When they go wrong, cloud migration projects can result in downtime and disruption. Matt Lock highlights a number of common challenges experienced during cloud migration and what measures can be taken to manage these.
In uncertain times, and with many businesses facing big decisions about the future of their operations, it can be tempting to put large-scale IT projects on hold. However, necessity is a driving force for change and the COVID crisis has compelled many businesses to accelerate cloud migration to accommodate the pressures on their IT infrastructure. This trend looks set to continue. Services such as Office 365 have provided companies a lifeline, enabling their employees to collaborate and access corporate data assets and applications regardless of their location.
Migration is a significant undertaking, and moving legacy, on-premises data to the cloud requires considerable planning. The right processes and safeguards must be in place to minimise risks and avoid any downtime or disruption that could prevent workers from accessing critical resources.
For anyone embarking on a cloud migration project the best foundation for success is a clearly defined strategy based on the security and protection of data.
Understanding the data estate
One of the biggest challenges for organizations plotting a path to cloud migration is gaining full visibility of their data estate. Businesses often have little idea of just how extensive this is. It is not unusual to discover old Exchange mailboxes and public folders that no one in the current IT or security team even knew existed.
Businesses must also deal with stale data – old assets that are no longer active. Often these data sets are stored or archived with a ‘just in case’ mentality but this also presents a potential security risk.
Cloud migration is an excellent opportunity to finally clear out stale data. Automated tools can assess and flag assets that can reasonably be excluded from the migration procedure. This process can also identify which data to prioritise, along with the active data sets in an estate that will require careful coordination to migrate without causing disruption to the business.
Ensuring regulatory compliance
Once the scope of the migration is established, any sensitive data being transferred must be protected by the right security and access controls to prevent data breaches. Particular attention must be paid to data which falls under regulations, such as personally identifiable information (PII) covered by the GDPR and payment information that is covered by the industry standard PCI DSS. Depending on the scope of the business’s operations, this may also include international regulations such as the US’s HIPAA for healthcare data, and the recently introduced California Consumer Privacy Act.
Given the volume of data to sort through, this is another area where automation shines. Data can be classified as falling under different sets of regulation and the corresponding controls can be applied automatically. Businesses may also want to go a step further and invest in the ability to apply custom classification rules for their own unique data sets. This is also helpful for protecting intellectual property that does not necessarily fall under a regulation but is still extremely valuable to the company.
Implementing the right controls
A wide range of security policies can be applied to different data sets. Data security controls such as ‘no external sharing’ and ‘no download’ can be applied to confidential data that must be kept within the confines of the corporate network. Integrating automated classification tools with Microsoft Azure Information Protection (AIP) also enables the application of encryption and DRM (digital rights management) protection.
One of the most important aspects of data protection is to ensure that access is restricted to authorised users. Varonis’s 2019 Global Data Risk Report found that, on average, 22 percent of all company data is exposed to everyone in the organization. This means that sensitive data is vulnerable to misuse by unscrupulous employees. It also makes it much easier for an external threat actor to access and exfiltrate data.
Two of the most common issues to address are Global Access Groups (GAGs), where access defaults to any authenticated user, and Broken Access Control Lists (BACLs) where the permissions on a child folder don’t match the parent. These gaps need to be identified and resolved as part of the migration process.
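As an added illustration (not part of the original article and not Varonis tooling), the following Python sketch audits a permissions inventory for the two issues described above. The folder paths, group names and the inventory format are constructed for the example, and it assumes a simplified model in which a folder with inheritance enabled should carry exactly its parent's entries.

```python
from pathlib import PurePosixPath

# Assumed list of principals that effectively mean "any authenticated user".
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed sample inventory: path -> inheritance flag and (principal, right) entries.
SAMPLE_ACLS = {
    "/shares": {"inherit": False, "aces": {("IT-Admins", "full")}},
    "/shares/finance": {"inherit": False,
                        "aces": {("IT-Admins", "full"), ("Finance", "modify")}},
    # Inheritance is on, but the Finance entry from the parent is missing.
    "/shares/finance/payroll": {"inherit": True, "aces": {("IT-Admins", "full")}},
    "/shares/finance/reports": {"inherit": True,
                                "aces": {("IT-Admins", "full"), ("Finance", "modify")}},
    "/shares/public": {"inherit": False,
                       "aces": {("IT-Admins", "full"), ("Authenticated Users", "read")}},
    "/shares/public/archive": {"inherit": True,
                               "aces": {("IT-Admins", "full"), ("Authenticated Users", "read")}},
}

def find_global_access(acls):
    """Return {path: [global principals]} for folders open to a global access group."""
    findings = {}
    for path, rec in acls.items():
        hits = sorted(p for p, _ in rec["aces"] if p in GLOBAL_GROUPS)
        if hits:
            findings[path] = hits
    return findings

def find_broken_acls(acls):
    """Return inheriting children whose entries do not match the parent's."""
    findings = {}
    for path, rec in acls.items():
        parent = str(PurePosixPath(path).parent)
        if not rec["inherit"] or parent not in acls:
            continue  # explicit break in inheritance, or top of the inventory
        parent_aces = acls[parent]["aces"]
        if rec["aces"] != parent_aces:
            findings[path] = {"missing": sorted(parent_aces - rec["aces"]),
                              "extra": sorted(rec["aces"] - parent_aces)}
    return findings

if __name__ == "__main__":
    print("Global access:", find_global_access(SAMPLE_ACLS))
    print("Broken ACLs:", find_broken_acls(SAMPLE_ACLS))
```

Real file-system ACLs also distinguish explicit from inherited entries, so a production audit would compare only the inherited portion of each child's ACL.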
Keeping the cloud secure
Cloud migration is a huge undertaking, one that doesn’t stop once the data transfer is complete. Businesses need to continually assess their controls to keep things secure.
Permissions and policies should be reviewed on a regular basis, as well as proactively whenever there are significant changes. These changes could arise within the organization, as a result of M&A activity or expansion into new geographies, or from external factors such as changes to regulations or the emergence of new threat intelligence. While automation and algorithms can take care of most of the heavy lifting, it is best practice to assign data owners to critical data sets to review access and controls as the situation changes.
With the right combination of expertise and automation, organizations can ensure their cloud migration is completed smoothly with minimal disruption to their operations. A successful migration will future-proof the business for remote working needs. The process will also tighten up controls, tidy the data estate and close any gaps, leaving operations more efficient and secure than ever before.
Matt Lock, UK Technical Director, Varonis.