- Why are you moving to the cloud? It seems almost foolish to ask this simple question, but have you considered the benefits and challenges honestly? Consider such things as the skillsets of your in-house or outsourced maintenance and operations teams. Are they equipped to transition to different workflows, and do they understand the new challenges and possible risks associated with cloud environments? Do you need to provide any upskilling?
- Once you know why you’re migrating, identify which data is suitable to be hosted externally. Remember that the cloud isn’t on-premises, so once this data is transferred over, you have lost control of it. Because there is no simple ‘take it offline’ button, data classification is vital to effective cloud solutions; once it’s live, it’s online.
- Where do responsibilities lie? Once data has moved to the cloud, who will be the data owner, and are they confident in their abilities to maintain said data? Which systems owners will now need to transition to cloud environments, and are they prepared and ready?
- Roles and Responsibilities. Fully understand the roles and responsibilities not just of the purchased vendors but also the data owners, system owners, and security operations teams. When putting data in the cloud, your organization does not hand off the responsibility for this data. Essentially, migration adds a data processor within the chain, but the handling remains within the organization’s area of responsibility. An explicit identification of what this entails for the organization is needed, so don’t forget to update your risk register accordingly.
- Incident response. Remember the Target breach of 2013? The operations teams did identify and escalate alerts, but no one took these forward, so the process failed. Your team needs to consider the ‘worst case’ scenarios and identify who is responsible for what, who will make up the incident response team, and what roles they will play.
- Retention. Historically, data storage was pricey, but nowadays this is less of a concern. It’s now simple and relatively inexpensive to collect data, but failing to establish appropriate measures of review, validation and removal leads to expensive audits. Rather than this ease of storage encouraging discipline, organizations have become a bit unkempt with their data storage practices. Embedding a policy and procedure from the beginning can allow for a massive reduction in headaches later on - especially for GDPR compliance.
- Disaster recovery and backups. It may seem a little strange to discuss the backup of data whilst it is being held within a high availability environment. However, when disaster strikes, how the data is backed up is critical. For instance, if hit with ransomware, is it readily available to recover? Consider the NotPetya ransomware that hit Maersk, knocking out all data centers except an offline one in Ghana. If there’s a disruption, whether a DDoS against the cloud provider or a small, localized internet outage, will your organization be able to continue to work whilst offline, or do you require constant access to the data? It could be that a hybrid approach, where data is replicated across both on-premises infrastructure and the cloud, works better given the potential cost of an outage.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.