Mitigating the Security Risks: migrating legacy applications to the Cloud

For many organisations, an increasing proportion of the applications that they rely on for their day-to-day business operations are hosted in the cloud. This stands to reason: the cloud offers a range of benefits from cost to flexibility and scalability, which makes it an attractive option at a time when the need to ‘do more with less’ is high on the corporate agenda.


However, moving legacy applications to the cloud comes with its own set of security challenges. The way that an application is used and hosted in the cloud can differ significantly from how the original application was deployed on-premises. With shared tenancy and multiple users on the same stack, organisations need to assess and remediate new vulnerabilities. Planning the journey, and understanding and mitigating these security risks, is key.

Application Security

Cloud computing has fast become the de-facto model of computing for many key applications and services. In fact, it is estimated that, by 2018, 50% of the applications running in public cloud environments will be considered mission-critical by the organisations that use them. The cloud evolution and all the benefits that come with hosted applications and services – reduced operating costs and an ‘on-demand’ consumption model – now mean that the cloud-first, or cloud-only, approach to applications will soon be the default option.

As with any significant change, there are security risks. Yet where the focus for cloud security has typically been on the controls and checks in place protecting the infrastructure on the cloud provider side, organisations must also consider security from the perspective of the design and architecture of the application that’s running in their cloud. Migrating apps to the cloud introduces new issues arising from inter-connections and interactions between components, authentication, logging and key management. A critical part of the path to migration is identifying any missing or weak security controls or flaws in the application itself that could increase the risk of a breach.


Organisations need to start by assessing their strategy, including:

Defining the boundaries

One of the issues to resolve is defining the lines of responsibility. For on-premises applications, the organisation is wholly responsible for security. In the cloud model, some responsibilities shift to the cloud provider, so it’s important to know exactly what these are and where the ‘hand-off’ is. Many network and application level security assessments become strictly cloud provider activities, or can only be conducted if the provider permits the action. Some assurance activities that were typically conducted by security consulting firms are now responsibilities of cloud providers.

For example, with a SaaS (Software as a Service) model, in which the cloud provider runs the infrastructure and application for the customer, they also own the majority of security responsibility and control. In the IaaS (Infrastructure as a Service) model, the customer runs and manages virtual machines in a software-defined environment. This means that the customer has the greatest security control and responsibility.

Security Assessments

A full security assessment can help to identify the specific areas of risk. This will not only ensure that the application works optimally in the cloud, but also that there are no new risks as a result of the migration.


This should include a configuration review: assessing the cloud platform layer controls, testing applications for vulnerabilities and remediating what is found. Deeper testing, combining static testing (SAST), dynamic testing (DAST) and code review, will identify the risks. Reviews of the design and architecture of the application, along with threat modelling, will show where the risks are and where action needs to be taken. This may highlight issues such as how authentication and authorisation are designed for the application, and how the encryption mechanism and key management are designed. It will determine whether you are protected against targeted threats such as malicious insiders or external cyber criminals.

Ultimately, the responsibility for the security of the application rests with the organisation. As more of us make the journey to the cloud, ensuring that application security has been addressed, and that any flaws in design or architecture have been remediated, must become a core part of the migration strategy.
