Secure cloud migration is possible if you dedicate resources to it from the start. A security-first approach in cloud migration assumes that everything you migrate, refactor, and re-architect produces a highly secure environment, minimizing the risks of a breach, loss of operations, and data leaks.
In the public cloud, security and compliance are shared responsibilities. That’s why it’s essential to identify the elements you need to take care of to ensure proper protection of your business data in the cloud.
Read on to learn more about building a security-first cloud strategy and the six elements that should be its cornerstones.
This is the second article in our series about cloud migration - check out the first one to learn more about networking.
What is a secure cloud migration?
Cloud environments can change rapidly, moving in and out of compliance dynamically.
A security-first approach to cloud computing focuses on ongoing monitoring and management of threats to ensure the organization stays on top of all potential risks. In addition, it involves understanding and acting on these dangers through automated policies, processes, and controls.
Achieving the state of continuous security-first compliance calls for a combination of modern tools, techniques, and processes. Here are the six key elements your cloud strategy should include to promote and improve your security posture.
6 components of a secure cloud migration
1. Cloud Security Posture Management (CSPM)
All cloud service providers (CSPs) share a minimum set of best practices required for the security and compliance of resources stored in the cloud.
Cloud Security Posture Management (CSPM) solutions help to compare cloud resource configurations against such best practices. In addition, they can spot any configuration drifts due to ad-hoc changes or malicious intent.
Microsoft Azure comes with a CSPM solution for its cloud resources, but also AWS and GCP have parts of related functionalities in place. If you prefer to remain cloud-neutral, you can choose a third-party CSPM tool, such as Palo Alto, ZScaler, Orca Security, Wiz Security, or Secberus.
CSPM solutions can read and check your cloud configurations, notify you of the issues in need of remediation, and provide detailed findings and recommendations. As a result, they help to ensure a high-level security score across all components.
So ideally, your cloud environments should include a CSPM tool and strive to achieve a minimum prescribed security and compliance score. As a rule of thumb, Level 3 (“Defined”) or higher of the NIST Cybersecurity Framework should be a good choice.
Endpoint Detection and Response
Endpoint Detection and Response (EDR) is a cybersecurity technology that continuously monitors end-user devices to detect and respond to threats like ransomware and malware.
Each Virtual Machine in your cloud deployment should have a properly installed and configured Endpoint Security solution.
Microsoft Azure provides Defender for Windows, but there is also a version for Linux. If you choose a vendor-agnostic approach, you still get a wide range of EDR products such as Crowd Strike, Sentinel One, Trend Micro, Broadcom, and many others.
Having an EDR tool installed for all deployed VMs should be a part of the strategy enforced through both CSPM tools and Policy as Code.
Key management and secrets management
Your cloud migration plan should include securing sensitive or secret configurations.
Ideally, you should store such data in a central location using a cloud-provided secret management service. Such tools allow companies to securely store, transmit, and manage data like passwords, encryption keys, SSH keys, API keys, database credentials, tokens, and certificates.
Key management and an appropriate FIPS 140.2 Hardware Security Module should support this setup.
All cloud providers have functionally equivalent services for secrets and key management; you can also choose from numerous third-party tools.
Policy-as-code
The idea of policy-as-code involves writing code in a high-level language to manage and automate policies. This form makes it easier to use best practices for software development, like version control and automated testing and deployment.
Examples of the rules your policy as-code could include are as follows:
Avoid using public IPs on Virtual Machines.
All storage must use provided encryption keys stored in your key management solution (KMS)
Public storage objects are not allowed.
Web application firewall must be used in front of all API and web applications.
When collating your list of best practices, you can draw on industry standards such as CIS Benchmarks or CISA/NSA Kubernetes Hardening Guide. Then, you can deploy such policies through IaC and test them for efficacy.
Logging and Security Information and Event Management (SIEM)
All cloud resources generate logging data. Security information and event management (SIEM) technology collects event log data from multiple sources, helping you identify unusual activity and take appropriate action quickly.
SIEM systems have different functions, but in general, they reduce cyber risks by keeping track of how users act, limiting access attempts, and making compliance reports.
Your cloud deployment should integrate an end-to-end SIEM solution and use it to analyze log data for all components. Alerted by notifications, you’ll be able to discover suspicious activities and address them on the spot.
Some of the recommended solutions in this category include IBM Security QRadar, Datadog Security Monitoring, AT&T Cybersecurity, FortiSIEM, and more.
Security assurance and compliance
All key cloud service providers can ensure compliance with popular standards such as SOC2 Type II, ISO127001, PCI DSS (Data Storage Solution), and many others. This certification can be a baseline for your Security Assurance and Compliance requirements.
When structuring your work in this area, focus on the two key deliverables:
Ensure you get a CIS Benchmark score for all infrastructure elements, with no best practice violations above “medium”. Aim for a minimum of 90% implemented checks with a passing score as measured by your selected CSPM solution.
Check your environment against the NIST 1.1 Cybersecure Framework, again aiming for a minimum maturity level of 3 (“Defined”), ideally expanding to Level 4 (“Managed”) or 5 (“Optimized”).
If you use Kubernetes, a useful tool here could be CAST AI’s container security report. By automatically scanning your cluster configurations, it checks your compliance with essential industry standards and best practices.
Once you check your compliance, you can establish a timeline for penetration testing. This cybersecurity exercise helps you find any weak spots in your system's defenses that hackers could use. Penetration testing should be internal and external—and ideally, guide your next steps thanks to issue prioritization.
Launch a secure cloud migration
Creating a security-first cloud strategy minimizes the odds of cyber attacks, protects your valuable assets, and improves your overall business agility.
You can build a solid security structure for your cloud deployment by combining the outlined types of solutions and techniques – the investment will certainly pay off.