The following story illustrates the struggles IT and security leaders encounter when undergoing cloud transformation. While Shira Sutton is fictitious, many real-life firms face similar pressure to fast-track cloud adoption. Selecting the right approach to cloud migration is not easy, but what can be even more difficult are the unanticipated hurdles that arise around compliance, resilience, data governance and identity management. Follow Shira’s decision-making process throughout her company’s cloud transformation journey, and consider what you may have done differently.

Shira Sutton had been handed the daunting task of cloud transformation.

“Do you think you can handle it?” Wendy Nguyen, the retail organization’s chief information officer (CIO), had asked several weeks prior.

As her organization’s IT director, Shira was no stranger to the cloud — or its cost reduction and operational efficiency potential. However, she was not looking forward to the enormous task ahead.

“Of course,” Shira said confidently. “I’m ready for whatever comes next.” While she wasn’t surprised to receive the directive from Wendy, she knew the move to the cloud would be riddled with challenges.

After a considerable amount of work, Shira was finally presenting a cloud transformation framework to the organization’s leadership team. She was looking forward to the flexibility and scalability benefits of the cloud, but she also had many concerns about how the shift would affect security.

Designing the ‘Right’ Type of Cloud

Shira and Wendy had a brief discussion about the “right” cloud approaches for the organization during their last meeting. Shira knew Wendy’s proposal of using a public cloud wasn’t necessarily the best option for their organization. She was worried about how a public cloud would impact her company’s legacy applications, critical workloads and sensitive data.

A multi-tenant environment could lead to diminished performance — and they certainly couldn’t afford to be the next highly publicized retail data breach. Shira also knew her organization was at risk of falling behind the curve when it came to cloud adoption, considering 83 percent of workloads will be cloud-based by 2020. She wondered if there were a way to hit fast forward on migration and achieve the digital transformation benefits of cloud now.

Shira presented the pros and cons of a multi-tenant public cloud strategy and private cloud to the leadership team, making a case for her preferred solution: a hybrid cloud that would allow the company to maintain control over its cloud workloads in a managed environment.

In fact, infrastructure-as-a-service (IaaS), just one aspect of the cloud, is currently experiencing 38.1 percent year-over-year growth. As adoption of cloud apps and services explodes worldwide, the number of options is also increasing at an overwhelming rate.

Taking a Vertical Approach to Cloud Migration

The leadership team asked Shira about many issues, including the commonness of hybrid clouds in enterprise settings and how they were trending compared to public clouds. She knew they shared her concerns about security risks, but she also realized their top priority (as business-minded executives) was cutting costs while preserving uptime and minimizing latency.

Shira explained cloud adoption had dropped slightly in the past year but was still at 51 percent in 2018. While the team agreed, Shira wanted to be sure the hybrid cloud was secure enough.

Scaling Governance to the Cloud

After the leadership team gave her recommendation the green light, Shira assembled a task force for vendor selection and spent weeks researching options. With the help of Wendy and other colleagues, she made her final selection and was deep in discussion with a representative from the newly hired vendor.

Armed with a list of questions, Shira sought to understand how her organization’s governance methods would scale to the cloud. Most importantly: Would her cloud workloads remain compliant with industry standards and regulatory requirements?

Assessing Cloud Vendor Security

Shira felt assuaged by the vendor’s explanation of its approach to security and controls. The conversation addressed her concerns about data compliance and encryption. It also helped her understand the company’s well-defined approach to scaling private cloud to hybrid cloud deployments.

While Shira wasn’t fully sold on the vendor’s promise of seamless policy management during the cloud migration, she felt confident in its commitment to availability and data protection. At the end of the conversation, the provider sent up-to-date copies of its certifications.

After she received those documents, Shira followed up with the compliance team about regulatory requirements. She wasn’t entirely sure how she’d achieve always-on compliance in the cloud.

Resilience and Incident Response Planning

Over the next few weeks, Shira turned her attention to resilience planning. With her organization’s workload primed for residency in a more diverse environment, Shira was aware the organization’s strategy for availability and risk response was about to evolve significantly. The purpose of this evolution was to accommodate her customers’ and employees’ need for always-on availability and on-demand access.

Shira carefully outlined the importance of a comprehensive resilience and response plan to the leadership team. The executives were already aware of the crushing cost of a data breach, and they agreed with Shira’s assertion that even a 15-minute period of downtime was intolerable.

The retailer’s current response and resilience approach wasn’t anywhere near industry standards. Its existing data backups and failover solutions certainly weren’t foolproof. However, Shira felt overwhelmed by the simple fact that cloud adoption required a more complex approach to infrastructure, which meant more business risks to manage.

Choosing Rapid Recovery

Business resilience and incident response planning was no joke. Shira used the cloud transformation as a long-overdue opportunity to create a stable plan for potential breaches, failover and disaster recovery. However, that was easier said than done.

Shira chose to focus on rapid recovery. She felt confident that vendor-recommended solutions for high-speed recovery could mitigate risks during downtime, failover or other incidents. Risk tolerance is complex, but Shira knew her team needed to be able to respond to the unexpected and recover quickly.

While Shira was careful to emphasize the realities of security and resilience risks, both she and Wendy agreed response-based resilience planning was the right approach. They decided to invest in regularly verified cloud backups to cover all the bases. Ideally, Shira hoped the organization wouldn’t have to face an unplanned outage or service interruption.

Migrating Identity and Access Management

As she finalized her retail organization’s move to the hybrid cloud, Shira faced the need to scale another mountain: issues of identity and access management (IAM) in the cloud. She also wasn’t the only one worried about this side of cloud risks. Wendy had recently dug into some research on security risks that revealed that compromised or stolen credentials were behind a massive proportion of data breaches.

Like many other organizations in retail, Shira’s company faced immense IAM challenges, and she knew it. There were always remote access challenges, such as the organization’s distributed workforce and the high employee turnover in the industry.

Existing governance at Shira’s organization was far from automated — and best described as a patchwork of policy-based administration across many different legacy apps and services. Internal IAM challenges also weren’t as tough as external ones. The organization faced an ongoing need to protect customers’ online data and mitigate fraud while providing a seamless omnichannel retail experience.

The impending move to the hybrid cloud was the perfect opportunity to reevaluate the company’s existing systems and policies for identity and access governance. But Shira wasn’t even sure where to start when it came to creating a more straightforward mode of managing users and their access to data.

Performing Manual IAM Review

Shira worked to tackle a post-migration plan for reviewing identity and access for each component of the organization post-cloud adoption, including the retailer’s customer-facing apps, internal apps and systems infrastructure.

She also tackled the long-overdue task of updating her organization’s current IAM processes, policies and controls. Shira worked closely with the cloud vendor during this process to understand how current policy-based administration efforts would scale to the cloud. Based on the provider’s recommendations, she began to document testing policies for IAM migration post-deployment.

Preparation Is Key to Cloud Success

Shira knew moving to the cloud would be simpler if the organization had a solid groundwork for managing data, risks, people and policies. However, she didn’t have time to redesign its governance strategy from the ground up before migration day.

By the time the go-live date finally rolled around, would Shira feel confident her organization was entering a new era of cloud computing? Or would she instead continue to worry about security, continuity and access risks?

This type of cloud experience isn’t rare: Many organizations struggle to keep their cloud transformation goals on track when they encounter unanticipated obstacles around regulatory compliance, resilience, data governance and identity management.

Shira constantly worried about her options throughout the cloud transformation experience. What if she’d made the wrong recommendations around cloud adoption? Would her organization absorb new security risks, compromise resilience or discover massive issues during deployment testing because legacy systems weren’t functioning correctly or securely in the cloud?

A Smarter Approach to Cloud Transformation

Shira didn’t need to worry about missed opportunities on the road to cloud transformation or risk realization. To overcome the barriers to cloud success, she could have enlisted expert assistance to create a multiyear plan for cloud migration. She also could have invested in managed hybrid cloud services to unlock an easy-to-manage, centralized infrastructure instead of increased complexity.

In addition, Shira’s team could’ve taken a proactive stance on incident response and intelligence services for resilience planning. Finally, IAM and cloud identity services could have helped Shira create a seamless bridge between on-premises and cloud infrastructure.

Cloud adoption may be necessary to help organizations achieve an agile advantage — but it certainly isn’t simple. As Shira discovered, the journey to the cloud is filled with challenges and potential detours. Fortunately, with expert guidance and best-of-breed solutions for secure cloud adoption, it’s possible to confidently bridge secure operations in any combination of on-premises, private, public or hybrid cloud deployment.