The Three Questions to Ask Before Migrating to the Cloud

While cloud migration and adoption have become commonplace in the enterprise, many companies in highly regulated industries have remained skeptical despite the fanfare. They’re cautious about diving into the unknown because of the perceived risks of making the switch from on-premise deployments to the cloud.

On-premise is often associated with control: the data sits on the organization’s own servers, where the organization controls it. When that data is moved from on-premise to a cloud service provider, the concern is how to maintain high levels of control and transparency. To address this barrier to adoption, here are three questions you should ask your cloud provider to ensure that control and transparency are at the forefront of your cloud migration.

1. How much control does the cloud give me?
Organizations tend to equate physical proximity to data with the degree of control that they have. This is especially true for on-premise versus cloud where organizations may instinctively feel that they have more control of their data when it is on servers they own.

To help alleviate this misconception, cloud providers must be able to clearly demonstrate that their product’s self-service features permit the organization to fully manage all aspects of its business securely in the cloud. This should include full logical access controls and data separation, as well as having a comprehensive authentication and role-based management program that can meet the organization’s internal business needs.

The cloud provider must allow the organization to technically control what level of access, if any, the provider should have to the organization’s data in the cloud. Of key importance is that the organization must be able to validate that the cloud provider is a good cultural fit. Many organizations are subject to a high degree of regulation and are regularly audited by auditors and regulators.

The cloud provider must be able to demonstrate to the organization that it has a strong, proven track record of managing highly controlled and regulated data, and that it has an audit or trust program in place that will help organizations pass third-party audits when their data is stored in the cloud.

2. How much data visibility does the cloud provide?
Organizations leveraging on-premise services are used to having full visibility into how their data is managed locally. In the cloud, organizations don’t own the service or the data centers. Many organizations ask: in the event of a security breach, what if the cloud provider doesn’t disclose the breach right away? Organizations can’t afford to find out about a breach weeks, months or years later. They need to know as soon as possible, and certainly within the first forty-eight hours.

Because of this, it is important that the organization continues to have full visibility into how its data is being stored, processed, accessed and transmitted in the cloud. The service agreements with the cloud provider should clearly describe how the organization’s data is to be managed and protected in the cloud. Apart from strong contractual controls, the organization must have near real-time visibility into how its data is managed by the cloud provider.

As such, the cloud provider should expose strong logging and alerting capabilities that empower an organization to see, in near real time, almost every interaction with its data, including all data access and changes.

3. How do I keep up with the increased rate of change?
Organizations relying on traditional on-premise deployments are often used to software updates that are shipped infrequently. This is because internal teams need to do painstaking work to ensure the updates do not break the service. This ‘slow to upgrade’ on-premise model often results in increased security risk for the company, as security patches can be delayed.

Cloud, on the other hand, is agile, with changes occurring weekly or even daily. While this continuous cloud security deployment model is highly beneficial to an organization, it also means that the organization must be able to update its internal processes to support this always-on, ever-changing cloud.

Though the cloud is newer and more open across the board, any organization should be cautious about moving to a new service model. For cloud providers to alleviate the concerns of regulated industries, they need to set expectations on control and transparency from the start.

Organizations must ensure that they address any and all concerns in the contract, not just in conversations. By asking the right questions, organizations can alleviate fears of data control, transparency and security, and open up to the efficiencies of the cloud.
