When a company migrated to the cloud, security issues arose due to difficulties in getting stakeholders on board and involving security from the start. Embedding security assessments as part of the continuous cloud DevOps process and adopting an agile strategy for security risk management throughout the lifecycle of the project helped to increase the governance of security during the migration.
Archana Puri spoke about security dilemmas when migrating to the cloud at The Diana Initiative 2021.
Puri mentioned that after evaluating migration approaches from Gartner’s 6R approach, the company adopted three migration approaches as part of the organisation’s cloud migration roadmap:
The focus was to first migrate the legacy systems supporting critical customer services using the "Lift and Shift" migration approach. To support the legacy application, other dependent applications were planned to be "Replatformed" using cloud-native capabilities (such as RDS in place of an on-premises Oracle database) and "Refactored" by replacing the migrated applications over time and automating the cloud workloads and workflows as part of the roadmap.
The main challenge with the cloud migration was to engage with the right stakeholders and establish governance over the migration processes, Puri said. Cloud migration was considered a technical issue and hence the project was delegated to the IT team without engaging other stakeholders such as the customer services and application teams impacted by the migration, she mentioned.
The security team was often engaged at the end of the project to perform point-in-time security reviews and provide assurance to the project teams, Puri said. Engaging security at the end became a major showstopper for the project because the security assessment approach and outcome didn't align with the business objectives, resulting in a disconnect between the business, project and security teams in achieving an effective outcome from the cloud migration.
The most important learnings drawn from the project were to engage the relevant stakeholders across the organisation. Ensuring security across the project and solution life cycle involves adequate security training and awareness among DevOps and other relevant teams to build a continuous, risk-based and security-resilient infrastructure.
InfoQ interviewed Archana Puri about dealing with security in cloud migrations.
InfoQ: What was the reason for moving to the cloud? What expectations did the company have?
Archana Puri: The key reasons for cloud migration were:
- To modernise the application platforms as part of the technology improvement initiatives
- To upgrade the legacy infrastructure in order to scale and enhance its performance to cater to the growing customer demands and service portfolio of the organisation; and
- To optimise costs and effectively utilise the IT budget to adopt more agile and automated capabilities
InfoQ: What were the main security challenges in moving towards the cloud?
Puri: Within the security engagements, there were dependencies on the traditional way of performing security risk assessments as a point-in-time activity to assess risks. However, cloud migration is a continuous process, hence security had to adapt to the agile ways of working and embed security assessments as part of the cloud DevOps process.
A lack of adequate understanding and technical capabilities within the IT and security resources about cloud technologies, threat profile, risk exposure, and controls was also a significant showstopper.
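To make the shift from point-in-time reviews to assessments that run on every change concrete, here is an added illustration of a minimal policy-as-code check that a CI/CD stage could run against cloud resource definitions. It is not code from Puri's talk or from the organisation described; the resource descriptions, check names and severity thresholds are constructed for the example and do not model a real provider API.

```python
"""
Added example: a continuous, risk-rated security assessment that a pipeline
stage can run over cloud resource definitions on every change. The resource
dictionaries, checks and thresholds below are constructed for illustration
and are not a real cloud provider API or any organisation's actual policy.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str
    message: str


def check_database(db: dict) -> list:
    """Checks for a managed relational database, e.g. a replatformed RDS instance."""
    findings = []
    name = db["name"]
    if db.get("publicly_accessible", False):
        findings.append(Finding(name, "high", "publicly accessible from the internet"))
    if not db.get("storage_encrypted", False):
        findings.append(Finding(name, "high", "storage not encrypted at rest"))
    if db.get("backup_retention_days", 0) < 7:
        findings.append(Finding(name, "medium", "backup retention shorter than 7 days"))
    if not db.get("deletion_protection", False):
        findings.append(Finding(name, "low", "deletion protection disabled"))
    return findings


def check_object_store(bucket: dict) -> list:
    """Checks for an object storage bucket used by a lifted-and-shifted workload."""
    findings = []
    name = bucket["name"]
    if bucket.get("public_read", False):
        findings.append(Finding(name, "high", "bucket allows public read"))
    if not bucket.get("versioning", False):
        findings.append(Finding(name, "low", "object versioning disabled"))
    return findings


# Hypothetical resource types; extend this map as new cloud services are adopted.
CHECKS = {"database": check_database, "object_store": check_object_store}


def assess(resources: list) -> list:
    """Run every applicable check; an unknown resource type is itself a finding."""
    findings = []
    for res in resources:
        check = CHECKS.get(res["type"])
        if check is None:
            findings.append(Finding(res["name"], "medium",
                                    f"no check defined for resource type {res['type']!r}"))
            continue
        findings.extend(check(res))
    return findings


def gate(findings: list, fail_on: str = "high") -> bool:
    """Pipeline gate: True (pass) only when no finding reaches the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on]
    return all(SEVERITY_RANK[f.severity] < threshold for f in findings)


# Constructed sample: the same replatformed database before and after remediation.
SAMPLE_BEFORE = [
    {"type": "database", "name": "orders-db", "publicly_accessible": True,
     "storage_encrypted": False, "backup_retention_days": 1, "deletion_protection": False},
    {"type": "object_store", "name": "orders-exports", "public_read": False, "versioning": False},
]
SAMPLE_AFTER = [
    {"type": "database", "name": "orders-db", "publicly_accessible": False,
     "storage_encrypted": True, "backup_retention_days": 14, "deletion_protection": True},
    {"type": "object_store", "name": "orders-exports", "public_read": False, "versioning": True},
]


def run_sample() -> dict:
    """Return the gate result and finding count for both sample states."""
    before = assess(SAMPLE_BEFORE)
    after = assess(SAMPLE_AFTER)
    return {"before_findings": len(before), "before_pass": gate(before),
            "after_findings": len(after), "after_pass": gate(after)}


if __name__ == "__main__":
    for f in assess(SAMPLE_BEFORE):
        print(f"[{f.severity.upper():6}] {f.resource}: {f.message}")
    print(run_sample())
```

Run as a pipeline step, a non-passing gate blocks the change rather than surfacing as a late review comment; the `fail_on` threshold is where the risk appetite agreed with the business is expressed, so medium findings can be reported without blocking while high ones stop the deployment.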
InfoQ: How did you deal with these challenges?
Puri: Security by design and embedding security as part of the agile project methodology were adopted as a strategy for security risk management throughout the lifecycle of the project and as a continuous development and operations mechanism. This included engaging and aligning security teams from the conceptualisation of the migration. This enabled clear communication and an understanding around the objectives and intentions, allowing the business to make the decision for migration.
The key is to clearly understand the migration drivers and objectives, and align the cloud security strategy and policy with the overall organisation security strategy and policy.