
CLOUD MIGRATION 101

Migrating to the cloud offers multiple benefits including:

 

  • Broad Network Access: Cloud services are device agnostic. It doesn’t matter if your tech is a mobile phone, a tablet, a laptop or a PC. It doesn’t matter if it’s rammed with high performing hardware or stripped down to the bare essentials - as long as the device has internet capability, you can most likely connect.  This makes mobile working, employing a diverse workforce, and increased collaboration not only possible, but entirely practical.

 

  • Rapid Elasticity:  It is also possible to quickly add IT infrastructure such as data storage, data processing and memory at a click of a button.  Ditto the number of users that can access critical applications. IT resources, therefore, are closely aligned to business requirements – including seasonal fluctuations, peaks and troughs.

 

  • Metered Service: One of the biggest benefits of moving to the Cloud is that you only pay for what you use. This reduces the chances of heavy overheads and under-utilised infrastructure during relatively quiet periods. Additionally, most Cloud Service Providers (CSPs) provide a simple web portal to track key metrics regarding usage and compliance with service level agreements.

 

  • Pooled Resources: Most CSPs own vast pools of computing resources, helping many businesses to benefit from economies of scale - not only reducing energy bills but investment in hardware, IT maintenance and security services.

 

Clearly, there are more benefits to the cloud than there is space here to talk about them. However, the senior leadership team must be ready to articulate these in a way that everyone within the organization can understand and support if they wish to move operations to the cloud.

 

Services Available in the Cloud:

 

There are 3 key types of services:

  • Software as a Service (SaaS): Provides the applications you need. These are accessible through your browser or a software client and usually require licenses. SaaS gives the cloud customer the least amount of administrative work to do. Most organisations already run their own mailing systems based on such a model.

  • Platform as a Service (PaaS): Allows organizations to build, run and manage apps without using any IT infrastructure.  This is a popular option for software development companies.

 

  • Infrastructure as a Service (IaaS): Delivers IT infrastructure over the cloud.  This gives you the most control over your network and greatest visibility into what’s happening. By the same token, however, the cloud customer has to be much more involved in the management of these IT systems.


Finally, we have public cloud computing and private cloud computing. The latter is exactly that – the organisation owns or has exclusive use of the technology. Whilst this often results in better oversight of IT systems and the handling of sensitive data, the expense can be entirely prohibitive.  Public clouds, on the other hand, are cost effective because the underlying infrastructure is shared with others. It is the security issues and lack of oversight that make them unpalatable for some.

 

These days, most businesses operate a hybrid model, believing that this will provide the organisation with the right balance of risk and opportunity or sometimes because this is the only feasible solution available. Not all applications can be moved to the cloud, for example, necessitating some form of internal network.  In any event, you should seriously consider hiring a Cloud Access Security Broker (CASB) if you wish to combine more than one vendor or service type.

 

Transitioning To The Cloud Successfully Requires:

 

PHASE 1: Preparation

Migrating to the cloud can often exceed budgets and deadlines and even cause unexpected business disruptions if not well handled.  One way to avoid this is to ensure that senior leaders and heads of departments participate early in the planning process and to make sure that the move to the cloud aligns with long term business goals.

You should be asking:

  • What business problem will the cloud be solving?

  • Who are the intended internal and external users?

  • When, where and how will the cloud be accessed?

  • Will use of the cloud become mission critical?

  • What will happen if the service goes down?

  • How could our use of the cloud change over time?

You might also want to ask

  • What legal, regulatory or contractual standards do we have to maintain?

  • What internal regulations should be considered?

 

Cloud Readiness Assessment (CRA)

Some organisations will write a CRA to consider

  • People: Moving to the cloud affects human resources in service, support and operations.  Will there be unemployment, redeployment or recruitment?  Are there skill gaps that must be filled?

 

  • Technology: You cannot migrate systems if you don’t understand what those systems are and how they work. For example,

    • What format is the data in?

    • How much storage do you need?

    • Which servers run which business applications and what condition are they in?

    • How many users are there on your network?

    • Can we determine cost / benefit?

 

  • Processes: Migration will impact business operations, processes and workflows. Are we able to manage this change?

 

At this point, we are slowly developing our sense of what is and what is not feasible.

  • What are we moving?

  • Why are we moving it?

  • Is the business culture and skill set aligned with this move?

  • What will a successful move look like?

  • Which compliance and security guidelines need to be followed?

  • Who will own the applications and supporting infrastructure once moved?

 

Performing a cloud readiness assessment will provide a holistic review of your current business and IT environments, with a key focus on culture, compliance, resources and strategic goals.

 

Testing the Waters

The next step is to consider running a small pilot to identify the pitfalls when moving to the cloud. For example, you could just move your backups to the cloud or a low risk application - making sure you have the capability to roll back systems if things go wrong.

Making the Business Case

Now we report our learning experiences. We:

  • Identify our desired outcomes and metrics.

  • Identify our desired cloud operating model.

  • Identify and prioritize the applications we wish to move.

  • Estimate our timeline and budget.

  • Identify our roll back capabilities and disaster recovery plan.

  • Identify our security and our compliance requirements.


PHASE 2: Research

The SLA is a critical document as you go to market. It will:

  • Describe the specific metrics associated with each service.

  • Describe what will happen if the metrics are not achieved.

  • Describe caveats such as planned outages.

  • Detail the ownership of data and rights of access, destruction or to have it returned to you.

  • Describe the security standards maintained by the CSP, along with your rights to audit compliance.

  • Describe your right to continue or terminate the service, as well as the associated costs of doing so.

  • Detail the roles and responsibilities of your organisation as well as those of the CSP.

 

A critically important footnote:

If regulated data is exposed or suffers any form of harm in the cloud, regulatory bodies will knock on your door in the first instance to demand answers.  This is because no matter how much you ask the CSP to take on in terms of managing the technology or in terms of processing the data, you will always be ultimately responsible for what happens to it. As such, you must interrogate the CSP’s cyber security posture to make sure it meets your requirements.

 

Information Security Management System (ISMS)

Most CSPs worth their salt will explain the security standards their systems or products align to. These standards will invariably help the CSP to:

  • Identify cyber security risks that will affect the organisation

  • Apply technical, administrative or physical controls to mitigate risks that pose an unacceptable threat

  • Develop ongoing metrics to monitor the success of such controls

  • Develop procedures for dealing with security failures.


Cloud vendors, therefore, may offer:

ISO 27001:2013 certification

Demonstrating that there is a holistic approach to managing enterprise risk and security.

 

NIST SP 800-53r5 Security & Privacy Controls for Federal Information Systems

A freely available framework from NIST. Like ISO, this ensures a risk-based approach to security and the implementation of controls to protect operations, assets, individuals and the supply chain.

 

The Service Organization Control (SOC) audits:

For our purposes, there are 3 different types of reports that we are most interested in:

  • SOC 2 Type II:  Evaluates the design and operating effectiveness of multiple security controls. Type II reports are hard to get your hands on, however, because they discuss the internal architecture of the CSP’s systems.

  • SOC 3:  A publicly available summary of the vendor’s SOC 2 report, providing the AICPA SysTrust Security Seal. The report includes

    • The external auditor’s opinion of the operation of controls (based on the SOC 2 report)

    • The assertion from the vendor’s management regarding the effectiveness of controls

    • An overview of the vendor’s infrastructure and services.

  • SOC for Cybersecurity: Provides an independent entity-wide assessment of an organization’s cybersecurity risk management program to meet the needs of a broad range of stakeholders. 

The Information Technology Security Evaluation Criteria (ITSEC)

Are European-developed criteria designed to assure customers that the products they buy have been evaluated by a neutral 3rd party. Are the security claims made by the cloud vendor accurate?

A Note on Architecture: ISO 17789 Cloud Computing Reference Architecture (CCRA)

An architectural design will explain how a cloud environment is designed - such as what hardware and software has been used and how everything is integrated to form a complete system. You have zero chance of ever seeing such documentation, but it is comforting to know that industry standards have been followed.


Security Concerns Worthy of More Than a Passing Reference

1. The customer should check that in a public cloud environment, one’s data is reliably isolated from other tenants sharing the same resources.  This isolation must be present throughout all infrastructure components including: host, virtual machine, compute, memory, network, and storage. Encrypting data is prudent if you have concerns here.

 

2. Most cloud services use what is called ‘software defined networking’.  Think of this as a means to control every facet of the IT infrastructure programmatically. Of course, the administrators who have these capabilities are extremely desirable targets for cyber criminals.  A lapse in security here puts every customer at risk.  This is why an adherence to a security framework is critically important.

 

3. Hypervisors are at the heart of every cloud. They contain the systems used by customers day in, day out.  Therefore, are they:

  • Based on a ‘hardened’ template?

  • Is this template tamper proof?

  • Is the hypervisor Type I or Type II (The former is considered more secure because of the absence of a potentially vulnerable operating system)?

  • Is the management of these systems securely locked down?

PHASE 3: Planning

Before moving to the Cloud it is important to make sure you have classified every type of data your company uses based on its sensitivity and criticality.  Doing so will help to ensure that the right levels of protection are put into place, such as:

  • Strong Authentication Systems:  In other words, only authorised individuals can access systems and data and they do so in a manner that protects their login credentials. Just as important here is the provisioning and de-provisioning of access rights. An employee, for example, may change role, function or department and it’s critically important that they do not retain privileges which are not necessary to fulfil the current job role.

  • Encryption technologies: To preserve the confidentiality of data as it travels from point A to B, when it is stored on disk or removable media, or when it is being processed by any form of tech. You also have to realise that decryption will require the safe storage and management of encryption keys. Where these keys are stored is a critical point.  Best practice usually dictates that they are stored separately from the vendor – perhaps on your own network or with another trusted 3rd party, despite the latency this causes.

 

  • Data Masking, Anonymization or Tokenisation: This is to avoid any form of unauthorised disclosure by ‘de-identifying’ the data. For example, any information that helps to identify an individual might be removed or replaced with a senseless value.

 

  • Logical Segmentation: We have already noted that in most Cloud environments, resources are shared with other tenants. As such, our data must be isolated from others or even those within our organisation who do not have the necessary security clearance.  It is possible for the CSP to achieve such segmentation programmatically.

  • Data loss prevention systems (DLP). These systems will examine what is trying to leave the cloud environment and decide whether or not this should be the case. Of course, this decision is based on scanning the data or labels associated with it and applying rules created by an administrator or the software vendor. For example, if the data contains a credit card number, it will not be allowed to leave the network.


DLP solutions are usually found on exit points or perimeter technologies. Whilst popular, they have some thorny problems:

  1. Data in the cloud tends to move around and replicate. This presents many challenges for any DLP implementation. Where are the end points? How do we find the data and label it?

  2. The scanning of data creates latency.

  3. There will be many ‘false positives’. In other words, the system will often block access to files because it thought there was a problem when there wasn’t. This is exacerbated when the data is not properly classified or segmented into specific repositories.

  4. Once the data has left the network, the DLP system has no control over what happens to it.
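The credit card rule and the false-positive problem described above can be seen side by side in the following added example, which is not part of the original article and not any DLP vendor's code. It compares a naive "long run of digits" rule with the same rule plus a Luhn checksum; the function names and sample messages are constructed for illustration.

```python
import re

# A run of 13-19 digits, optionally separated by single spaces or hyphens,
# that is not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:  # double every second digit, counting from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def find_card_numbers(text: str, use_luhn: bool = True) -> list:
    """Return normalised digit strings in `text` that the rule treats as card numbers."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if not use_luhn or luhn_valid(digits):
            hits.append(digits)
    return hits


def egress_decision(text: str, use_luhn: bool = True) -> str:
    """Apply the rule from the article: data containing a card number may not leave."""
    return "BLOCK" if find_card_numbers(text, use_luhn) else "ALLOW"


# Constructed sample messages (4111 1111 1111 1111 is a widely used test number).
SAMPLE_MESSAGES = [
    "Please charge card 4111 1111 1111 1111 for the renewal.",
    "Order reference 1234567890123456 shipped on Tuesday.",
    "Minutes from the cloud migration meeting on 2024-03-18 are attached.",
]


def compare_rules(messages):
    """Return (naive decision, Luhn-checked decision) for each message."""
    return [(egress_decision(m, False), egress_decision(m, True)) for m in messages]


if __name__ == "__main__":
    for message, (naive, checked) in zip(SAMPLE_MESSAGES, compare_rules(SAMPLE_MESSAGES)):
        print(f"naive={naive:5} luhn={checked:5} {message}")
```

The checksum removes the order-reference false positive but not all of them: roughly one in ten arbitrary digit strings still passes Luhn, which is why classification and labelling of the data remain necessary.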

 

Information Rights Management (IRM): Enables an organisation to control what happens to a file even when it has left the network. Unlike DLP, IRM offers persistent protection. It is possible to monitor who accesses the files, when they do so, and whether anybody tries to access them without permission. IRM will also tell you whether the files are inside or outside the organization and will enable you to set up granular permissions such as who can read, edit, print, copy and paste files. You can even revoke access to files in real time if you don’t want certain people to access them again. IRM is obviously a game changer in cloud computing.

 

Device Security: The biggest challenge here is that employees may use a wide range of different personal devices to access company data - which is a security nightmare.  You must think carefully about how to protect your information on these 3rd party systems. Read our BYOD video here for more information.

  • Staff Training: Not only should you be teaching your staff basic cyber hygiene (good password management, using multi-factor authentication, updating devices as soon as possible, recognising social engineering from a mile away), you must also address security concerns specifically related to mobile working (theft of devices, the dangers of public Wi-Fi, the importance of using a VPN, or a privacy screen to prevent ‘shoulder surfing’).

In summary, the design of data security strategies requires an understanding of the key technologies at play, and collaborating closely with your cloud partners. How will data be encrypted? How will masking preserve the formatting of data? What sort of tunnelling is available? What backup arrangements do they have in place? And so on.

 

In Short: Be Choosey

An organisation will want to engage with multiple CSPs and carefully evaluate their services, processes and support models to fit with their business requirements. For example, a fully managed CSP model may provide end to end implementation and be more convenient, but it will also be more expensive and won’t provide complete visibility and control of the cloud environment.

Finally, never forget that where the data is stored and whether the vendor is GDPR compliant could mean the difference between using them and continuing your search.

 

PHASE 4: Execution

While moving to your cloud, you must always keep in your back pocket your business continuity plan (BCP) and your disaster recovery plan (DRP). The former is about keeping operations going when the IT resources you depend upon are not available and the latter is about getting these resources back up and running as quickly and as securely as possible.

 

Business Continuity Plan

The key ingredients of a successful BCP include:

  • A Business Impact Assessment: This identifies:

    • Mission Critical Functions (MCFs): These are the things your business must achieve to survive.

    • The identification and prioritisation of activities that contribute to these bigger goals.

    • An assessment of what resources these activities depend upon (such as hardware, software, data and facilities).

    • An estimate of how long the business can survive without these activities before irreparable harm is done (known as the Maximum Tolerable Downtime (MTD)).

    • An estimate of how much data must be preserved to carry out these functions (known as the RPO).

    • The methodology used to determine criticality.

  • A Statement Of Importance: Why the plan has the backing of the CEO and Board of Directors.

  • Guidelines: On how and when to use the plan.

  • Contact List: Of key personnel and 3rd party support as well as a description of responsibilities.

  • Communication Strategy: To disseminate important messaging and updates horizontally and vertically across the enterprise as well as to external agencies and partners. The strategy usually requires close collaboration between legal teams, public relations and senior management.

  • Step By Step Procedures: To implement workarounds. This is the ‘who’ does ‘what’ and by ‘when’.

  • A Schedule: For reviewing, testing and updating the plan.

A Disaster Recovery Plan

Can be similar and will also include:

  • The Scope Of The Plan: To determine when the plan is relevant and necessary.

  • Roles And Responsibilities: Of the Disaster Recovery Team

  • Step By Step Strategies, Processes & Procedures: To recover prioritised services.

  • This means for each critical business function you outline:

    • Preventative/Recovery Actions: that should be taken to back up or restore the CBF

    • Resources/Equipment required to facilitate those actions

    • Recovery time objective (So you know how quickly actions must happen)

    • Responsibility (Who is in charge of making sure the actions happen)

  • A Checklist: That is used to assess the extent of the damage after a disaster and monitor the recovery process

  • The Communication Plan: To facilitate the reporting of accurate information to the right people (which often depends on the type of disaster experienced)

  • A Schedule: For reviewing, testing and updating the plan.

 

PHASE 5: Operations & Maintenance

Cloud governance embraces a number of different areas. For example:

 

Risk Monitoring

Operating in the cloud requires the ongoing monitoring of risk.

A risk assessment usually involves the careful analysis of threats and vulnerabilities to determine the impact of a negative event on the business as well as the likelihood of such an event occurring.  Unfortunately, lacking access to the CSP’s security implementation strategy will make this difficult.

 

To mitigate the problem, a number of organisations adopt a cloud security standard, which provides detailed guidance regarding top security risks and the selection of controls. In no particular order we have, for example,

  • ENISA: Which covers risks such as vendor lock-in, compliance challenges, shared technology risks, and even hostile state actors.

  • The Open Web Application Security Project (OWASP):  Offers the top 10 cloud security risks derived from open source intelligence

  • NIST Cloud Computing Synopsis & Recommendations: SP 800-146. Which is exceptionally comprehensive.

 

Shadow IT

Employees will often turn to shadow IT when they are prevented from accessing resources deemed necessary to do their job.  Given that most cloud vendors make self-servicing quick and painless, it is essential that senior leaders introduce a framework for managing requests from the get-go. Good governance will require the implementation of a transparent process enabling the approval or rejection of requests based on compliance, cost-benefit and alignment with business goals and priorities.


Base Lining

It is the responsibility of the cloud consumer to monitor cloud delivery. Typical metrics include:

 

  • Uptime: Interestingly, an uptime of 99.9% translates into 42 minutes of downtime per month, during which you cannot provide a service to your customers.  The Uptime Institute defines 4 tiers, each more stringent than the next, to provide reliable, redundant systems for security, connectivity and fault tolerance. A Tier 4 certificate would be used by organisations that cannot tolerate any form of downtime.

 

  • Reliability: The Mean Time Between Failures (MTBF) is the average time a service runs before failing. Meanwhile, the Mean Time To Repair (MTTR) is the average time required to fix a failed service and return it to full functionality.  Operational performance improves the more you know about these two key metrics, their causes and how to mitigate their risks. Paying attention to MTBF and MTTR will help you reduce the overall cost of cloud services and increase overall efficacy.

 

  • Response Time: Response time is the time it takes for any workload request to be completed. This metric leads to better performance and has an impact on application performance and availability.

 

  • Security: Cloud computing security refers to the set of controls based technologies and policies

 

You should try to document such baselines and confirm that they are consistent with the performance specified in the Service Level Agreement (SLA).
