How to Migrate to the Cloud? - A Security Architect's Thoughts on Enterprise Digital Transformation
Updated: Jul 22, 2020
Digital Transformation - It's the buzzword these days. Everyone is on the bandwagon. Everyone wants to move to the "Cloud", but like everything in life, there's a right way of doing it, and a wrong way. And in my years of working with various clients I have learnt a few good practices, a few bad, and a few outrageous. I also have been fortunate to work with a lot of brilliant minds and learnt a lot from them on my way. This post is not step-by-step manual to Digitally Transform your Enterprise or your Life, but I hope it helps as a high-level guide to what things you should bear in mind on your journey to and amongst the Clouds.
As I appreciate my time and yours, so I will keep this post succinct.
Let's start with things you shouldn't be doing:
Do not be in a rush to migrate to the Cloud – If you do, you will certainly make mistakes, skip best practices, and compromise. Take your time, have a plan, dot your I’s and cross your T’s. Business always want to rush to see ROI (Return on Investment) or cost-savings. “Turn it on, and we will put controls in place later” – that never happens soon enough.
Please do not give out individual access – This is a plea. It becomes an unmanageable nightmare; I can guarantee it. Instead tie access to groups/roles and then periodically certify the access using Identity Governance tools. More on this later.
Establish Ownership - Identify the owner of every entity you have in your Cloud infrastructure. Use tags religiously for this and enforce policies to enforce tagging. Once things are out there, it will be a huge ordeal chasing the owners. And business will never let you abruptly shut down resources or access not "owned" in fear of breaking things in Production.
Have an Identity Governance Model in place - Besides establishing ownership, you need to have a robust, repeatable and enforceable Identity Governance model in place. There are a lot of third-party tools out there besides what the Cloud Providers provide, pick one that suites your needs. Run access certifications cycles, more often for privileged accounts. You should always have almost real-time information as to who has access to what, why, when and by whom. Always follow the principle of least privilege. I usually take product or vendor documentation with a grain of salt, the permissions asked are almost always excessive. Question everything.
Implement a RACI Matrix - It's existential for your business's Cloud Infrastructure to have an associated RACI (Responsible, Accountable, Consulted and Informed) matrix. You can model based on your on-premise RACI matrix, but remember it’s not always an apples to apples comparison. Your Information Security and Audit teams should definitely play an active part in whatever is deployed. While InfoSec approval should be required, periodic audits by GRC should be enforced.
Infrastructure as Code - Implement everything you deploy to the Cloud as code, and I mean everything: groups, roles, policies, networks, virtual machines etc. Implement this as a part of your DevSecOps rollout. You will avoid making mistakes, skipping best practices, and instead have a defined, secure, reviewable process to create, update or delete infrastructure. AWS CloudFormation has its limitations, but it’s better than manual changes. Azure ARM templates are a bit too verbose for my taste, but they get the job done. I do like Terraform, but that's a personal preference. Your Infrastructure as Code implementation can be Declarative (Templates) or Imperative (Scripts), or a combination of both. A suggestion here, try to avoid having thousands of lines in declarative templates in a single file.
Defense in Depth - Besides the processes and controls, abide with the philosophy of Defense in Depth. White list IPs, put networks security rules in place, enforce Multi-Factor Authentication (MFA), conditional access. The list goes on and on but do note there's a thin line there. Too many security controls that lead to an inconvenient, if not terrible, user experience, will not only negatively impact your business productivity but also influence your users to make compromises and bad choices because they would not want to go through the hassle of jumping through the security hoops you have put in place. Cyber Security should be a business enabler, not a business hinderer.
Educate - I cannot stress this enough. Educate everyone in your enterprise on good security practices. Trainings, short videos, posters, banners, notices, etc. all help. Constantly, yet subtly, remind your users about the threats enterprises face in today's environment. Short educational videos or articles on recent security incidents, their impact and the modus operandi used is a great way of keeping your users interested and educated, broadcast these to everyone.