How To Excel At Secured Cloud Migrations With A Shared Responsibility Model
- 60% of security and IT professionals state that security is the leading challenge with cloud migrations, despite not being clear about who is responsible for securing cloud environments.
- 71% understand that controlling privileged access to cloud service administrative accounts is a critical concern, yet only 53% cite secure access to cloud workloads as a key objective of their cloud Privileged Access Management (PAM) strategies.
These and many other fascinating insights are from the recent Centrify survey, Reducing Risk in Cloud Migrations: Controlling Privileged Access to Hybrid and Multi-Cloud Environments, downloadable here. The survey is based on a survey of over 700 respondents from the United States, Canada, and the UK from over 50 vertical markets, with technology (21%), finance (14%), education (10%), government (10%) and healthcare (9%) being the top five. For additional details on the methodology, please see page 14 of the study.
What makes this study noteworthy is how it provides a candid, honest assessment of how enterprises can make cloud migrations more secure by a better understanding of who is responsible for securing privileged access to cloud administrative accounts and workloads.
Key insights from the study include the following:
- Improved speed of IT services delivery (65%) and lowered total cost of ownership (54%) are the two top factors driving cloud migrations today. Additional factors include greater flexibility in responding to market changes (40%), outsourcing IT functions that don’t create competitive differentiation (22%), and increased competitiveness (17%). Reducing time-to-market for new systems and applications is one of the primary catalysts driving cloud migrations today, making it imperative for every organization to build security policies and systems into their cloud initiatives.
- Security is the greatest challenge to cloud migration by a wide margin. 60% of organizations define security as the most significant challenge they face with cloud migrations today. One in three sees the cost of migration (35%) and lack of expertise (30%) being the second and third greatest impediments to cloud migration project succeeding. Organizations are facing constant financial and time constraints to achieve cloud migrations on schedule to support time-to-market initiatives. No organization can afford the lost time and expense of an attempted or successful breach impeding cloud migration progress.
- 71% of organizations are implementing privileged access controls to manage their cloud services. However, as the privilege becomes more task-, role-, or access-specific, there is a diminishing interest of securing these levels of privileged access as a goal, evidenced by only 53% of organizations securing access to the workloads and containers they have moved to the cloud. The following graphic reflects the results.
- An alarmingly high 60% of organizations incorrectly view the cloud provider as being responsible for securing privileged access to cloud workloads. It’s shocking how many customers of AWS and other public cloud providers are falling for the myth that cloud service providers can completely protect their customized, highly individualized cloud instances. The native Identity and Access Management (IAM) capabilities offered by AWS, Microsoft Azure, Google Cloud, and others provide enough functionality to help an organization get up and running to control access in their respective homogeneous cloud environments. Often they lack the scale to adequately address the more challenging, complex areas of IAM and Privileged Access Management (PAM) in hybrid or multi-cloud environments, however. For an expanded discussion of the Shared Responsibility Model, please see The Truth About Privileged Access Security On AWS and Other Public Clouds. The following is a graphic from the survey and Amazon Web Services’ interpretation of the Shared Responsibility Model.
- Implementing a common security model in the cloud, on-premises, and in hybrid environments is the most proven approach to making cloud migrations more secure. Migrating cloud instances securely needs to start with Multi-Factor Authentication (MFA), deploying a common privileged access security model equivalent to on-premises and cloud systems, and utilizing enterprise directory accounts for privileged access. These three initial steps set the foundation for implementing least privilege access. It’s been a major challenge for organizations to do this, particularly in cloud environments, as 68% are not eliminating local privilege accounts in favor of federated access controls and are still using root accounts outside of “break glass” scenarios. Even more concerning, 57% are not implementing least privilege access to limit lateral movement and enforce just-enough, just-in-time-access.
- When it comes to securing access to cloud environments, organizations don’t have to re-invent the wheel. Best practices from securing on-premises data centers and workloads can often be successful in securing privileged access in cloud and hybrid environments as well.
The study provides four key takeaways for anyone working to make cloud migrations more secure. First, all organizations need to understand that privileged access to cloud environments is your responsibility, not your cloud providers’. Second, adopt a modern approach to Privileged Access Management that enforces least privilege, prioritizing “just enough, just-in-time” access. Third, employ a common security model across on-premises, cloud, and hybrid environments. Fourth and most important, modernize your security approach by considering how cloud-based PAM systems can help to make cloud migrations more secure.