One of the benefits of being on the autistic spectrum is that ideas tend to linger in my mind far longer than they probably should. As a result, I am still quite obsessed with The Stack article (https://www.thestack.technology/warren-buffetts-geico-repatriates-work-from-the-cloud-continues-ambitious-infrastructure-overhaul/) I read about a month ago, which discussed cloud repatriation. It provided an example from Geico, where they migrated workloads back on-premises from the cloud. Cybersecurity was not explicitly mentioned as a justification (compliance was, but this is, at least in my opinion, something different). However, as evidenced by my recent output, this has prompted me to think about other reasons why organisations might want to reconsider their cloud migration programmes or hosting strategies. One area that stood out to me was the integration (or lack thereof) of security in cloud migrations.
In my experience, a common theme is that security is often viewed as a barrier to innovation, a perspective I have also been guilty of holding in some of my previous roles.
However, I have come to realise that the absence of a consistent and holistic approach to security in cloud migration projects can, and often does, result in issues later on and, at the very least, may cause programme delays or, worse, lead to data breaches or other severe problems.
The Importance of Cybersecurity in Cloud Migrations
Migrating workloads to the cloud often involves transferring vast amounts of data and associated applications from on-premises systems to cloud environments. If not handled securely, this process can expose data to various cyber threats. Including a cybersecurity framework during cloud migrations helps to safeguard data integrity, ensure data privacy, and protect against data breaches and cyberattacks.
Some Best Practices for Cybersecurity in Cloud Migrations
Below are some considerations for inclusion in a cloud migration programme; this list is not exhaustive, but hopefully covers the fundamentals.
Perform a Risk Assessment
Before migrating, organisations should conduct a thorough risk assessment to identify potential vulnerabilities and threats. This assessment should include evaluating the security posture, identifying sensitive data, and analysing compliance requirements.
One less obvious advantage of performing this assessment is that it forces the organisation to engage with its security teams early. Hopefully, you will be surprised to learn that, in my experience, this has not always happened. If nothing else, this lack of engagement can lead to project delays, as the security teams tend to get engaged later on in the project, leading to rework, etc.
Implement Strong Access Controls
Compromised user credentials remain a primary means of attackers gaining unauthorised access to systems. So, ensuring that MFA is enabled at a minimum can mitigate most of the associated risks, but implementing strong RBAC, PIM, and PAM controls would further enhance identity security.
Encrypt Data
Possibly a no-brainer, but it is important to ensure that data is encrypted at rest (a default for the underlying storage in most cloud providers) and in transit to protect it from unauthorised access and interception.
Integrate into the Organisation's Security Operations Processes (i.e. SOC, SIEM and SOAR tools/processes)
Ensure that when workloads are migrated, they are integrated into the existing security monitoring & detection solution. If this system cannot adequately monitor the cloud environment, consider using a cloud-native solution, such as Microsoft Sentinel and Microsoft Defender.
Again, including the security teams early can help to ensure that this process is implemented before the migrations, potentially reducing delays and security risks during and after the migration.
There can be challenges with this level of integration, as many larger organisations tend to use different providers to manage the migrations from those that typically run the platforms. This is usually to reduce risks associated with having one provider manage all aspects of the organisation’s IT, but it does add complexity and sometimes friction when these (often competing) organisations need to work together effectively. A clear operating model and RACI can help mitigate these types of issues.
Compliance
Ensure that the cloud migration complies with relevant regulations and industry standards. Review compliance requirements regularly and update security processes as and when required.
User Adoption & Training
Provide cybersecurity training to employees to raise awareness about potential threats and best practices. Ensure employees understand their roles and responsibilities in maintaining a secure cloud environment. This can be doubly important when moving to SaaS- or PaaS-based systems, as authentication mechanisms and experiences can differ significantly from those users are accustomed to in a predominantly on-premises estate.
Develop an Incident Response Plan
Create a comprehensive incident response plan to address potential security incidents. This plan should outline steps for identifying, containing, and mitigating security breaches and procedures for communication and recovery.
Arguably, this is one of the key areas. It is surprising how little I have seen this included in the first draft of a migration plan, but it is essential to know who to contact and what the processes are for managing an incident, especially during the migration or early life support. This tends to be the time when there are more moving parts and disparate teams involved, which at the best of times can lead to miscommunications, critical delays and a lack of clarity as to the current status of the incident. Please do not keep the incident response plan in the environment that it is related to; surprisingly, I have seen this happen.
Resources for Microsoft Cloud
MCRA
I have always found the MCRA (Microsoft Cybersecurity Reference Architecture) an excellent starting point for considerations around securing your Microsoft and multi-cloud estates. The latest version of this can be found here: https://learn.microsoft.com/en-us/security/adoption/mcra
Cloud Adoption / Well-Architected Framework
Anyone looking to leverage the Microsoft Cloud should be familiar with the Cloud Adoption Framework and the Well-Architected Framework, commonly shortened to CAF and WAF. These resources provide a wealth of guidance on how to plan, migrate, manage and architect workloads for the Microsoft Cloud, including sections on security.
CAF: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/
WAF: https://learn.microsoft.com/en-us/azure/well-architected/
Enterprise Scale Landing Zones
Included as part of CAF, it is useful to understand the basic concepts of how to architect and implement a secure and scalable landing zone for Microsoft Azure. This resource includes not only guidance and architectural references but also a series of scripts available on GitHub that can be used to build out your landing zones.
ESLZ: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/
In Conclusion
By fully integrating security into your migration design and implementation plans, and by doing this early in the programme, you can help to mitigate some common risks that can cause issues both for the programme (i.e. delays, rework, compliance issues, etc.) and for the cloud estate, such as data exfiltration, user credential compromises, and cybersecurity incidents in general.