Migration to the cloud is a multi-faceted, large project that carries plenty of risk for every company. It is therefore more than understandable that companies try to reduce the complexity that new cloud-based environments bring with them. Unfortunately, IT security is often what suffers when a hasty migration to the cloud is pushed through at its expense.
First the IT solution, then IT security - provisionally and/or expanded in stages
This "band-aid politics" approach (Pflästerlipolitik), which often bypasses compliance rules and policies and has been practiced for years with on-premises solutions, does not work when migrating to the cloud. There are several reasons for this:
- Even with on-premises solutions, a "band-aid approach" to IT security was and is not permissible; in the worst case it is merely a reaction to a security incident that has already happened, which is embarrassing precisely because it comes too late.
- In the cloud, the measures in the area of IT security differ greatly from those in on-premises environments. Security measures in on-premises environments revolve primarily around identity and access management. These measures are less effective in the cloud because the underlying platform is fully controlled by the cloud provider.
- One of the major disadvantages of the cloud is that control over one's own data is limited. Once unsecured data has been stored in the cloud, security measures applied afterwards to protect that data only have an ex ante effect, i.e. at most the current view of the data is protected. Backups, copies, etc. are not protected, and the protection has no effect on data that the cloud provider has already shared.
When migrating to the cloud, IT security has to come first.
Always put cybersecurity first in the future
The "migration-first, security-later" approach therefore usually works poorly rather than well. Decision-makers must weigh whether the supposed simplification of the cloud migration project outweighs the subsequent "clean-up work", or whether any resulting non-compliance can be accepted.
In the cloud, what is not explicitly protected is gone, potentially "lost": at least to the provider, probably also to its partners, and, depending on geography, possibly also to the country's data retention regime and, in the worst case, to the cybercrime community.
From our experience, it must be clearly stated that retroactive protection usually remains vulnerable, because a patchwork of security measures will always have gaps. Companies are thus prepared to live with a supposedly compliant IT security provider. In the event of a loss, no one wants to be the victim, and top management is usually unaware of the actual risks.
We advocate the security-first approach to the cloud. We would be happy to explain to you personally how this works, which aspects need to be taken into account, and which solutions are available. Please get in touch with us.