During the last decade, conversations about cloud migration and transformation, as well as cloud security, have been ubiquitous among business owners. With Gartner’s most recent forecast of an 18.4% increase in worldwide public spending on cloud services in 2021, totaling almost $305 billion, it is clear this trend is only heading upward. But what are the risks that come with this cloud transition?

Knowing the risks and mitigation strategies involved is essential. After all, it enables businesses to make informed decisions about their cloud journey. This article explores the risks that come with cloud migration. Whether your company is just starting its cloud journey or already operating within the cloud, IBM has road maps for both.

For Companies Starting Their Journey

Companies at the beginning of their cloud roadmap must consider the following challenges:

Providers’ Roles in Cloud Security

Moving data from on-premises to the cloud can be confusing and lead to misconfigured servers, opening the door to potential cyber threats. This was the case with the April 2019 Facebook Amazon Web Services server breach, resulting in over 540 million accounts being exposed. These instances are a stark reminder of how vulnerable data can be during cloud migration.

Solution: Leading cloud providers offer built-in security to the cloud environment. Since they own the cloud environment, it is both their duty and within their interests to ensure security of the cloud. However, the users of the service are responsible for the security in the cloud – therefore the responsibility is shared under the shared responsibility model.

Reskilling and Resourcing Teams

Vital changes in company strategy require a shift in its employees’ skill base. Cloud migration requires more management and training of employees using new cloud apps. In the interim, this may leave a company’s security posture at risk.

Solution: The journey to the cloud will require the inevitable upskilling of employees. Hiring a strong security team and more DevOps engineers will help bolster the transition. They can reconfigure the cloud environment and assure data security in the cloud long term, offsetting the short-term costs of retraining staff.

Creating a Clear Cloud Migration Strategy

Key decisions prior to moving to the cloud will lead to a smooth transition. Failure to do so could complicate the process and leave a company open to cyber threats. Choices include using one cloud provider or a mix, which can result in vendor lock-in or a costlier and more complex environment, respectively. Also, deciding which data will reside on-premises and which will reside in the cloud at an early stage will provide clarity from the offset. Ensuring governance and a target operating model are in place prior to migration will pay dividends down the line.

Solution: Planning and strategy. Begin by performing a cloud security assessment to create a stronger, more flexible roadmap for your cloud journey. Assessing which data will be moved to the cloud, and in what format, will result in a clear migration strategy destined to succeed. Furthermore, IBM’s use of open-source tools, such as the recent adoption of Kubernetes, allows cloud apps to work together seamlessly. This creates a cloud system that is both flexible and secure.

For Companies Already Running in the Cloud

Companies already residing in the cloud should be aware of the following safety concerns:

Lack of Insight and Control

What if you operate within another entity’s data center and share data ownership? You may run into trouble with a lack of visibility and control over your company’s own data. These ‘blurred lines’ can lead to confusion or doubt over who is supposed to take care of what. According to an IBM survey, 44% of respondents believed they could not rely on their cloud provider for even baseline security.

Solution: Implement security information and event management (SIEM) tools. Doing so will improve the visibility of your data by providing real-time updates of information security systems. Management of event logs will further streamline this outlook and provide the insight required to support a company’s cloud migration.

Cloud Security and Access

Application programming interfaces (APIs) provision, manage and implement assets across cloud applications. As these connect to the internet via the cloud, there’s more potential for attackers to infiltrate the environment. And if they do, all cloud assets are at risk. For example, according to IBM X-Force Incident Response and Intelligence Services (IRIS) in June 2020, 45% of cloud-related threats were via app exploitation. In this way, cyber criminals can amplify the impact of their access to the cloud, developing data theft into other areas such as cryptomining and ransomware.

Solution: Implement strong identity and access management protocols. Companies should deploy policies such as multi-factor authentication and minimum password standards to add safeguards against threats. Restricting access on a least-privileged basis limits the number of privileged accounts, which, in the hands of a malicious actor, could leave a company’s cloud infrastructure at risk.

Malware, Ransomware and Data Theft

Cyber criminals can infiltrate the cloud via phishing emails and poorly configured storage servers. Moreover, the constant movement of data to and from the cloud has increased the number of opportunities for cyber criminals to intercept data. Hence, there are more chances to attack not only the cloud but also client networks and linked devices.

Solution: Apply security measures. These include conducting training and awareness programs among employees, including phishing simulations. Implementing pre-emptive detection and response capabilities and data security solutions will actively seek out and eradicate threats before they develop into a serious issue.

Cloud Security Migration Tools for All

With most businesses only 20% of the way into their cloud adoption, the cloud migration journey continues to be relevant in client conversations across all industries. No matter what stage a business is in its cloud journey, IBM is on hand with specialist services tailored to your business need.

More from Application Security

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

Twitter is the New Poster Child for Failing at Compliance

All companies have to comply with privacy and security laws. They must also comply with any settlements or edicts imposed by regulatory agencies of the U.S. government. But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private. The Musk Factor Technology visionary and Silicon Valley founder and CEO, Elon Musk, bought social network Twitter in October for $44…