22 Aug Planning for Cloud Migration or Data Center Consolidation: Security Controls
Whether you are beginning a cloud migration or starting to consolidate data centers (frequently both happen at the same time), there are a variety of questions you should answer up front that will save time and expense down the road. These questions boil down to one overarching issue: figuring out the boundaries. What do you, as a customer, want to maintain control over, and what responsibility do you want to cede to the data center? These choices have implications for responsiveness and for access to the data you need to run your organization, and they come with varying levels of cost, so they need to be driven by business strategy as well as by technology needs.
This article is the first in a series of cloud/data center management articles designed to help answer questions you may have or address challenges you may encounter as you move forward in your project. Criterion has years of experience in both cloud migration and data center management (and consolidation) based on our work with the USDA DISC, which is responsible for one of the largest and most advanced government owned and operated data centers and is one of the agencies furthest along in data center consolidation, according to the GAO. Our subject matter experts will be sharing lessons learned and best practices over the coming months. Our overall goal is to demonstrate how to keep enterprise data center needs aligned with business strategy. This is increasingly important as federal government departments and agencies seek to modernize their infrastructure and technology approaches.
Building Security In from the Start: Security Governance and Network Security
Every day it seems we get news of yet another security breach and millions of compromised consumer data records. In any technology modernization effort, cybersecurity needs to be built in from the start. Unfortunately, as the recent FITARA Scorecard 8.0 results show, agencies are far from meeting their FISMA cybersecurity requirements. A cloud migration or data center consolidation project represents an excellent opportunity to review existing security controls and put new or updated ones in place. Addressing these issues during the planning stage is far more cost effective, in both time and resources, than trying to solve them after the fact.
The first step is to choose a security governance framework or model. This establishes the foundation for the security controls you will be held to (FISMA, FedRAMP Low/Moderate/High, PCI DSS, HIPAA, GDPR, etc.) and for the lockdown of authentication and authorization (RBAC, user authentication, Kerberos, Active Directory, LDAP, etc.). Pick the framework before designing the environment: the control set determines what must be logged, who may administer what, and which network paths are acceptable, so choosing it late means redesigning later.
Next, agencies should consider network security. A hybrid environment brings together on-premises data centers, public clouds, and private clouds over one integrated network, and the physical links between them need to be chosen deliberately. Depending on the scale of the planned environment, there are two broad options for secure link connectivity: dedicated private connectivity services such as AT&T NetBond, AWS Direct Connect, or Azure ExpressRoute, which keep traffic off the public Internet and offer predictable bandwidth and latency; or IPsec Virtual Private Networks (VPNs) over the public Internet, which are cheaper and faster to stand up but are generally suited to smaller-scale environments. Note that a dedicated private link is not, by itself, an encrypted link; sensitive traffic still needs to be protected in transit (for example with TLS or IPsec) regardless of which option is chosen.
Planning Security Controls: Roles/Responsibilities and Monitoring
We talked to Avinash (Avi) Vellori, a Criterion senior firewall engineer, who shared with us two good places to start when planning security controls. The first is roles and responsibilities. The second is monitoring.
“It is important to fully understand the scope and scale of a planned migration up front,” explained Avi. “Roles and responsibilities that may or may not be performed today will be required in a consolidated data center environment. Also, many agencies are used to operating with their own sysadmins or their own firewall rules. The transition plan needs to identify where their scope ends and where the data center’s begins. For example, you will need to have a hard discussion with agencies around access roles or desktop procedures they will no longer be performing as a result of the migration.”
Criterion’s experience has shown us that the real drivers for data center consolidation or moving to the cloud are not cost, but security risk and compliance. If the project is a data migration or an as-is move (moving servers in their current state or converting them to virtual machines), the project team will need to do compliance scanning and assessments on the migrated systems, because whatever gaps existed before the move come along with it. If they are building new systems, compliance can be built in from the beginning.
“Getting to the level of security controls agencies need can be very challenging,” Avi continued. “However, a lack of monitoring can leave your system wide open. It is important to have a proper monitoring setup for every service in the cloud that can send out events, including a filtering mechanism that enables the events to be categorized. Because we have so much experience in creating processes to create and maintain these controls, we can save agencies time and money. This type of control is inherent to our services.”
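The filtering and categorization mechanism described above, as an added example that is not Criterion’s tooling or code from the original article: a small rule-based triage over AWS CloudTrail-style audit records. The field names (eventSource, eventName, userIdentity, additionalEventData, errorCode) follow the CloudTrail record schema and the event names are real CloudTrail event names, but the sample records, user names, and account number are constructed for this example, and the categories, severities and rule ordering are this example’s own choices, not a standard.

```python
"""Categorize cloud audit events so they can be routed and prioritized.

Added example (not Criterion's tooling): a rule-based filter over AWS
CloudTrail-style records. Field names follow the CloudTrail record schema;
the sample records and identities below are constructed, not real log data.
"""
import json
from collections import Counter

# Constructed sample in the shape of a CloudTrail log file: {"Records": [...]}.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/NetAdmin/carol"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "dave"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/App/i-0abc"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "erin"}},
]})


def _name(event):
    return event.get("eventName", "")


def _source(event):
    return event.get("eventSource", "")


# Ordered rules: (category, severity, predicate). The first match wins, so the
# most serious and most specific rules are listed first. Categories and
# severities are this example's own scheme.
RULES = [
    ("logging-tampering", "high",
     lambda e: _source(e) == "cloudtrail.amazonaws.com"
     and _name(e) in {"StopLogging", "DeleteTrail", "UpdateTrail"}),
    ("console-login-without-mfa", "high",
     lambda e: _name(e) == "ConsoleLogin"
     and e.get("additionalEventData", {}).get("MFAUsed") == "No"),
    ("iam-change", "medium",
     lambda e: _source(e) == "iam.amazonaws.com"
     and not _name(e).startswith(("Get", "List"))),   # read-only IAM calls are noise
    ("network-change", "medium",
     lambda e: _source(e) == "ec2.amazonaws.com" and "SecurityGroup" in _name(e)),
    ("access-denied", "low",
     lambda e: e.get("errorCode", "") in {"AccessDenied", "Client.UnauthorizedOperation"}),
]


def categorize(event):
    """Return (category, severity) for one record; unmatched records are informational."""
    for category, severity, matches in RULES:
        if matches(event):
            return category, severity
    return "informational", "info"


def actor(event):
    """Best-effort identity string: IAM user name, else the caller's ARN."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def load_records(text):
    """Parse a CloudTrail-style log file body into a list of records."""
    return json.loads(text).get("Records", [])


def triage(records):
    """Count every record by category and collect the non-informational ones as alerts."""
    counts = Counter()
    alerts = []
    for event in records:
        category, severity = categorize(event)
        counts[category] += 1
        if severity != "info":
            alerts.append({"severity": severity, "category": category,
                           "actor": actor(event), "event": _name(event)})
    return {"counts": counts, "alerts": alerts}


if __name__ == "__main__":
    result = triage(load_records(SAMPLE_LOG))
    for category, n in sorted(result["counts"].items()):
        print(f"{category:28s} {n}")
    for alert in result["alerts"]:
        print(alert)
```

In a real deployment the records would arrive from the provider’s log delivery rather than an inline string, and the alerts would feed a SIEM or ticketing queue. Two design points carry over: rule order matters (a StopLogging call should never be downgraded to a generic IAM or access-denied event), and the informational bucket is still counted rather than dropped, so a large informational count is itself a signal that a service is emitting events the rule set does not yet understand.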
By focusing on building security in from the beginning, agencies will be able to make progress toward meeting their compliance goals while benefiting from a system that helps them meet their missions more cost-effectively and efficiently.