Differentiating your cloud migration with a cyber-forward cloud strategy

As organizations develop their migration and modernization center of excellence (CoE) strategy and team, they can benefit significantly from bringing together both cloud and security specialists with cross-teaming, cross-skilling, and a shared operating model to guide migration. In this way, companies can take the increased collaboration across the technology C-suite (chief information officer [CIO], chief security officer [CSO], and chief information security officer [CISO]) that has been a steady trend over the past decade and trickle that transformation down to the program level in a way that balances agile development needs with risk management requirements and controls. A cyber-forward cloud migration strategy and team will look to:

Align business strategy, leading practices, and innovative approaches with a shared operating model

• Define the business requirements and objectives for the cloud migration program.
• Consider the key drivers for the cloud migration program and determine the business goals (whether that’s improved customer experience on a core business application or enhanced performance of legacy application), aligning with technical requirements.
• Bring together an integrated team of cloud and cyber professionals under the CoE with an operating model based on the migration scenario—whether a data center migration, application migration lift-and-shift, new cloud native development, or hybrid strategy (see figure 2).
• Understand the shared services model, clearly defining responsibilities of the organization (across cloud cyber functions) versus the vendor to bring together the desired mix of skills and capabilities, leading practices, and innovative approaches. A collaborative cloud vendor selection process that brings together both cloud and cyber experience will allow organizations to consider due diligence requirements, base security configuration requirements, compliance reporting and data access needs, and more for optimized service agreements and contracts.
• Employ DevSecOps during the migration to further integrate cloud development with security and operations with a shift-left approach.

Implement organizational and technology controls guided by a Zero Trust mindset

• Determine requirements up front and build guardrails within the IT infrastructure and through “security by design” approach. Consider applying a Zero Trust mindset at the network, data, identity, and workload layers.
• Confirm that the controls framework addresses all tiers of network, platform, and infrastructure; user and application security; core infrastructure security; and core application security.
• Consider creating a Zero Trust environment and focus on data protection, privacy, resilience, and regulations to guide data access rights and user privileges and find the desired balance across security, performance, and customer experience. 
• Secure the core application with workload protection, secure landing zones, security by design, DevSecOps, segmentation, and Zero Trust and attack surface management.

Prepare for the unexpected with the proper risk management plan

• Understand specific technology, regulatory, and insider and supply chain risks and how they could affect the cloud migration program.
• Factor those risks into cloud vendor selection requirements and data governance programs
• Consider implementing continuous and predictive monitoring solutions to meet compliance reporting requirements, confirm security, and enhance threat intelligence and remediation. Organizations increasingly are focused on data loss prevention (DLP) solutions as a key focus area.

Bringing it all together

As organizations look to migrate their legacy infrastructure to the cloud, a cyber-forward approach can help to make security a competitive differentiator. A modern operating model balancing leading practices and innovative new approaches, governed by a robust controls framework and supported by requisite risk considerations can help to advance this strategy.

For more on this topic, watch for our upcoming Deloitte Insights article, “An integrated cyber approach to your cloud migration strategy,” which launches on March 2.