The following story illustrates the struggles IT and security leaders encounter when undergoing cloud transformation. While Shira Sutton is fictitious, many real-life firms face similar pressure to fast-track cloud adoption. Selecting the right approach to cloud migration is not easy, but what can be even more difficult are the unanticipated hurdles that arise around compliance, resilience, data governance and identity management. Follow Shira’s decision-making process throughout her company’s cloud transformation journey, and consider what you may have done differently.
Shira Sutton had been handed the daunting task of cloud transformation.
“Do you think you can handle it?” Wendy Nguyen, the retail organization’s chief information officer (CIO), had asked several weeks prior.
As her organization’s IT director, Shira was no stranger to the cloud — or its cost reduction and operational efficiency potential. However, she was not looking forward to the enormous task ahead.
“Of course,” Shira said confidently. “I’m ready for whatever comes next.” While she wasn’t surprised to receive the directive from Wendy, she knew the move to the cloud would be riddled with challenges.
After a considerable amount of work, Shira was finally presenting a cloud transformation framework to the organization’s leadership team. She was looking forward to the flexibility and scalability benefits of the cloud, but she also had many concerns about how the shift would affect security.
Designing the ‘Right’ Type of Cloud
Shira and Wendy had a brief discussion about the “right” cloud approaches for the organization during their last meeting. Shira knew Wendy’s proposal of using a public cloud wasn’t necessarily the best option for their organization. She was worried about how a public cloud would impact her company’s legacy applications, critical workloads and sensitive data.
A multi-tenant environment could lead to diminished performance — and they certainly couldn’t afford to be the next highly publicized retail data breach. Shira also knew her organization was at risk of falling behind the curve when it came to cloud adoption, considering 83 percent of workloads will be cloud-based by 2020. She wondered if there were a way to hit fast forward on migration and achieve the digital transformation benefits of cloud now.
Shira presented the pros and cons of a multi-tenant public cloud strategy and private cloud to the leadership team, making a case for her preferred solution: a hybrid cloud that would allow the company to maintain control over its cloud workloads in a managed environment.
In fact, infrastructure-as-a-service (IaaS), just one aspect of the cloud, is currently experiencing 38.1 percent year-over-year growth. As adoption of cloud apps and services explodes worldwide, the number of options is also increasing at an overwhelming rate.
Taking a Vertical Approach to Cloud Migration
The leadership team asked Shira about many issues, including the commonness of hybrid clouds in enterprise settings and how they were trending compared to public clouds. She knew they shared her concerns about security risks, but she also realized their top priority (as business-minded executives) was cutting costs while preserving uptime and minimizing latency.
Shira explained that cloud adoption had dropped slightly in the past year but still stood at 51 percent in 2018. The team agreed with her recommendation, but Shira wanted to be sure the hybrid cloud was secure enough.
Scaling Governance to the Cloud
After the leadership team gave her recommendation the green light, Shira assembled a task force for vendor selection and spent weeks researching options. With the help of Wendy and other colleagues, she made her final selection and was deep in discussion with a representative from the newly hired vendor.
Armed with a list of questions, Shira sought to understand how her organization’s governance methods would scale to the cloud. Most importantly: Would her cloud workloads be compliant with industry and regulatory requirements?
Assessing Cloud Vendor Security
Shira felt assuaged by the vendor’s explanation of its approach to security and controls. The conversation addressed her concerns about data compliance and encryption. It also helped her understand the company’s well-defined approach to scaling private cloud to hybrid cloud deployments.
While Shira wasn’t fully sold on the vendor’s promise of seamless policy management during the cloud migration, she felt confident in its commitment to availability and data protection. At the end of the conversation, the provider sent up-to-date copies of its certifications.
After she received those documents, Shira followed up with the compliance team about regulatory requirements. She wasn’t entirely sure how she’d achieve always-on compliance in the cloud.
Resilience and Incident Response Planning
Over the next few weeks, Shira turned her attention to resilience planning. With her organization’s workload primed for residency in a more diverse environment, Shira was aware the organization’s strategy for availability and risk response was about to evolve significantly. The purpose of this evolution was to accommodate her customers’ and employees’ need for always-on availability and on-demand access.
Shira carefully outlined the importance of a comprehensive resilience and response plan to the leadership team. While the executives were aware of the crushing cost of a data breach, they agreed with Shira’s assertion that even a 15-minute period of downtime was intolerable.
The retailer’s current response and resilience approach weren’t anywhere near industry standards. Its existing data backups and failover solutions certainly weren’t foolproof. However, Shira felt overwhelmed by the simple fact that cloud adoption required a more complex approach to infrastructure, which meant more business risks to manage.
Choosing Rapid Recovery
Business resilience and incident response planning was no joke. Shira used the cloud transformation as a long-overdue opportunity to create a stable plan for potential breaches, failover and disaster recovery. However, that was easier said than done.
Shira chose to focus on rapid recovery. She felt confident that vendor-recommended solutions for high-speed recovery could mitigate risks during downtime, failover or other incidents. Risk tolerance is complex, but Shira knew her team needed to be able to respond to the unexpected and recover quickly.
While Shira was careful to emphasize the realities of security and resilience risks, both she and Wendy agreed response-based resilience planning was the right approach. They decided to invest in regularly verified cloud backups to cover all the bases. Ideally, Shira hoped the organization wouldn’t have to face an unplanned outage or service interruption.
Migrating Identity and Access Management
As she finalized her retail organization’s move to the hybrid cloud, Shira faced the need to scale another mountain: issues of identity and access management (IAM) in the cloud. She also wasn’t the only one worried about this side of cloud risks. Wendy had recently dug into some research on security risks that revealed that compromised or stolen credentials were behind a massive proportion of data breaches.
Like many other organizations in retail, Shira understood her organization’s IAM challenges were immense. There were always remote access challenges, such as the organization’s distributed workforce and high employee turnover in the industry.
Existing governance at Shira’s organization was far from automated — and best described as a patchwork of policy-based administration across many different legacy apps and services. Internal IAM challenges also weren’t as tough as external ones. The organization faced an ongoing need to protect customers’ online data and mitigate fraud while providing a seamless omnichannel retail experience.
The impending move to the hybrid cloud was the perfect opportunity to reevaluate the company’s existing systems and policies for identity and access governance. But Shira wasn’t even sure where to start when it came to creating a more straightforward mode of managing users and their access to data.
Performing Manual IAM Review
Shira drew up a post-migration plan for reviewing identity and access for each component of the organization after cloud adoption, including the retailer’s customer-facing apps, internal apps and systems infrastructure.
She also tackled the long-overdue task of updating her organization’s current IAM processes, policies and controls. Shira worked closely with the cloud vendor during this process to understand how current policy-based administration efforts would scale to the cloud. Based on the provider’s recommendations, she began to document testing policies for IAM migration post-deployment.
Preparation Is Key to Cloud Success
Shira knew moving to the cloud would be simpler if the organization had a solid groundwork for managing data, risks, people and policies. However, she didn’t have time to redesign its governance strategy from the ground up before migration day.
By the time the go-live date finally rolls around, would Shira feel confident her organization is entering a new era of cloud computing? Or would she instead continue to worry about security, continuity and access risks?
This type of cloud experience isn’t rare: Many organizations struggle to keep their cloud transformation goals on track when they encounter unanticipated obstacles around regulatory compliance, resilience, data governance and identity management.
Shira constantly worried about her options throughout the cloud transformation experience. What if she’d made the wrong recommendations around cloud adoption? Would her organization absorb new security risks, compromise resilience or discover massive issues during deployment testing because legacy systems weren’t functioning correctly or securely in the cloud?
A Smarter Approach to Cloud Transformation
Shira didn’t need to worry about missed opportunities on the road to cloud transformation or risk realization. To overcome the barriers to cloud success, she could have enlisted expert assistance to create a multiyear plan for cloud migration. She also could have invested in managed hybrid cloud services to unlock an easy-to-manage, centralized infrastructure instead of increased complexity.
In addition, Shira’s team could’ve taken a proactive stance on incident response and intelligence services for resilience planning. Finally, IAM and cloud identity services could have helped Shira create a seamless bridge between on-premises and cloud infrastructure.
Cloud adoption may be necessary to help organizations achieve an agile advantage — but it certainly isn’t simple. As Shira discovered, the journey to the cloud is filled with challenges and potential detours. Fortunately, with expert guidance and best-of-breed solutions for secure cloud adoption, it’s possible to confidently bridge secure operations in any combination of on-premises, private, public or hybrid cloud deployment.
Market Segment Manager, IBM X-Force and Security Intelligence