In this article, originally published by InfoSecurity, Robert A. Clyde outlines how to take a critical inventory of existing data and operational requirements before migrating workloads to the cloud.
It wasn’t too long ago when the question many enterprises wrestled with was whether migrating to the cloud was a worthwhile endeavor. Aside from a few stray server-huggers, enterprises have resoundingly answered in the affirmative and moved beyond that basic question.
Now, though, as the COVID-19 pandemic and resulting widespread transitioning to remote workforces hasten organizations’ embrace of the cloud and SaaS applications, new questions are arising. Let’s examine some of the questions that organizations should be asking to make their cloud migrations successful:
How can we accelerate our move to the cloud?
There is a reason the cloud services market is expected to exceed US $660bn by 2024, according to GlobalData – the cloud brings great potential for organizations to become more efficient, flexible and secure, among other benefits. So, why not be bold in making the move? As enterprises plan their migrations, they should consider going beyond the usual budgetary investments. If the management team had more resources to invest in the cloud transition, what could they accomplish? It might be better to invest more up front and move faster.
What percentage of our business-critical applications are currently running on the cloud?
Even IT leaders who are aware of the cloud’s upside can be deterred from acting if bogged down by existing technologies and processes. That is why it is important to swiftly transition business-critical applications to the cloud. After determining the percentage of business-critical apps that are running on the cloud, a logical follow-up question for cloud champions is whether there are plans to make that total 100%. If not, why? If so, when will the last server be turned off?
Did we include a third-party supplier risk assessment in our cloud risk assessment?
Many organizations have not done so, and the massive SolarWinds hack surely has caught the attention of enterprise leaders. Third-party supplier risk needs to be specifically accounted for as part of the risk assessment. Organizations can automatically assess some third-party risks by using tools that block, report and warn about such risks in the CI/CD pipeline. Any major transition done on an aggressive timeframe poses new risks. Further, there should be a way for management to show the board of directors that all major cloud-related risks have been assessed and the appropriate mitigations have been put in place. It is important to call out which risks, if any, might exceed the organization’s risk appetite.
Have we identified sensitive data and protected it in the cloud?
The risk assessment should identify sensitive data stored in the cloud and how well it is protected. Has the organization implemented appropriate and effective data protection solutions like encryption, obfuscation, or microsharding? Does the way the data is stored, used and protected comply with company policy, industry standards and regulations?
Have we implemented DevSecOps to develop and deploy cloud applications?
This should be a firm “yes.” To put it plainly, migrating to the cloud without DevSecOps doesn’t make sense. DevSecOps is the way to successfully implement cloud applications from the standpoints of both security and quality. For organizations on this path, cloud champions should ask what percentage of our CI/CD pipeline is fully automated? Does it include automated unit tests, third-party risk checks, integration tests, security tests, security checks and audit artifacts, and can security leaders show a simple chart reflecting the DevSecOps capability progress over time?
Do we have knowledgeable cloud practitioners in place?
Migrating from on-premise servers and infrastructure to the cloud might require existing employees to be re-skilled and trained for the organization’s intended cloud uses. Independent reviews are critical, and cloud audits performed by credentialed auditors will typically surface significant security and/or compliance risks, particularly given the fast-evolving regulatory landscape for data governance and data privacy.
The questions above are just a starting point for making cloud migrations a success. In today’s business climate, forward-thinking boards should want to know what their organizations are doing to stay ahead of the curve. Cloud changes rapidly with new capabilities, and management and board directors should be curious about what their teams are doing to keep up on an ongoing basis.
The business landscape will benefit from the large volume of cloud migrations that are taking place, but organizations need to be mindful that just because they are transitioning to the cloud does not guarantee success. Related security, risk and regulatory considerations need to be accounted for to ensure the intended business benefits are realized.