You should build security into every enterprise-to-cloud migration. But if you didn’t do that, here’s how to reduce the risk after the fact.
At the majority of enterprises that migrate applications to the cloud, security is an afterthought. This doesn’t mean it’s not important, but that they looking to address security requirements after the workloads and data have already settled in the cloud.
I do not recommend this approach. But the reality is that some enterprises take this approach by default and don’t realize their miscalculation until after the fact. If this happened with your cloud migration, here are two steps to at least reduce your risk.
First, encrypt your data
Although it goes without saying that encryption is the foundation of cloud security, you must figure out a way to integrate encryption in workloads and data. Most cloud encryption surrounds data, both in flight and at rest.
The easiest way to encrypt data is in the database. This provides an abstraction from the physical data and the application. So, it’s often possible to turn on encryption without having to update the applications.
Second, use identities
Identity and access management (IAM) can be retrofitted after a cloud migration without a lot of effort. While it depends on the IAM system you use, the native IAM systems found in clouds such as Amazon Web Services and Microsoft Azure are typically both a better choice and a quicker choice. At the end of the day, of course, it’s your particular requirements that will determine your choice of IAM.
Keep in mind that IAM systems depend on directory services to maintain identity and to provide the proper authorization to those identities. You must deploy one of those systems if you don’t already have one. Also, keep in mind that IAM is only of value if all applications and data are included in the system, both in the cloud and on-premises.
I’m not a fan of shortcuts when it comes to cloud computing security. However, reality sometimes makes these shortcuts a necessary evil. The result is not as good as if security were integrated from the start. However, if security was not implemented, most data and applications are at risk for hackery. So securing the after the fact is better than not securing them at all.
This after-the-fact approach is similar to forgetting to install proper locks when a house is built and then boarding up the doors afterward. The doors are now ugly and inconvenient, but at least no one can just walk in.