Security a shared responsibility in successful cloud migration

Digital transformation and transitioning systems and applications to the cloud have been major business initiatives over the last few years. But the journey to success is littered with missteps and projects that have run overtime or over budget. When we strip away the noise and look at where those failures occur, it is rarely related to the technology.

Transitioning services to the cloud is not just a technical project, it’s about how you do business, and that requires buy-in and planning from across the organisation. Organisations that look at cloud transitions as a cost-saving exercise are missing the point. A cloud transition that complements your digital transformation strategy is a powerful business enabler. It allows you to become more agile and more competitive. Businesses need to think carefully about their security model. A security strategy that is designed around on-prem systems is unlikely to be suitable for the cloud. Cloud security is a shared responsibility.

The cloud is not a monolith

There are three broad categories of cloud services. Infrastructure as a service (IaaS) delivers organisations hypervisor and infrastructure services. It’s then up to the customer to install operating systems, database platforms and other essential tools that can then enable applications and services. In summary, anything installed by the customer is their responsibility. That means operating system, application patches, security and other essential services are the responsibility of the organisation purchasing the service.

Platform as a service delivers organisations cloud systems with their chosen operating systems and key platforms such as container system, database platforms and other foundational software. These platforms are installed, maintained and secured by the service provider. Specific applications and data that are provisioned are the responsibility of the organisation accessing the service.

At the other end of the continuum is software as a service (SaaS). The entire platform and application is provided as a service. All the purchasing organisation needs to do is create or federate user accounts and pay for the service. All software updates, security and other maintenance is the service provider’s responsibility.

When planning your digital transformation journey, it’s important to choose the right platform to achieve the requirements and meet the organisational security posture, while acknowledging your internal skills and capability. Choosing a cloud service doesn’t abdicate you from thinking about security. Cloud security is a shared responsibility. The nature of the cloud service determines which elements are your responsibility and which are the service provider’s concern. A simple way to think about this is to consider security of the cloud and security within the cloud. The former is typically the responsibility of the service provider while the organisation has responsibility for how the service is configured and used.

Get cloud security right

One of the key elements of transitioning to the cloud is understanding who has ownership of each security layer. All cloud services depend on a shared security model. With IaaS, while the physical and hypervisor environment is the service provider’s responsibility, all operating systems and software installed by the users is the customer’s responsibility.

With PaaS services, applications and data installed on the supplied platforms are managed and secured by the customer with operating platforms being the responsibility of the service provider. SaaS providers are responsible for almost the entire technology stack they provide. Users of the SaaS platform are responsible for securing accounts and taking advantage of tools such as multi-factor authentication to ensure system access is managed.

Research from Gartner found that many of the security issues faced by organisations using cloud services were the result of customer misconfigurations rather than specific vulnerabilities in the cloud platform. One of the keys for cloud migration success is understanding who is accountable for delivering each element of the service, with security being one of the major concerns.

Securing your data and systems in the cloud requires a different approach to security. Cloud security is a responsibility that is shared by you and the service provider. The specific responsibility for securing each element requires an understanding of which party is accountable. This will cover everything from data protection, the use of encryption, identity and access management, operating system and application patching, and ensuring which applications are whitelisted.

Working with a trusted and experienced partner ensures that everyone understands their specific responsibilities through the migration process to the platform becoming operational. A successful move to the cloud can deliver significant business benefits when the technology team and business units work together. Managing security implications must be factored from the very beginning and not be an afterthought.

Image credit: ©stock.adobe.com/au/dlyastokiv