With data breaches appearing in the headlines almost on a daily basis, many have concerns about cloud security. There is no doubt that the introduction of trends like cloud, IoT and BYOD are changing our networks, dissolving the perimeters we used to have. In this reality, ensuring the security of enterprise systems that are migrated to the cloud can be a challenge and in some cases, put on hold the migration of homegrown and legacy systems.
When planning to migrate a homegrown or legacy application to the cloud, many organizations choose the ‘lift and shift’ approach. The advantages of the ‘Lift-and-Shift’ approach are clear because it means that the application and its associated data are migrated to the cloud with minimal or no changes. You “lifted” the application from its existing environments and “shifted” it as-is to the cloud. This means that there won’t be any significant changes to the application architecture, data flow, or authentication mechanisms.
Securing Access to Migrated Applications
Many have concerns regarding the security of migrated applications in the cloud. Some of these concerns are justified: In a 2018 Cloud Security Report from Crowd Research Partners, 84% said their traditional security solutions either don’t work at all in cloud environments or will have only limited functionality. 43% of cybersecurity professionals said they struggle with visibility into cloud infrastructure security, 38% struggled with compliance, and 35% struggled to apply consistent security policies across cloud and on-premises environments.
55% said that their biggest perceived threats to cloud security were unauthorized access through misuse of employee credentials and improper access controls. These concerns are justified when our homegrown and legacy applications rely on password-only authentication. While running in on-premises data centers, traditional defense layers provided additional protection. If the same security controls aren’t available when running these systems in the cloud, they become inherently more vulnerable. In some cases, adjustments to traditional security controls can be made to the system with some code changes. In other cases, such changes are impractical.
5 things that can help with a smooth and secure migration of on-premises servers and applications to the cloud
Here are five things to keep in mind when planning a migration of on-premises homegrown and legacy systems to the cloud:
- Mapping dependencies before moving the app to the cloud
Successful application migration requires a detailed understanding of how all of your applications and servers are communicating. To map dependencies, you first need to discover how all machines and applications in your infrastructure are communicating with each other, including any Shadow IT, e.g. servers and systems implemented by various business units, that your IT is not aware of. If your applications have any dependencies on Shadow IT, it must be incorporated into your migration plan. Without mapping all dependencies first, your applications are likely to break.
- Securing authentication to migrated applications
Securing access to enterprise systems is a top priority whether an application is running on-premises or in the cloud. After all, it doesn’t really matter where the application is running – if it relies of password authentication it can be exposed to unauthorized access. And if you obtain an administrator password, which enables full access and control over the application and its infrastructure, you can steal data or make whatever changes you want. The only difference is that when an application is running in the cloud, it may not be protected by the traditional security defense layers that would defend applications on premises. However, there are cloud security defenses that can be applied.
Adding multi-factor authentication for any migrated application, especially those that rely on password-only authentication mechanisms, provides a critical security control and ensures that only authorized users can log into the application. (There is a caveat: if you are doing a ‘shift-and-lift’ migration of a homegrown or legacy system, it would probably be a challenge to apply mainstream MFA solutions. A next-generation authentication solution will better support these apps.)
- Adding access policies (deny or grant access):
Most applications apply role-based access controls on users after they logged into the application. However, in some cases, these may not be enough. For example, you may want a policy that says that a user may not log into the application from an unauthorized device, or from an untrusted location. In that case, access controls should be applied at the access request level.
By applying secure authentication it is possible to apply effective access control to deny or allow access based on the source of the request, the user, the device used and other parameters before the user logs into the system.
- Auditing all access:
If you have concerns regarding unauthorized access, it’s important to keep track of any access attempts to your sensitive resources and to have the ability to put them in the proper context. First of all, a consolidated audit trail can help us understand which users are accessing our sensitive resources and how they are accessing them, to detect both internal and external threats. When looking to minimize access rights to ‘least privileges’, meaning limiting a user’s access rights to the bare minimum permissions he/she needs to perform their work, an audit trail helps us verify if a user is currently using or not using all his/her access rights. In addition, understanding what other resources a user is accessing can help us associate the user with a community of similar users, and predict if he/she might need to access additional resources. Or, if the user is accessing different resources than his peers, an audit trail can help us identify this anomaly which may require further investigation.
- Unified security policies:
Migrating homegrown and legacy systems to the cloud is typically a long process and may take years. This is why it’s often done in a phased approach, and involves applications that run in hybrid environments. Many organizations already have some hybrid environments, and Gartner estimates that by 2020, 90% of Organizations will adopt hybrid infrastructure management.
Managing security policies across hybrid environments in a unified manner not only simplifies these processes but also ensures improved and consistent protection.
How can Silverfort help?
Silverfort’s next-generation authentication platform was designed to meet the needs of our modern networks. Unlike mainstream MFA solutions, it doesn’t require deployment of software agents or proxies, or any integration with the protected systems. This makes it uniquely suitable for securing homegrown and legacy applications whether they are running on-premises or while migrating them to the cloud.
Before migrating the application, Silverfort automatically maps out dependencies – a critical step in ensuring a smooth migration without ‘breaking’ the application. Then it can seamlessly add MFA to the system and ensure secure access, without requiring any changes to it, its supporting infrastructure or network.
Silverfort continuously monitors and audits all access requests across on-premises, cloud, and hybrid environments. The consolidated audit trail details both user-to-machine and machine-to-machine access activities and is further analyzed by Silverfort’s AI-driven risk engine to automatically identify behavior anomalies and known malicious access patterns, like brute force attacks, ransomware, lateral movement attacks (e.g. pass-the-hash) and more.
Finally, Silverfort enables you to manage MFA and access policies across all your enterprise environments from a unified console, simplifying the implementation and reducing ongoing maintenance costs.
By Dana Tamir, VP Market Strategy, Silverfort
Dana is a veteran of the cybersecurity industry with over 15 years of real-world expertise and leadership roles in leading security companies. Prior to Silverfort, Dana served as VP Marketing at Indegy. Before that, she served as Director of Enterprise Security at Trusteer (acquired by IBM in 2012). She also held various roles at Imperva, Symantec, Bindview, and Amdocs. Dana holds an engineering degree from the Technion – Israel Institute of Technology, in addition to a number of industry and vendor certifications.
To learn more about Silverfort and see a demo, contact us today!