
Cloud migration demands contractual safeguards and clear strategy
Cyber security experts urged organisations to define clear objectives, understand shared security models, and implement strong data governance when migrating workloads to the cloud
A clear strategy, a deep understanding of shared responsibilities, and contractual safeguards are key as organisations embark on or expand their cloud journeys, cyber security leaders advised at the ATxEnterprise conference in Singapore this week.
During a panel discussion moderated by Anil Kumar Appayanna, chief information security officer of India International Insurance, experts from Huawei and the Cyber Security Agency of Singapore (CSA) delved into the strategic and technical hurdles of moving to and operating within cloud environments.
Appayanna set the stage by noting that “everybody has either moved, or are in process of moving, to cloud”, adding that organisations should now focus on doing so in a secure manner.
For a start, businesses will need to define their goals, according to Dennis Chan, chief security officer of Huawei International. “I always ask our end-users to clarify their key objectives for moving their business processes to cloud,” he said, noting that business owners often do not have a clear vision and can be overwhelmed by the marketing from cloud suppliers.
Chan also stressed the importance of data classification in determining the appropriate cloud model to adopt. “What sort of data is involved? We need proper data classification so that we can recommend if they should stay on-premises, use a private cloud, or have the flexibility to use any of the public cloud providers.”
Donald Ong, senior assistant director at the cloud cyber security programme office at CSA, offered a national perspective. “Our key mandate is to ensure that all digital services in Singapore, if they were to move to cloud, can stay resilient,” he said.
Ong also noted the concentration risk associated with a public cloud market dominated by major suppliers. “What if the services go down? How much of that is going to impact Singapore? That has always been our worry.”
Discussing technical challenges, Chan raised the problem of shadow IT, where the use of unauthorised software and virtual machines could lead to data breaches. He also underscored the importance of contractual agreements, so that organisations can work with suppliers under the terms of their contracts to investigate data breaches.
Ong also detailed common cloud migration pitfalls, particularly with lift-and-shift migrations, where developers may ask for administrator privileges to facilitate the move, bypassing identity and access management controls. If such arrangements become permanent over time, then organisations could be exposed to security risks, he said.
He also warned of the danger of access keys with administrator privileges being inadvertently exposed by developers on GitHub after deploying cloud applications. If those keys are in an open repository, threat actors could use them to compromise an organisation, Ong said. “You don’t even need to access the demilitarised zone or find some vulnerability to hack through it.”
On data governance in a multicloud environment, Chan urged organisations to understand how their data flows across different jurisdictions. He also pointed to contractual clauses, such as those referenced in the Infocomm Media Development Authority’s cross-border privacy rules, as tools to safeguard data.
Ong underscored the importance of understanding the shared responsibility model, noting that encrypting and protecting data is the responsibility of both end-users and cloud service providers. He added that CSA is developing a set of cloud security competencies for operators of critical infrastructure, slated to be released later this year.
Addressing a question on whether organisations should revert to on-premises platforms, Chan acknowledged that some organisations have started to do so out of cost and security concerns. But regardless of where the workloads reside, organisations will still need a security playbook that details incident response processes to mitigate the impact of security breaches, he added.
In addition, organisations will require robust backup strategies. “You will still need backups to protect your crown jewels,” Chan said. “Also, ensure your backups are clean, and if you get hit by ransomware, scan your backups to ensure the malware is not there.”
Concluding the discussion, Appayanna likened exit clauses in cloud service contracts to a prenuptial agreement, an analogy Chan supported: “Have good exit clauses in contracts with your cloud service providers or else you will find it difficult to move out.”