Tips for the CISO: 6 Secure Cloud Migration Myths
Every cloud migration is different, because every organization faces different requirements as it migrates to the cloud. However, all cloud migrations should adhere to the same core security principles – and unfortunately, some basic principles are not always well understood. Cloud architects, engineers and security teams can too easily fall victim to myths that lead to less than optimal security practices, or that cause them to miss important opportunities for maximizing cloud security.
To address this issue, this article walks through six common cloud migration security myths, including insights from two senior cloud security professionals, Saul Schwartz, Information Security Lead at Zinnia, and TJ Gonen, VP Cloud Security at Check Point. The talking points were covered during an in-depth webinar held in June 2023, “What CISOs need to consider in their cloud migration”, and in discussions with Check Point cloud security architects with extensive hands-on experience securing workloads during and after cloud migration.
The basics of secure cloud migrations
Before diving into a discussion of cloud migration security myths, let’s take a look at the fundamentals of cloud migration security.
Cloud migration is the process of shifting workloads that are hosted on-premises partially or fully into a cloud environment. Since 94 percent of companies now use cloud services, cloud migration is a familiar process to many security teams.
“The 6 Rs of Cloud Migration” is a popular methodology, though some experts believe that a different way of framing your approach is more helpful and produces better results.
Crawling stage: Typically, cloud migrations follow a “crawl-walk-run” approach. They start slowly, with businesses “crawling” into the cloud via a lift-and-shift that moves workloads into the cloud without overhauling them. This is the easiest way to migrate, but it often means missing out on opportunities to optimize workload performance and cost-effectiveness.
Walking stage: For that reason, many organizations proceed onto the second stage of migration – the “walk” phase. Here, they refactor workloads (which means making changes to their design or architecture, such as converting a monolithic application to run as microservices) so that they can take advantage of more sophisticated types of cloud solutions, such as Platform-as-a-Service (PaaS) offerings. This leads to greater efficiency, but it also raises new security challenges due to the added complexity of workloads.
As a result, businesses typically deploy new types of security tools, such as Cloud Security Posture Management (CSPM) and runtime security software. Firewalls and other basic cloud security solutions aren’t enough once you’re “walking” in the cloud.
Running stage: As cloud strategies mature further, businesses reach the “run” stage. Here, they take full advantage of cloud-native architectures and services – such as serverless functions and containers – along with the automation strategies and tooling (like Kubernetes-based orchestration and Infrastructure-as-Code) that complement them. At this point, cloud environments are truly complex, and businesses need truly sophisticated security strategies to protect them.
Because cloud migrations can take diverse forms and lead to cloud strategies that evolve over time, there is no one-size-fits-all approach to cloud migration security. On the contrary, as TJ Gonen explains in the CISO webinar, cloud migration security boils down to “stepping back, taking a look at what risk you’re trying to mitigate or eliminate, and then working backwards from there.” In other words, you have to assess the unique requirements of your cloud environment and workloads, then plan your cloud migration security strategy accordingly. You can’t just run through a generic security checklist and expect that it will cover all possible scenarios and meet all your business requirements.
That said, as you assess your unique security needs, you should strive to adhere to what we call the “three Cs” of best security by devising a strategy that is:
- Comprehensive: Your security tools and processes should allow you to protect every resource in every part of your cloud environment.
- Consolidated: You should be able to manage security operations using a consolidated, centralized set of tools, rather than toggling between different solutions for different parts of your environment.
- Collaborative: Your approach to cloud security should enable seamless collaboration between all stakeholders – your security team, your developers, your IT engineers, business decision-makers and anyone else impacted by cloud security outcomes.
When you proceed according to these principles, you’ve established a strong foundation for a secure cloud migration, regardless of the exact form that your cloud migration takes.
Top cloud migration security myths
Now that we’ve talked about what you should do to secure your cloud migration, let’s discuss common cloud migration security myths that you should avoid.
Myth 1: On-prem security tools don’t work in the cloud
To be sure, the security tools that you use to protect cloud environments may look somewhat different from those that you leverage on-prem. But to a very large extent, it’s possible to adapt on-prem tools to work in the cloud.
For example, firewalls play an important role both on-prem and in the cloud. Cloud firewalls are a bit different because they need to integrate natively with the latest cloud vendor networking services, be elastic, agile and scalable and be easy to deploy. They also require automation so they are ready to support cloud operations teams, and they need to provide adaptive security policy to manage any and all dynamic changes to your cloud environment.
In short, “don’t assume that your tool sets on premise will be a one-to-one relationship in the cloud,” as Saul Schwartz, Information Security Manager at Zinnia, says in the webinar. But you should expect to be able to adapt and extend some of your on-prem security tools and strategies to support your cloud migration. You don’t need to start from scratch.
Myth 2: Cloud vendor cybersecurity tools are better than third-party solutions
The built-in security tools that public cloud vendors offer may seem compelling because they’re available by default. But they are almost never better than third-party offerings.
After all, the cloud vendor’s main objective is to sell more cloud services to their customers, and offering cybersecurity solutions supports this goal. In contrast, third-party cybersecurity vendors don’t have a horse in the cloud-sales race. Their only goal is to help their customers secure their cloud migrations and secure workloads during and after migration.
Plus, cloud vendors’ own tools suffer from the problem of not being able to support other clouds in most cases, which is a big issue for organizations that adopt a multi-cloud architecture. They also wed you to a particular cloud, creating challenges if you choose to migrate or if a merger or acquisition event requires your company to consolidate cloud environments.
Myth 3: Cloud vendor cybersecurity tools are cheaper
It’s also easy, but wrong, to assume that cloud vendor security tools are cheaper. They may offer lower pricing in some areas, such as data ingestion costs. But overall, your total cost of ownership (TCO) will often be higher due to factors like:
- Fewer tool features, requiring you to hire more staff to fill in the gaps left by the tools.
- The need to switch between different tools and UIs to achieve tasks (for example, Azure has five different consoles for cloud network security: Security Groups, Azure Firewall, Microsoft Defender for Cloud, Azure Policy, Microsoft Sentinel), which also leads to less efficiency and requires larger teams.
- They work only with a particular cloud, which means you can’t easily take advantage of cost savings opportunities you’d obtain by migrating to other clouds or going multi-cloud. As Schwartz notes in the CISO webinar, “If you’re dependent on a cloud vendor security solution, and then suddenly you have to do the same thing in another cloud, you’re toast.”
- A reduced ability to prevent and detect risks and threats, leading to potentially higher costs from more serious, and more probable, security incidents.
In short, once you look beyond the basic price tag, you realize that cloud vendor tools are almost never more cost-effective.
Myth 4: You don’t need firewalls in the cloud
Because cloud vendors offer tools for filtering traffic and isolating workloads at the network level, you might assume you don’t need a firewall in the cloud.
The reality, though, is that cloud firewalls play a critical role in cloud migration security and form a foundational layer, providing significant risk reduction at a high cost-benefit ratio. Suffice it to say that leading cloud vendors would not invest heavily in developing cloud firewall solutions if they were not a necessary security layer for their customers.
However, the flexibility of cloud vendor firewall tools is limited. For example, they don’t provide advanced features like deep traffic analysis, they don’t work across multiple clouds and they don’t easily integrate with third-party tools to facilitate centralized risk management. To protect against sophisticated cloud network threats, you need a sophisticated cloud firewall.
Myth 5: Developers are siloed from cloud security
This myth persists because developers and security teams tend to work in silos. Developers focus on developing applications but then leave it to cloud security teams to protect the applications and the cloud environment. When this challenge is not managed, it can slow teams down and lead to internal conflicts.
The key to breaking these silos is to give dev and security teams shared tools. One example is Infrastructure-as-Code (IaC) platforms, which enable developers to define the infrastructure they need using code and also enable security teams to validate that the infrastructure is secure via automated analysis. Likewise, shared access to threat prevention, detection, and analysis tools by both developers and security teams helps each group collaborate with the other to manage risks, while also providing shared visibility into the status of security operations.
A shared set of tools will allow you to converge different security methodologies to break down the silos, while enabling development and security teams to speak the same language. Shared tooling also helps put the spirit of shift-left cloud security into practice. And it may allow developers to participate more actively in the cloud migration process by ensuring that apps designed with on-prem security in mind can also be protected against cloud security risks.
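The automated IaC validation described above, as an added example that is not from the article or from Check Point's tooling: a Python policy check run over a constructed Terraform plan in the shape of `terraform show -json` output (trimmed to the fields the check reads), flagging security group ingress from 0.0.0.0/0 on administrative ports and public bucket ACLs. The port list, the sample resources and the `check_plan` helper are assumptions for illustration.

```python
import json
from ipaddress import ip_network

# Constructed sample shaped like `terraform show -json` plan output, trimmed to the
# fields this check reads. Not taken from the original article.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"after": {"ingress": [
             {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "change": {"after": {"ingress": [
             {"from_port": 5432, "to_port": 5432, "cidr_blocks": ["10.0.0.0/8"]}]}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"after": {"acl": "public-read"}}},
    ]
})

# Hypothetical policy: ports that must never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 3306, 5432}


def is_public(cidr):
    """True for a CIDR covering the entire IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_plan(plan_json):
    """Return policy findings as (resource address, message) tuples, in plan order."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after") or {}  # None when a resource is destroyed
        if rc["type"] == "aws_security_group":
            for rule in after.get("ingress", []):
                open_world = any(is_public(c) for c in rule.get("cidr_blocks", []))
                ports = range(rule["from_port"], rule["to_port"] + 1)
                # from_port 0 with protocol -1 means "all ports" in AWS, so flag it too.
                if open_world and (rule["from_port"] == 0 or ADMIN_PORTS.intersection(ports)):
                    findings.append((rc["address"],
                                     f"ingress {rule['from_port']}-{rule['to_port']} open to the internet"))
        elif rc["type"] == "aws_s3_bucket" and after.get("acl", "private").startswith("public"):
            findings.append((rc["address"], f"bucket ACL is {after['acl']}"))
    return findings


if __name__ == "__main__":
    for address, msg in check_plan(SAMPLE_PLAN):
        print(f"FAIL {address}: {msg}")
```

Wiring a check like this into the pipeline that runs `terraform plan` lets the security team fail a change before it is applied, while developers see the same finding in the same place they see their code.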
Myth 6: Security comes at the cost of speed
The more effort you invest in cybersecurity, the slower you innovate, right? Doesn’t enforcing strong cloud security controls reduce the speed at which your IT operations engineers can roll out new infrastructure and your developers can build applications?
Well, not necessarily. Unless you suffer from organizational silos and disparate tools, you can be secure while also moving fast.
With tools that let you manage security threats across all environments – meaning any cloud, or multiple clouds where relevant – while also making security collaborative between teams, at all stages within the software development lifecycle, you can move fast while remaining secure because you can integrate security into IT operations and software development workflows. Integration means your engineers can provision new infrastructure and push out new applications quickly, while adhering to the security policies you establish.
Conclusion
Securing cloud migrations can be challenging, especially because cloud migration is a complex process that different organizations approach in different ways, for different reasons and with different considerations and constraints.
Yet, as long as you adhere to the core set of best practices for securing cloud migrations, you can keep your workloads and environments safe. Avoid common mistakes like relying on cloud vendor tools when third-party solutions would be more effective, or assuming that you must trade speed for security. With the right strategy and the right tools, you can have it all: A secure cloud migration, cost-effective operations, collaborative teams and maximum flexibility to pursue whichever cloud strategy makes most sense for your business.
For more information on how to secure your cloud network migration, see Check Point’s solutions for cloud network security.