Migration In Cloud First. Security Later?

Migration to the cloud is complex and a major project with plenty of risks for all companies. That is why all attempts to reduce the complexity that the new cloud-based environments entail are more than understandable. Unfortunately, IT security often suffers as a result, at the expense of which a hasty migration to the cloud is realized.

First the IT solution, then the IT security - provisionally and/or in stages

This approach, which is often based on a "plaster lipolitics" approach that circumvents compliance rules and guidelines, as has often been practiced for years with on-premises solutions, does not work when migrating to the cloud. There are several reasons for this:

1. Even in the case of on-premises solutions, a "plaster on the wall" approach to IT security was and is not permissible and - in the worst-case scenario - is not a nice way to react to a security incident and is actually embarrassing because it is too late.

2. In the cloud, IT security measures differ greatly from those in on-premises environments. Security measures in on-premises environments primarily revolve around identity and access management. These measures are less effective in the cloud because the underlying platform is fully controlled by the cloud provider.

3. One of the major disadvantages of the cloud is that you have limited control over your own data. Once unsecured data has been stored in the cloud, subsequent security measures to protect the data stored in the cloud only have an ex ante effect, i.e. the current data view is protected at most. Backups, copies etc. are not protected. Protection also has no effect on data that has already been shared by the cloud provider.

Always put cybersecurity first in the future

The "migration-first - security-later approach" therefore generally works more poorly than well. Decision-makers are required to weigh up whether the supposed simplification of a cloud migration project outweighs the subsequent "clean-up work" or whether possible non-compliance can be accepted.

In the cloud, anything that is not explicitly protected is gone, potentially "lost" - at least to the provider, probably also to its partner, and depending on the geography, possibly also to the country's data retention authorities and, in the worst case, to the cybercrime community.

From our experience, it must be clearly stated that retrospective protection generally remains vulnerable because a patchwork of security measures will always have gaps. Companies are therefore prepared to live with a supposedly compliant IT security provider. No one wants to be responsible in the event of a loss, and top management is usually unaware of the actual risks.

We postulate the Security-First Approach to Cloud. We will be happy to tell you personally how this works, what aspects need to be taken into account and what solutions are available. Please get in touch with us.