How Security by Design Helped Manage Risk in a Cloud Migration
When a company migrated to the cloud, security issues arose due to difficulties in onboarding stakeholders and involving security from the start. Integrating security assessments as part of the ongoing cloud DevOps process and adopting an agile security risk management strategy throughout the project lifecycle helped strengthen security governance during the migration.
Archana Puri spoke about security dilemmas when migrating to the cloud at The Diana Initiative 2021.
Puri mentioned that after evaluating Gartner’s 6Rs migration approaches, the company adopted three migration approaches as part of the organization’s cloud migration roadmap:
The goal was to first migrate the legacy systems supporting critical customer services using the “Lift and Shift” migration approach. To support the legacy application, other dependent applications had to be “replatformed” using cloud-native features (such as RDS in place of an on-premises Oracle database) and “refactored” by replacing the migrated applications over time, automating cloud workloads and workflows along the way.
The main challenge of migrating to the cloud was engaging with the right stakeholders and establishing governance over the migration processes, Puri said. Cloud migration was seen as a technical issue, and therefore the project was delegated to the IT team without involving other stakeholders, such as the customer services and application teams impacted by the migration.
The security team was often engaged at the end of the project to perform ad hoc security reviews and provide assurance to project teams, Puri said. End-to-end security engagement became a major roadblock for the project, as the approach and outcome of the security assessment did not align with the business objectives, resulting in a disconnect between the business, project and security teams in achieving an effective outcome for the cloud migration.
The most important lesson learned from the project was to involve the relevant stakeholders across the organisation. Ensuring security throughout the project and solution lifecycle requires proper security training and awareness among DevOps and other relevant teams, in order to build a resilient security infrastructure based on ongoing risk assessment.
InfoQ interviewed Archana Puri on security management in cloud migrations.
InfoQ: What was the reason for moving to the cloud? What expectations did the company have?
Archana Puri: The main reasons for migrating to the cloud were:
- Modernize application platforms as part of technology improvement initiatives
- Upgrade legacy infrastructure to scale and improve its performance to meet growing customer demands and the organization’s service portfolio
- Optimize costs and effectively use the IT budget to adopt more agile and automated capabilities
InfoQ: What have been the main security challenges of moving to the cloud?
Puri: In security engagements, there were dependencies on the traditional way of performing security risk assessments as a one-time activity to assess risk. However, with cloud migration being an ongoing process, security had to adapt to agile ways of working and incorporate security assessments as part of the cloud DevOps process.
A lack of understanding and adequate technical capabilities within IT and security resources regarding cloud technologies, threat profile, risk exposure and controls was also a significant impediment.
InfoQ: How did you deal with these challenges?
Puri: Security by design and the integration of security into the agile project methodology were adopted as a strategy for managing security risks throughout the project lifecycle, and as a mechanism for continuous development and operations. This included engaging and aligning security teams from the conceptualization of the migration. This allowed for clear communication and understanding of goals and intentions, enabling the company to make the decision to migrate.
The key is to clearly understand the drivers and goals of the migration, and to align the cloud security strategy and policy with the organization’s overall security strategy and policy.