Migrating to the cloud is complex and a major project with plenty of risks for all companies. That's the case, and that's why any attempts to reduce the complexity that the new cloud-based environments bring with them are more than understandable. Unfortunately, IT security often suffers as a result, at the expense of a hasty migration to the cloud.
First the IT solution, then the IT security – provisionally and/or expanded in stages
This approach, which is based on a “plaster policy” that often circumvents compliance rules and guidelines, as has often been practiced for years with on-premises solutions, does not work when migrating to the cloud. There are several reasons for this:
- Even with on-premises solutions, a “flagship approach” to IT security was and is not permitted and – in the worst case – as a reaction to a security incident, it is not nice and actually embarrassing because it is too late.
- In the cloud, IT security measures differ greatly from those in on-premises environments. Security measures in on-premises environments primarily revolve around the topic of identity and access management. These measures are less effective in the cloud because the underlying platform is completely controlled by the cloud provider.
- One of the big disadvantages of the cloud: the control of your own data is limited. Once unsecured data has been stored in the cloud, subsequent security measures to protect the data stored in the cloud only have an ex ante effect, i.e. at most the current data view is protected. Backups, copies, etc. are not protected. The protection also has no effect on data that has already been shared by the cloud provider.
When migrating to the cloud, IT security must be the top priority.
Always put cybersecurity first in the future
The “Migration-First – Security-Later Approach” therefore usually works poorly. Decision-makers are required to weigh up whether the supposed simplification of a cloud migration project outweighs the subsequent “clean-up work” or whether any incompliance can be accepted.
In the cloud, anything that is not explicitly protected is gone, potentially “lost” – at least to the provider, probably also to its partner, depending on the geography, possibly also to the country’s data storage system and, in the worst case scenario, to the cybercrime community .
From our experience, it must be clearly stated that subsequent protection usually remains vulnerable because a patchwork of security measures will always have gaps. Companies are preparing to live with a supposedly compliant IT security provision. Nobody wants to have been the one to blame in the event of a loss, and top management is usually not aware of the actual risks.
We postulate that Security-First Approach to Cloud. We would be happy to inform you personally about how this works, what aspects need to be taken into account and what solutions are available. Feel free to contact us.
