Migrating IT workloads can be challenging. Challenges can compound when the migration includes mission-critical data, infrastructure and moving to the cloud. While, to date, there is no single method for all sizes and types of cloud migration, you can significantly bolster your chances of cloud security success by leveraging best practices and a well-executed plan.
Once your organization has reached internal alignment and is committed to moving to the cloud, it will then likely need a defined action plan to move forward. Whether your organization is moving to the cloud because it wants to build more scalability and flexibility into its systems or has embraced a cloud-first approach overall to new product acquisition, you will want to quickly realize these benefits. To get to this state, you must also be successful in completing the transition to this new environment. At a minimum, the following five considerations should be considered part of any successful cloud migration strategy.
Establish a Baseline
In scope for a baseline of your current environment should be all of your business rules, content policies, configurations and any applications that you may be running or plan on running in your environment. This inventory should also provide a map of current roles and responsibilities, including the individuals required to operate as well as migrate your systems.
As roles, systems and processes will likely change, you should also view your migration as an inflection point; the opportunity for your organization to redesign controls and align to industry standards and cloud security best practices. As an added benefit, this baseline can help force the organization to articulate its desired end state goals, their vision of what a successful cloud migration looks like and how success will be measured.
Hire a Professional Services Organization
While software-as-a-service (SaaS) is an excellent way to run applications with lower overall internal overhead, a different set of skills is required to manage the change over from an on-premises to a cloud environment. If you are already facing issues accessing skilled resources to run your existing environments, you likely will be challenged in finding the skills necessary to also plan for and execute a successful cloud migration.
A product-focused professional services engagement can help accelerate your transition and ensure that your cloud security deployment is a success. Professional services teams typically bring established industry frameworks, capabilities and maturity to engagements. In conjunction, you can define a particular scope of work and set an agreed-upon timeline tied to a particular set of deliverables — you agree in advance what will be delivered and when.
Migrate Your Data
Before determining how to physically migrate your data, you should determine the amount of data and the time period of data in scope for your migration. You should answer, for example, whether you will cutover all data at once or ramp up your new environment over time while you transition from on-premises to cloud. Or, does your envisioned future state involve maintaining on-premises and cloud environments in a hybrid model?
The answers to these questions will ultimately drive your approach and should be tailored to your particular industry or line of business. In general, a longer cloud migration window — in other words, adding more time to your migration — can help lower risks typically associated with large-scale cloud migrations, including the potential for data loss or issues with service continuity.
Once you have determined the subset (or superset) of data to be transitioned, you can then determine the means of transporting this data. For smaller datasets, you may be able to get away with securely streaming data over the public internet or dedicated private networks. For larger data migrations, you may choose to employ a secure disk migration strategy whereby terabytes or even petabytes can be securely migrated at scale to your new environment.
Validate Success on Day One
All of your planning will eventually come to the moment of execution. With your baseline firmly established and your success criteria defined, you need to deploy your cloud security plan. As plans turn into actions, one of the best ways to codify your run book and ensure that you have operational readiness is through the clear delineation and documentation of roles and responsibilities. If you have a RACI document in place, you can understand clearly, for all activities or decisions associated with the new environment, who will be responsible, accountable, consulted or informed.
Once you validate the project has met the success criteria for the migration, you can move to steady-state operations and perform project close-out activities, including capturing any lessons learned and identifying subsequent activity that may need to be tracked as part of a subsequent phase. Beyond a successful launch, establishing periodic check-ins either monthly or quarterly can help ensure that you stay on track and continue to meet goals that you initially set out to accomplish with your migration.
Create a Cloud Security Plan for the Future
A complete cloud security plan should also include a strategy to ensure portability and future extensibility. A plan that effectively future proofs your solution can help build resiliency into your business model and increase your chances of a successful cloud migration overall. As a part of ensuring future interoperability and data portability, demand the adoption of open standards and protocols. Open standards — for example, STIX, TAXII and Parquet — can help ensure the future extensibility of your solution and safeguard you from creating data islands or facing vendor lock-in. Ultimately, it can give you the confidence that your data will remain usable and interoperable into the foreseeable future.
Are you ready now?
With the right planning and execution, you can accelerate the migration of even complex on-premises workloads and use cases to the cloud. With a well-structured plan, the right resources and the right oversight, you will be on your way to realizing the clear and tangible benefits that can be achieved with SaaS cloud security.
Listen to the Defense in Depth podcast on securing hybrid cloud
Program Director for QRadar Cloud, SaaS and MSSP, IBM Security