WP Why a “Lift-and-shift” Cloud Migration Strategy Doesn’t Support Data Security | Imperva

Why a “Lift-and-shift” Cloud Migration Strategy Doesn’t Support Data Security

Why a “Lift-and-shift” Cloud Migration Strategy Doesn’t Support Data Security

The classic 1982 Steven Spielberg horror film “Poltergeist” chronicles disturbing, unexplained paranormal activity happening in a suburban family’s idyllic home. As the activity becomes more sinister and terrifying, the family learns that their neighborhood was built on an old burial ground. It turns out that the real estate developer moved the burial markers, but not the bodies and the old spirits got really angry.

The “lift-and-shift” cloud migration strategy that many organizations use reminds me of the plot of this scary movie. Instead of moving headstones and leaving bodies, in “lift-and-shift” the organizations move the data but not the protection. Instead of being left with angry ghosts, they are left with massive volumes of data they cannot see, vulnerable to theft and exfiltration they won’t learn about until it’s too late.

Organizations are finally starting to realize this in greater numbers. In a 2022 survey conducted by 451 Research, 45 percent of businesses reported that they had experienced a cloud-based data breach or failed audit in the past 12 months, up 5 percent from the previous year. They also reported that despite the shift to the cloud, many businesses share common concerns about the increasing complexity of cloud services. Fifty-one percent of IT professionals agree that it’s more complex to manage privacy and data protection in the cloud. Respondents also reported that a simple “lift-and-shift” migration tactic has dropped from 55 percent in 2021 to 24 percent today.

The data suggests that the challenge is clear. Breaches of cloud-based data are up, more than half of IT professionals admit their concerns about the complexity of cloud services, and the number of them using “lift-and-shift” migration tactics has dropped by half in a year. They are facing a practical reality that the easy, less expensive tactic will cost much more in the end – in the form of audit failures and data breaches.

In this post we’ll explain the principal factors behind why your data protection does not move with your data when you use “lift-and-shift” tactics and give some insights into how you can create a holistic view of your data repositories – on-premises and cloud-native – so you can apply security controls and quickly identify and mitigate anomalous behavior and facilitate safe data migration to cloud environments.

Moving the data is the easy part, moving the security is the problem

It’s not hard to figure out why organizations undergoing digital transformations are looking for avenues to modernize, innovate, and adapt their application landscapes to the latest technology available on the big public cloud platforms. Doing so enables them to shift their focus from underlying infrastructure and platforms to application innovation. Big public cloud platforms offer unmatched availability, scalability, and agility of cloud resources when compared to on-premises deployments. Cloud platforms offer pay-as-you-go cost management, which helps to convert huge capital expenditures to bite-sized operational expenses. They eliminate the need to replace end-of-life technology and they are purpose-built to be secure. It would make sense to think a simple “lift-and-shift” of the data to the cloud environment would complete the story, but this is exactly where it gets complicated.

Each cloud-native environment has a unique structure, requiring security teams to understand how to configure each specific one to enable them to gain the visibility required to protect the data from policy-violating behavior. If the environment is not configured properly when you “lift-and-shift” your data it is very likely that protection that was there in the on-premises environment will not migrate with it. Also, without the knowledge of the security teams, DevOps teams and DBAs can constantly spin up new databases in their cloud-native environments. Unless there is an automated process in place that enables security teams to detect and monitor these new databases, or at least identify where there are gaps in coverage, they will be unprotected and the risk of breaches will always be higher than it needs to be.

Current agent-based data security tools don’t work on cloud data

Prior to digital transformation, when organizations needed additional data activity monitoring, they would add servers, appliances, and agents to the system to accommodate the increased volume. For others using just native data logging tools, they would focus their efforts only on the data for which they were accountable to provide audit trails and proof of compliance. In a very short period of time, this approach has become obsolete. It is virtually impossible to apply agent-based data activity monitoring or native data logging tools to cloud-based data. Once you “lift-and-shift” data to the cloud, whatever on-premises monitoring you were doing is now gone.

Even in light of that stark reality, we suggest keeping agent-based data activity monitoring for the time being. If your organization is like most, your data repositories feature a mix of modern and legacy systems. With older on-premises environments such as DB2 z/OS, using agents works well. However, in order for you to gain protection for data migrated to the cloud using “lift-and-shift”, you will need an agentless solution as well.

Secure cloud-native data after a “lift-and-shift” migration

After a “lift-and-shift” migration, it is extremely likely that the architecture hosting an organization’s data is secure. Securing the data, however, is the organization’s responsibility. As we mentioned, there can be challenges to accomplishing this. The first is ensuring your security team has configured the cloud environment properly so they can gain visibility into the data. They also need to make sure that there is an automated process in place that enables them to see gaps in security coverage and that detects when DBAs and DevOps teams create new databases.

Imperva Data Security Fabric (DSF) dramatically simplifies this process. In cloud-native environments, the service provider has an API that enables the audit specification and for users to retrieve the log groups from the cloud object stores. When using Imperva agentless auditing, no additional configuration is required. DSF automatically accepts and processes all the incoming data.

A convergence of platforms facilitates cloud data migration

If not executed securely, migrating data to the cloud can cause your organizations’ threat surface to balloon, exposing you to a potential explosion of attacks and leading to breaches whose financial damage outweighs all of your cloud-earned gains. Simplifying the process gives you the greatest chance for success.

Imperva Data Security Fabric protects your organization from data breaches and compliance incidents during cloud migration by augmenting traditional enterprise security approaches with controls for the data itself, to drive policy-compliant data handling behavior, and help security staff pinpoint and mitigate data threats before they become damaging events.

Imperva DSF combines automated security and compliance platforms into a single technology solution to remove the complexity of managing a diverse set of data security tools for data oversight. Through a single dashboard, you can manage data discovery and classification, data activity monitoring, data risk analytics and threat detection, additional options for data loss prevention, data access control and data masking, plus provide instant audit and compliance reporting.

Get Gartner’s recent report, 2022 Strategic Roadmap for Data Security Platform Convergence and learn why Imperva Data Security Fabric represents the future of enterprise data security.