Introduction

Increasingly, global organizations are migrating from legacy on-premise infrastructure to the cloud in order to achieve greater business agility and resilience with a modern IT approach. Yet too often, cloud migration and cybersecurity are considered separately, with different teams focused on different phases of what could be a shared process. With cybercrime estimated to cost US$6 trillion annually by the end of this year,¹ cloud migration raises the cybersecurity stakes. At the same time, despite the benefits—and even though “security and data protection” is a number one or two top driver for cloud migration²—investment in integrated cloud cyber technology strategies is often lacking. Deloitte & Touche LLP’s 2019 Future of Cyber survey found that 90% of responding organizations spent 10% or less of their cyber budget on cloud migration, software-as-a-service (SaaS), analytics, and machine learning.³

Indeed, many organizations are moving fast to migrate to the cloud without paying enough attention upfront to security.

This points to an opportunity for cybersecurity modernization that drives business and technology resilience—wherein cyber can become the differentiator to provide consumer trust. An integrated cloud cyber strategy enables organizations to use security in their transformation in a way that promotes greater consumer trust, especially in today’s digital age.

• incorporating leading-edge, innovative approaches such as intelligent threat detection
• balancing the need for speed while reducing risk related to technology, insider threats, and the supply chain
• supporting developers and engineers while enabling the business with DevSecOps
• establishing a cyber-forward approach that reinforces business objectives such as security and trust

This article asserts the importance of taking a conscious approach to “security by design” (focused on mission-critical business applications) to guide greater collaboration between cloud and cyber teams and to drive greater agility, security, and trust.

Based on our research, which combines primary data analysis, secondary research, and internal interviews with nine Deloitte executives versed in cloud and cyber strategies, we’ve detailed specific considerations for organizations embarking on the cloud migration journey.

Security by design: Specific considerations

Ultimately, the cloud and cyber teams should come together managed by a modernization and migration Center of Excellence (CoE) leader (often the digital transformation leader) and enabled by cross-teaming, cross-skilling, and a shared operating model. Once in place, the operating model can be used to guide greater collaboration, coordination, and implementation across controls, and risk management and compliance practices in a way that builds in security at the IT infrastructure layer while promoting the business (and ultimately) the customer experience.

This integrated team may need to collaborate around:

• Initiating the modernization and migration program. This cannot be envisioned in a silo without understanding broader business objectives, and it includes assessing business continuity issues, service-level upgrades, and potential customer impact. It also means understanding the important assets of the organization and protecting them with a cyber-centric strategy. For example, with a major retailer this could be data on product sales and customer preferences.
• Understanding innovative new cloud security technologies and approaches. Leaders should embrace a new operating model that brings together the cloud and cyber teams, taking into consideration the various aspects of modernization including talent operating model, DevSecOps, microservices, and more. The operating model can consider new offerings, implementations, and capabilities from the solution providers (such as cloud native access points) and cybersecurity leading practices (for example, National Institute of Standards and Technology’s cybersecurity framework).
• Determining the enterprise security requirements upfront. It can be critical to make sure requirements are frictionless and baked into the development process, rather than bolted on. Select a platform with the applicable security layers based on enterprise requirements such as risk and regulation. For example, one cloud provider may have more mature, customized industry solutions for the Health Insurance Portability and Accountability Act (HIPAA), which aims to modernize the flow of health care information, versus another cloud provider, or might share data quarterly instead of affecting monthly compliance reporting.
• Identifying who may likely do the work with a shared services model and cloud cyber team structure. Develop conscientious cloud security inclusive of identity access, application-level security, network security, platform security, infrastructure security, and even code-level security. Ideally, this process should understand cloud provider service-level agreements and tap into relevant controls, risk strategies, and regulatory compliance leading practices. Organizations, for example, can set up a CoE with internal cloud and cyber team members as well as external cloud and managed service providers.

A new cloud modernization operating model for cloud security by design

In many organizations, cyber entities are siloed from the rest of the organization, often with minimal and/or incomplete transparency, which can impede trust. As companies migrate to the cloud, this issue will likely grow—and perhaps the migration itself become more difficult.

This makes security by design by an integrated team more critical. Indeed, evidence suggests this is already happening. Our interviews reveal that the biggest cloud-security shift has been a move away from developers handling security toward a more collaborative model across the technology C-suite. As recently as five years ago, a chief information officer (CIO) could oversee and fund cloud-migration projects, without security involved until the end. Today, there is more coordination among the chief security officer (CSO), chief information security officer (CISO), and CIO,⁶ and this collaboration should trickle down into the modernization and migration CoE, allowing ownership to shift clearly across shared operating and responsibility models, from pre-contracting and across the development process.

This conscious, integrated approach can be used to help guide baseline analysis and security requirements during discovery and cloud vendor selection; to determine the shared responsibility model across the integrated CoE team with the cloud vendor; to set up guardrails within the IT infrastructure itself; and to manage DevSecOps processes with the applicable mix of talent and technology in place.

Discovery and cloud vendor selection

Pre-contracting, many cloud vendors expect a minimum baseline of analysis and security configurations that are handled by the client. These differ for each cloud vendor. Cloud teams can benefit from their cyber colleagues’ perspectives to better address these areas during contracting. Post-contracting and during implementation, a joint cloud-cyber team approach can accelerate the team’s ability to understand, assess, and reconfigure the cloud environment. It can also better position and prepare the CIO/CISO to perform the required third-party cloud vendor analysis risk assessments on business operations sustainability. This activity can even be written in the contract as ongoing annual activity for business continuity to avoid a “vendor lock-in” situation.

Additionally, in an ever-evolving cyberthreat landscape, cloud vendors could have insight into new cloud security product developments and implementation considerations and innovations to factor in to the operating model. In 2020, for example,

• The US Air Force created the first accredited cloud-native access point enabling the organization to connect to the cloud directly without a shared access point.⁷
• One hyperscaler introduced confidential computing, which allows organizations to keep data encrypted in memory.⁸
• Organizations used “business process as a service” to scrub confidential or personally identifiable data.

Furthermore, better awareness of compliance reporting requirements when negotiating cloud provider contracts can help to determine that the data will be shared at the frequency required for reporting. To that end, a government organization was looking to report patching data to demonstrate continuous compliance, but data reporting at the frequency needed was not part of the cloud service-level agreement (SLA). To address the issue, it was able to pull source code data and integrate it into a manual reporting process. However, this could potentially have been a smoother process if addressed at the time of contracting.⁹ To avoid challenges like this, assess these reporting needs and adjust SLAs or determine alternative reporting solutions.

The shared responsibility model

According to one industry study, 66% of surveyed executives report using cloud providers for baseline security; 73% believe public cloud providers are mainly responsible for securing SaaS solutions; and 42% believe they are responsible for securing infrastructure-as-a-service (IaaS) solutions.¹⁰ Yet, while an organization might lean on the cloud provider for secure data centers and infrastructure, a shared responsibility model gets an organization only so far. It’s still the organization’s responsibility to secure the data and applications in the cloud. An integrated cloud cyber team enables clearer demarcation of where the organization’s responsibility ends and the cloud vendor’s begins (and vice versa) and guides on how to approach ongoing monitoring.

Unlike in an on-premise environment, with cloud, physical infrastructure is rented, and shared operating models may vary based on several contributing factors. For example, 40% of US states are operating in a federated model where the CISO oversees enterprise policy and agencies lead shared services; 10% of US states have a decentralized model where the CIO advises individual state agencies on policy.¹¹ Such has been the case in the New York City Cyber Command Initiative, where the project’s deputy CISO and the agency’s head of threat management adopted cloud technology to access security data from a government network-connected device in the city.¹²

Guardrails within the IT infrastructure

With security central to the vendor selection and responsibility model creation, the security team now has a strong vantage point to embed security into the cloud migration process by setting up base guardrails and minimum configurations to protect deployment before migration activities begin. For example, workload protection and secure landing zones can create a standard configuration template that is scalable and sustainable for rapid deployment of future applications without the need for reengineering. Given the cloud methodology is meant for Agile and DevOps, an organization without secure DevOps could be undertaking a significant amount of risk, and it could be an additional component to managing development during the migration process.

Manage DevSecOps processes with the desired mix in place

DevSecOps enables organizations to embed security into their workflow rather than as a bolt-on to development.¹⁶ This allows developers and security professionals to have the shared goals of secure configurations continuously monitored, remediated, and managed for cybersecurity that drives creation of agile, resilient solutions. One insurance company, for example, migrated hundreds of applications to the cloud. DevSecOps enabled the cloud engineering team to better plan the architecture of the environment and build the cloud infrastructure to enable a secure migration. These processes can be further complemented by security automation and orchestration tools to implement structured workflows, automate security tasks, and prevent and detect threats.

• Skills/talent. Legacy technologies use virtual appliances such as those from firewall vendors to secure systems, whereas cloud technologies require understanding of security configurations. The shift requires a new talent operating model that moves work away from a develop, implement, and deploy framework, followed by security. Shift-left means security is involved upfront to provide baselines and configurations and set up architecture before go-live, reducing the need to be involved afterward. This leads to a very different talent operating and integration model.
• Microservices. As organizations look to modernize legacy applications to create more agile point-to-point services, cloud microservices operating models should consider vendor limitations and vendor portability/interoperability issues. Organizations can consider an agnostic middleware layer or microservices deployment model that helps the client resolve issues such as multi-cloud, as well as issues across enterprise systems.

The cloud security controls framework

Across the C-level, the move from on-premise to cloud typically requires a security mindset shift—from managing physical infrastructure to monitoring access across a “stateless distributed environment.” Importantly, the controls framework should address network, platform, and infrastructure; user and data security; and core application security.

Network, platform, and infrastructure

“Security by design” enables cloud developers and security teams to build guardrails into the infrastructure itself, establishing agile and secure processes. Therefore, before developers gain access to the cloud environment, the CIO and team should consider the leading approach to secure the network. It might be to embed guardrails into the cloud platform itself with “security by design” IT infrastructure, or to put in place restrictive “security by design” IT processes (e.g., authorized users responsible for reviewing infrastructure and source code before pushing to production). Industry-leading practices are moving away from perimeter-based security toward zero-trust network security architectures,¹⁷ which enable more modular developer environments, as well as micro segmentation to allow for varying levels of infrastructure access and controls across the network, identity access, and applications.

As an example of the infrastructure approach, one asset management organization moved from private to public cloud and embedded hundreds of controls into the cloud platform at the code level before giving developers administrative access. These controls served as guardrails, resulting in the successful creation of a safe and compliant development environment.¹⁸

Alternatively, taking the process approach, another financial services organization removed or highly restricted developer keys to shift access and processes for code deployment. This prompted a major cultural shift for developers who previously had been able to push application changes live more autonomously; the privilege was now restricted to a small group. To reinforce the new protocol, the organization monitored for behaviors that deviated from the new controls process; in particular, one common scenario of developers now unauthorized to push live updates using a virtual machine to bypass the privilege-access management tooling, thereby potentially creating an exposed port. To address this risk, the organization implemented a security orchestration automation and response solution, enabling the company to collect security operations data; built a business case to detect security configuration changes; and orchestrated a custom workflow resolution for reviewing them. This gave the firm required visibility for proactive network monitoring and the ability to close open ports.

User and data security

Cloud migration often requires a new approach to identity. While previously physical credentials (e.g., building access) were acceptable authorization, in a distributed system that can be accessed anywhere, user-level access credentials and key management may be required. Identity access management protocols can be fed into a modularized identity platform with user-level access requirements.¹⁹ A focus on data protection, privacy, resilience, and regulations can guide data access rights and user privileges. Executives should plan on balancing legal minimum requirements for encryption against too much encryption, which may slow down applications.²⁰

Core application security

Before moving data or workloads to the cloud, the cloud and cyber teams should determine that the following minimum controls are in place:

• Workload protection–set base guardrails and minimum configurations to protect deployment. For instance, an organization may have preset templates for function-based or container-based applications.
• Secure landing zone–establish a secure environment covering account structures, security rules, and other foundational services, based on the operating model. For example, many organizations establish a public subnet and a private subnet as a public-facing landing zone versus a private virtual network for corporate users.
• Secure by design/DevSecOps–follow security by design and DevSecOps principles as discussed with the operating model recommendations.
• Segmentation and zero trust–employ network segmentation and zero-trust protocols. For example, the organization can restrict full administrative access to the application to only the senior-most developers with stricter security credentials and training, using containers for tiered access segmentation.
• Attack surface management– manage the vulnerability landscape with tailored services to enhance vulnerability and attack surface programs. Organizations can focus on identifying and assessing cloud assets through their life cycle and across different architecture layers. As an example, smart factories can think through data flows across cloud and edge tiers to determine security is in place across the ecosystem.

Risk management considerations for the cloud cyber program

Cloud migration can reduce certain infrastructure security risks managed on-premise, with encryption, logging, private networking, monitoring, DDoS protection, automated patches, and other elements built into the cloud environment. However, many migrated systems and applications were not designed to operate online. To avoid disappointment on this front, before the cloud migration begins, organizations can conduct a cyber risk maturity assessment²¹ to understand specific technology, regulatory, and insider and supply chain risks as well as recommended remediations.²²

Technology risk

While some of these may be new territory for a cloud migration team, organizations face a number of potential technology risks to mitigate as part of their cloud cyber programs where an integrated cloud cyber team can help create a more secure, agile, and trustworthy outcome (figure 1).

Understanding technology risks can be critical—and potentially surprising for organizations that believe their systems to be well protected. One financial institution, for example, conducted a routine scan that found its technology stack had more than 100,000 built-in vulnerabilities, posing a high-security threat and requiring immediate remediation at the application, database, middleware, and code levels. This risk, in part, prompted the cloud migration and is an example of the legacy on-premise platform and applications risk noted in figure 1.23 Had the cloud migration team opted to lift and shift the infrastructure without an understanding of these vulnerabilities first, the organization could have shifted certain risks to the cloud.

In another example, a consumer goods organization running an outdated operating system had its data center taken over by ransomware when a software patch in the development environment went into production. Legacy security vulnerabilities that may have been somewhat protected by firewalls or perimeter security became exposed when moved to the cloud and weren’t remediated. Had the organization had better orchestration across the cloud and cyber teams, with proper controls in place, this type of incident—which can significantly erode consumer trust—might have been avoided.

Managing technology risk requires a balance of understanding the existing and future technology at its core—a strength of the cloud migration team—and advising on how to desirably mitigate the vulnerabilities with a security approach rooted in leading practices across the four risk categories before the migration occurs and even before the cloud vendor is selected.

Regulatory risk

When assessing their cloud vendor and before migrating data or workloads, organizations should bring together cloud and cybersecurity teams to consider four essential regulatory compliance requirements that will likely impact downstream data workflows and system configuration, including global and regional data governance regulations, industry-based frameworks, and broader technology standards, as well as US government-specific regulations (figure 2).

A large global multinational organization doing work in the public and private sectors may have to contend with a larger number of data and technology regulations, while a smaller organization may still need to consider some combination of data, industry-specific, and regional regulations while devising its cloud data strategy and subsequent risk controls. However, even “smaller organizations” can still be subject to broader regulations across borders due to globalization of data.

A regulatory risk requirement review performed by a collaborative cloud and cyber team can enhance understanding of existing data frameworks, relevant risks, and required technology specifications to improve cloud vendor selection, SLA negotiations, and contracting.

Insider and supply chain risk

Finally, a cloud cyber risk program should consider insider threats and the organization’s supply chain as specific threat vectors to balance security and trust inside and outside the organization and to avoid potential data leaks and spillage. Where the cloud migration activity could collide with insider risk is through sharing credentialed access or creating an open network access point. Cloud access security brokers that monitor for data loss and enforce controls across a multi-cloud environment are on the rise. They can help organizations to better manage internal threats24 and monitor for data loss prevention, which about 75% of organizations indicate to be an important element of cloud security.25

Managing cyber risk requires organizations to look inward and outward at different insider risks and potential points of vulnerability across their supply chains. This can be achieved by an integrated cloud and cyber team, with visibility and transparency, communication, and collaboration and execution of an integrated compliance program (and tooling) across the supply chain. For more on this topic, see Deloitte Consulting LLP’s Looking beyond the horizon: Preparing today’s supply chains to thrive in uncertainty.

Cloud program scenarios

Finally, the type of cloud program itself will impact the operating model and subsequent program. The following graphic details four common cloud program scenarios and high-, medium-, and low-complexity considerations for the integrated cloud and cyber team (figure 3).

Conclusion: Getting started

Cloud developers can’t be expected to become security specialists overnight, or to stay on top of the evolving threat landscape. They can, however, embrace working on integrated cloud and cyber teams that bring target operating model, shift-left mentality, microservices, risk, control, and compliance experience to bear during integral points in the cloud migration life cycle and with “security by design” principles. For these teams, here are a few parting thoughts to consider that can help guide the cloud modernization and migration journey, bolster business and technology resilience, enhance security, and reinforce customer trust:

• Develop a modernization operating model that brings together innovative new approaches and technologies. Include new talent models, DevSecOps, and microservices and consider precontracting responsibilities and breakdown of roles and responsibilities across a shared responsibility model. A cloud provider’s investment in security may be better than your security at present.
• Develop a controls framework that allows you to lever up with a more integrated cloud and cyber approach. The process of migration provides an opportunity and necessity to rethink security models, tools, and capabilities. The cloud controls framework should start with an understanding of the data requirements and encompass user/identity level, network/infrastructure/application, and core application controls. Organizations can conduct a risk assessment across their technology, regulatory, and cyber environment; implement the appropriate controls to fill gaps and remediate those risks; and migrate workloads to secure cloud landing zones.
• Manage compliance with innovative approaches. There continues to be new and innovative processes and approaches available to automate and ease the burden of modern compliance monitoring. Stay informed of the latest tools and processes.

By bringing together each of these components through a cloud migration CoE that includes an integrated team of cross-skilled cloud and cyber professionals, organizations can be better positioned to address the need for a broad “life cycle” to prioritize security risk levels and mitigate those risks with the proper governance, risk management, and compliance across these security components. Ultimately, the cloud migration provides an opportunity for not just greater business and technology resilience but also potentially improved security and enhanced consumer trust.

Appendix: Integrated cloud cyber strategies drive greater business and technology resilience

Deloitte Cloud Consulting Services

Cloud is more than a place, a journey, or a technology. It's an opportunity to reimagine everything. It is the power to transform. It is a catalyst for continuous reinvention—and the pathway to help organizations confidently discover their possible and make it actual. Cloud is your pathway to possible.

Learn more