During the last decade, conversations about cloud migration and transformation, as well as cloud security, have been ubiquitous among business owners. With Gartner’s most recent forecast of an 18.4% increase in worldwide public spending on cloud services in 2021, totaling almost $305 billion, it is clear this trend is only heading upward. But what are the risks that come with this cloud transition?

Knowing the risks and mitigation strategies involved is essential. After all, it enables businesses to make informed decisions about their cloud journey. This article explores the risks that come with cloud migration. Whether your company is just starting its cloud journey or already operating within the cloud, IBM has road maps for both.

For Companies Starting Their Journey

Companies at the beginning of their cloud roadmap must consider the following challenges:

Providers’ Roles in Cloud Security

Moving data from on-premises to the cloud can be confusing and lead to misconfigured servers, opening the door to potential cyber threats. This was the case with the April 2019 Facebook Amazon Web Services server breach, resulting in over 540 million accounts being exposed. These instances are a stark reminder of how vulnerable data can be during cloud migration.

Solution: Leading cloud providers offer built-in security to the cloud environment. Since they own the cloud environment, it is both their duty and within their interests to ensure security of the cloud. However, the users of the service are responsible for the security in the cloud – therefore the responsibility is shared under the shared responsibility model.

Reskilling and Resourcing Teams

Vital changes in company strategy require a shift in its employees’ skill base. Cloud migration requires more management and training of employees using new cloud apps. In the interim, this may leave a company’s security posture at risk.

Solution: The journey to the cloud will require the inevitable upskilling of employees. Hiring a strong security team and more DevOps engineers will help bolster the transition. They can reconfigure the cloud environment and assure data security in the cloud long term, offsetting the short-term costs of retraining staff.

Creating a Clear Cloud Migration Strategy

Key decisions prior to moving to the cloud will lead to a smooth transition. Failure to do so could complicate the process and leave a company open to cyber threats. Choices include using one cloud provider or a mix, which can result in vendor lock-in or a costlier and more complex environment, respectively. Also, deciding which data will reside on-premises and which will reside in the cloud at an early stage will provide clarity from the offset. Ensuring governance and a target operating model are in place prior to migration will pay dividends down the line.

Solution: Planning and strategy. Begin by performing a cloud security assessment to create a stronger, more flexible roadmap for your cloud journey. Assessing which data will be moved to the cloud, and in what format, will result in a clear migration strategy destined to succeed. Furthermore, IBM’s use of open-source tools, such as the recent adoption of Kubernetes, allows cloud apps to work together seamlessly. This creates a cloud system that is both flexible and secure.

For Companies Already Running in the Cloud

Companies already residing in the cloud should be aware of the following safety concerns:

Lack of Insight and Control

What if you operate within another entity’s data center and share data ownership? You may run into trouble with a lack of visibility and control over your company’s own data. These ‘blurred lines’ can lead to confusion or doubt over who is supposed to take care of what. According to an IBM survey, 44% of respondents believed they could not rely on their cloud provider for even baseline security.

Solution: Implement security information and event management (SIEM) tools. Doing so will improve the visibility of your data by providing real-time updates of information security systems. Management of event logs will further streamline this outlook and provide the insight required to support a company’s cloud migration.

Cloud Security and Access

Application programming interfaces (APIs) provision, manage and implement assets across cloud applications. As these connect to the internet via the cloud, there’s more potential for attackers to infiltrate the environment. And if they do, all cloud assets are at risk. For example, according to IBM X-Force Incident Response and Intelligence Services (IRIS) in June 2020, 45% of cloud-related threats were via app exploitation. In this way, cyber criminals can amplify the impact of their access to the cloud, developing data theft into other areas such as cryptomining and ransomware.

Solution: Implement strong identity and access management protocols. Companies should deploy policies such as multi-factor authentication and minimum password standards to add safeguards against threats. Restricting access on a least-privileged basis limits the number of privileged accounts, which, in the hands of a malicious actor, could leave a company’s cloud infrastructure at risk.

Malware, Ransomware and Data Theft

Cyber criminals can infiltrate the cloud via phishing emails and poorly configured storage servers. Moreover, the constant movement of data to and from the cloud has increased the number of opportunities for cyber criminals to intercept data. Hence, there are more chances to attack not only the cloud but also client networks and linked devices.

Solution: Apply security measures. These include conducting training and awareness programs among employees, including phishing simulations. Implementing pre-emptive detection and response capabilities and data security solutions will actively seek out and eradicate threats before they develop into a serious issue.

Cloud Security Migration Tools for All

With most businesses only 20% of the way into their cloud adoption, the cloud migration journey continues to be relevant in client conversations across all industries. No matter what stage a business is in its cloud journey, IBM is on hand with specialist services tailored to your business need.

More from Application Security

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Audio-jacking: Using generative AI to distort live audio transactions

7 min read - The rise of generative AI, including text-to-image, text-to-speech and large language models (LLMs), has significantly changed our work and personal lives. While these advancements offer many benefits, they have also presented new challenges and risks. Specifically, there has been an increase in threat actors who attempt to exploit large language models to create phishing emails and use generative AI, like fake voices, to scam people. We recently published research showcasing how adversaries could hypnotize LLMs to serve nefarious purposes simply…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today