity and IT professionals are concerned about cloud security, according to the most recent Cloud Security Spotlight report from Alert Logic and Cybersecurity Insiders. The biggest concerns are data loss/leakage (as cited by 67% of survey respondents), data privacy (61%), confidentiality (53%) and accidental exposure (47%).

When asked what they thought were the biggest threats in public clouds, 62% of respondents cited misconfigurations of the cloud platform/wrong set-ups, followed by unauthorized access (55%), insecure interfaces/APIs (50%) and the hijacking of accounts, services or traffic (47%).

The potential for significant damage is high. To cite just one recent example, a breach reported in July affected the accounts and credit card applications of more than 100 million US and six million Canadian Capital One customers. It was tied to workloads hosted on Amazon Web Services (AWS): a bad actor allegedly exploited a misconfigured web application firewall to break into a Capital One server and access 140,000 Social Security numbers and 80,000 bank account numbers, as well as customer credit scores, balances, contact information and other data, according to a statement from the bank.

While the incident stands out as one of the biggest in history, the hacker’s exploit methodology is common. Web application attacks, in fact, account for 75% of all cybersecurity incidents, according to the most recent Cloud Security Report from Alert Logic. In its 2019 Data Breach Investigations Report, Verizon reports that 62 percent of breaches occur at the web application layer.

Companies are clearly still investing in multi-cloud migrations given the wealth of business benefits, which include reduced costs, increased efficiencies, shorter timelines for projects, etc.

Yet, the multi-cloud environment brings unique risks due to its complexity. There are major public cloud providers along with an ecosystem of smaller “as a service” vendors. Hackers will trigger breaches in both, with no rhyme or reason to help security teams anticipate when trouble is coming. Indeed, predicting threats in a multi-cloud environment is like predicting the stock market – except for the adversaries.

In addition, the environment requires that customers take a “shared responsibility” approach to protecting assets in the cloud. With this approach, the various providers are responsible for defending the individual clouds in play for the customer organization. The customer organization is responsible for what’s in the cloud, so it must maintain and safeguard the servers, applications and data that it migrates and runs.

Even within an effectively secured shared responsibility structure, a customer organization will still run into “gotcha” issues, such as combining multiple complex cloud environments after a merger or challenges created by new regulatory legislation.

Given this, it’s critical to adopt best practices before any migration even begins – and commit to them throughout. Here are three to strongly consider:

  • “Envelope” the migration in security so cloud-destined assets are protected from the start and security is built around the migration at every phase.
  • Think beyond “tools” and more about how and where your cloud provider will deploy them, and whether the provider can scale resources up and down as you progress through different stages of migration.
  • Use security proven in multi-cloud environments.

The current state of relentless tech innovation is changing our world every day, and that includes constant shifts in the cloud … Ten years ago, would we ever have imagined what makes for the “cloud playbook” today? Probably not. Likewise, the hacker playbook continues to shift.

We need to recognize this, and respond accordingly by thinking security first, second and last – no matter how many clouds we are using, and what kind of clouds they are.
