Cloud migration: mitigating misconceptions and genuine security risk

Sometimes it seems like the whole world is migrating their critical data and applications to the cloud. The latest Gartner forecast estimates spending globally on public cloud services will hit $592bn by the end of 2023 – a near 21% year-on-year rise. Yet security is a persistent concern. Research reveals that it is a barrier to migration for 45% of global organisations.
Some of these concerns are born out of misunderstandings about what cloud migration entails, and how security solutions can help. Others can be addressed by investing in the right kind of platform-based approach and baking security into projects from the very start.
Sharing responsibility for security
Our survey finds that 88% of organisations accelerated their cloud migration during the pandemic. That’s an understandable reaction to a unique set of circumstances which forced businesses to become more agile in supporting their workforce and reaching customers digitally. However, the pandemic surge in migration is unlikely to have slowed since, as organisations look to carve out competitive advantage and mitigate the worst impacts of a looming downturn.
In this context, it’s of some concern that many still don’t fully understand the concept of shared responsibility – whereby cloud providers take care of security of their infrastructure but customers must protect data, apps and other assets. Although nearly all (92%) respondents said they’re confident they understand their cloud security responsibility, even more (97%) claim their cloud service provider (CSP) offers sufficient data protection – which is not usually the CSP’s job.
The boundary lines for responsibility may be particularly difficult for organisations to define when they are running a mix of IaaS, PaaS and SaaS environments.
Legitimate concerns
The bottom line is that cloud migration can increase the corporate attack surface significantly. Just think of all those new containers, virtual machines and serverless assets. Managing these often ephemeral, highly dynamic assets alongside traditional on-premises environments can be extremely challenging, as they demand a different type of approach. It’s perhaps not surprising that nearly three-quarters (73%) of global organisations are concerned about their growing attack surface.
Organisations must also understand that CSPs can’t be independently audited. You have to take them at their word on security to a great extent – which makes due diligence processes more important, and trusted industry names a safer bet. Visibility and control can also be a challenge for security teams operating in the cloud without the right tools.
Security by design
However, there are things that can be done from the start to mitigate cyber risk when migrating data to the cloud. First, follow security by design principles. That means having the IT leader or CISO sit in on digital transformation projects from the very start. Some organisations leave them out, believing the function will only slow things down. In fact, good security will help you go faster but safer, like seatbelts on a car.
Next, it’s time to consider what security tools to invest in. Point solutions are a major challenge for security teams. They can create data silos that lead to coverage gaps, cost extra money in unnecessary licences, and stretch IT teams to the limit from an administrative perspective.
By consolidating on a single platform for protection, detection and response across cloud and on-premises, organisations can instead gain full insight into risk across their entire attack surface and then manage it holistically. It saves money on licences and optimises limited IT resources.
Of those organisations we surveyed, only 55% said they use third-party tools to secure their cloud environments. This needs to change. The first rule of cloud security is that the CSP will not handle everything itself.