Data Security Issues In Cloud Migration


Summary

Data security issues in cloud migration refer to the challenges organizations face in keeping sensitive information safe when moving data from traditional systems to cloud environments. These risks often stem from misconfigured settings, weak access controls, and improper management of encryption keys, which can leave data vulnerable to theft or exposure.

  • Secure key management: Always keep a detailed inventory of encryption keys and rotate them regularly to prevent unauthorized access during and after migration.
  • Restrict permissions: Limit who can access cloud data and resources by enforcing least-privilege policies and regularly auditing access controls for unnecessary privileges.
  • Monitor configurations: Use automated tools to continuously scan cloud settings for misconfigurations and alert you to any security gaps or exposed data.
Summarized by AI based on LinkedIn member posts
  • Matthew Chiodi

    CSO at Cerby | former Chief Security Officer, PANW

    15,653 followers

    Key management: a make-or-break factor in cloud migrations.

    Migrating data to the cloud is no small feat. While many organizations focus on moving the data, they often underestimate the complexity of encryption and key management. This oversight can leave sensitive data exposed to breaches and compliance failures.

    Recent research from the Cloud Security Alliance and lead authors Sunil Arora, Santosh Bompally, Rajat Dubey, Yuvaraj Madheswaran, and Michael Roza found that if you want to fortify your migration process, you need to take some key steps to manage encryption keys effectively during cloud migration.

    1️⃣ Inventory Your Keys: Document all encryption keys, including their purpose, algorithm, and expiration dates. This ensures nothing slips through the cracks.
    2️⃣ Plan Key Transfer Securely: Use customer-managed keys (CMKs) or BYOK (Bring Your Own Key) solutions to maintain control over encryption.
    3️⃣ Encrypt Before Transfer: Ensure data is encrypted in transit and at rest. Secure connections (like AWS Direct Connect or Azure ExpressRoute) can minimize exposure risks.
    4️⃣ Rotate Keys Regularly: Set automated key rotation policies to limit potential exposure in case of compromise.
    5️⃣ Implement Least Privilege Access: Restrict access to encryption keys, enforce role-based permissions, and use monitoring tools to detect misuse.
    6️⃣ Validate with Testing: Test key integration with cloud services before migration using unit, integration, and end-to-end testing to avoid surprises post-migration.

    Cloud migration isn’t just about moving data—it’s about moving securely.

    #CloudSecurity #Encryption #CloudMigration #CyberResilience #DataProtection Bedrock Security

  • Yew Jin Kang

    Banking Chief Technology Officer | IDG/Foundry CIO100 | Solution Architect | Cloud | Artificial Intelligence Enthusiast | Comics Collector | Toy Photography

    11,889 followers

    This EY incident underscores a truth we often overlook: the most common cloud vulnerability isn't a zero-day exploit; it's a configuration oversight. A single misstep in cloud storage permissions turned a database backup into a public-facing risk. These files often hold the "keys to the kingdom", i.e. credentials, API keys, and tokens that can lead to a much wider breach.

    How do we protect ourselves against these costly mistakes?

    Suggestions

    1. Continuous Monitoring: Implement a CSPM for 24/7 configuration scanning. CSPM is Cloud Security Posture Management -> a type of automated security tool that continuously monitors cloud environments for misconfigurations, vulnerabilities, and compliance violations. It provides visibility, threat detection, and remediation workflows across multi-cloud and hybrid cloud setups, including SaaS, PaaS, and IaaS services.
    2. Least Privilege Access: Default to private. Grant access sparingly.
    3. Data Encryption: For data at rest and in transit.
    4. Automated Alerts: The moment something becomes public, you should know.
    5. Regular Audits: Regularly review access controls and rotate secrets.

  • Cdr Praveen Kumar

    Group CISO| Cybersecurity Leader | Veteran (Indian Navy)|Building Futuristic Cyber Security Solutions | Digital Transformation Strategist | ISB & IIT Alumnus | Information Security | Speaker & Mentor| AI Security

    6,183 followers

    The fundamental divide between traditional SOC operations and cloud security operations represents a critical gap in the cybersecurity industry that emerged from the rapid migration from data centers to cloud environments. Traditional SOCs operate on centralized, perimeter-based security models designed for static, predictable infrastructure, while cloud security demands entirely different approaches to handle distributed, dynamic environments with ephemeral workloads and shared responsibility models. This shift has created a severe skills crisis, with 38.9% of organizations identifying cloud security as their most significant skills shortage and nearly 4.8 million cybersecurity jobs remaining unfilled globally. The complexity of multi-cloud environments, lack of centralized visibility, and the need for continuous configuration monitoring have exposed organizations to new attack surfaces that traditional security tools cannot adequately address. Unlike data centers where organizations maintain complete physical and logical control, cloud environments require specialized expertise in identity-centric security, API protection, and automated compliance monitoring under complex shared responsibility models. Organizations must bridge this gap through comprehensive cloud security programs, cloud security tools, Zero Trust architectures, and recognition that cloud security is not simply an extension of traditional practices but requires fundamental transformation in skills, processes, and organizational culture to effectively protect digital assets in our increasingly cloud-centric world.

  • Nathaniel Alagbe CISA CISM CISSP CRISC CFE AAIA FCA

    IT Audit & GRC Leader | AI & Cloud Security | Cybersecurity | I Help Organizations Turn Complex Risk into Executive-Ready Intelligence.

    20,988 followers

    Dear IT Auditor,

    Cloud Security Misconfigurations: An IT Auditor’s Perspective

    Cloud adoption has unlocked agility, scalability, and cost savings, but it has also introduced one of the most pervasive risks: misconfiguration. Many cloud breaches aren’t caused by hackers exploiting sophisticated vulnerabilities. Instead, they stem from something as simple as a misconfigured storage bucket, overly permissive access policy, or unmonitored API. For IT auditors, the role is not to become cloud engineers but to understand where the risks lie and how to evaluate them.

    📌 Inventory of Cloud Assets: Begin by verifying whether the organization maintains a complete and up-to-date inventory of cloud services. Shadow IT often leads to unsanctioned services bypassing security reviews. An incomplete inventory is an immediate red flag.
    📌 Access Management Risks: Cloud misconfigurations often involve “open to the world” settings. Auditors should test IAM (Identity and Access Management) policies for least privilege, role segregation, and MFA enforcement. Review logs of administrative activity to detect privilege abuse.
    📌 Storage and Data Exposure: Misconfigured storage buckets, databases, or data lakes can leave sensitive data publicly accessible. Audit evidence includes configuration exports, encryption settings, and access controls. Look specifically for defaults that were never tightened.
    📌 Network Security: Cloud environments are highly configurable. Confirm that firewalls, security groups, and routing tables are aligned with the design. Misconfigured network rules can unintentionally allow external traffic to sensitive workloads.
    📌 Logging and Monitoring: Even the best controls can fail if no one’s watching. Auditors should validate that cloud-native logging (e.g., AWS CloudTrail, Azure Monitor, GCP Audit Logs) is enabled, retained, and reviewed. Misconfigurations often persist because alerts are ignored.
    📌 Automation and Continuous Monitoring: At scale, manual reviews won’t cut it. Strong organizations use automated scanners and CSPM (Cloud Security Posture Management) tools. Auditors should request evidence from these tools to verify that misconfigurations are being detected and remediated.
    📌 Vendor Shared Responsibility: A common misconception is assuming the cloud provider handles all security. Auditors must assess whether the organization understands and documents its responsibilities vs. those of the vendor. Misconfigurations often occur in customers' areas of shared responsibility.

    Cloud misconfigurations aren’t just technical issues; they’re governance gaps. Effective audits in this space provide assurance that organizations aren’t just “lifting and shifting” risks to the cloud but managing them with maturity.

    #CloudSecurity #ITAudit #CyberSecurityAudit #CloudAudit #RiskManagement #InternalAudit #ITControls #ITRisk #GRC #CloudMisconfiguration #ITGovernance #CyberVerge #CyberYard
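An added example, not part of any post on this page: a check over a storage configuration export of the kind the two posts above describe (default to private, alert when something becomes public). It assumes AWS S3 and a hypothetical export layout of one record per bucket; the public access block flag names and policy fields follow S3's own, while the bucket names, account ID and endpoint ID are constructed. The rule is a simplified heuristic, not AWS's full public-policy evaluation.

```python
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample export (bucket names, account ID, endpoint ID are made up).
SAMPLE_EXPORT = json.loads("""[
 {"bucket": "example-db-backups", "public_access_block": null,
  "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-db-backups/*"}]}},
 {"bucket": "example-app-logs",
  "public_access_block": {"BlockPublicAcls": true, "IgnorePublicAcls": true,
                          "BlockPublicPolicy": true, "RestrictPublicBuckets": true},
  "policy": {"Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/log-writer"},
    "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-app-logs/*"}]}},
 {"bucket": "example-partner-drop",
  "public_access_block": {"BlockPublicAcls": true, "IgnorePublicAcls": true,
                          "BlockPublicPolicy": false, "RestrictPublicBuckets": false},
  "policy": {"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-partner-drop/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}}}
]""")


def _as_list(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]


def _wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} style entries."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_bucket(record):
    """Return (exposed, findings) for one exported bucket record."""
    findings = []
    pab = record.get("public_access_block") or {}
    off = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if off:
        findings.append("public access block not fully enabled: " + ", ".join(off))
    exposed = False
    statements = _as_list((record.get("policy") or {}).get("Statement", []))
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _wildcard(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", "?")))
        if stmt.get("Condition"):
            # A Condition may or may not narrow access; leave that to a person.
            findings.append(f"wildcard principal with Condition ({actions}): review manually")
        elif pab.get("RestrictPublicBuckets"):
            findings.append(f"anonymous Allow ({actions}) held back only by RestrictPublicBuckets")
        else:
            exposed = True
            findings.append(f"anonymous Allow with no Condition ({actions})")
    return exposed, findings


def audit_export(records):
    return {r["bucket"]: audit_bucket(r) for r in records}


if __name__ == "__main__":
    for name, (exposed, findings) in audit_export(SAMPLE_EXPORT).items():
        print("EXPOSED" if exposed else "ok     ", name)
        for finding in findings:
            print("   -", finding)
```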

  • Zinet Kemal, M.S.c

    Mom of 4 | Senior Cloud Security Engineer | TEDx Speaker | Author | LinkedIn Instructor | AIGP | CISA | CCSK | AWS Security Speciality | I help parents & educators protect the youth online

    36,200 followers

    2024 State of Cloud Security Study Key Insights

    A great morning read from Datadog ‘analyzed security posture data from a sample of thousands of organizations that use AWS, Azure, or Google Cloud.’

    ↗️ Long-lived credentials -> remain a security risk, with 60% of AWS IAM users having access keys older than one year. Unused credentials are widespread, increasing attack surfaces across all cloud providers (AWS, Azure, GCP).
    Recommendation -> Shift to temporary, time-bound credentials & centralized identity management solutions.

    ↗️ Public access blocks on cloud storage increasing
    AWS S3 & Azure Blob Storage are increasingly using public access blocks, with S3 seeing 79% of buckets proactively secured.
    Recommendation -> Enable account-level public access blocks to minimize risks of accidental data exposure.

    ↗️ IMDSv2 adoption growing
    AWS EC2 instances enforcing IMDSv2 have grown from 25% to 47%, yet many instances remain vulnerable.
    Recommendation -> Enforce IMDSv2 across all EC2 instances & use regional settings for secure defaults.

    ↗️ Managed Kubernetes clusters
    Many clusters (almost 50% on AWS) expose APIs publicly, with insecure default configurations risking attacks.
    Recommendation -> Use private networks, enforce audit logs, & limit permissions on Kubernetes worker nodes.

    ↗️ 3rd-Party integrations pose supply chain risk
    10% of third-party IAM roles are overprivileged, creating risks of AWS account takeover.
    Recommendation -> Limit permissions, enforce External IDs, & remove unused third-party roles.

    ↗️ Most cloud incidents caused by compromised cloud credentials
    Cloud incidents are often triggered by compromised credentials, particularly in AWS, Azure, & Entra ID environments.
    Patterns of Attack
    + Compromised identities
    + Escalation via GetFederationToken
    + Service enumeration
    + Reselling access
    + Persistence techniques
    Microsoft 365 -> Credential stuffing, bypassing MFA, & malicious OAuth apps for email exfiltration.
    Google Cloud -> Attackers leverage VPNs & proxies for crypto mining and follow common attack patterns.
    Recommendations -> Implement strong identity controls & monitor API changes that attackers may exploit.

    ↗️ Many cloud workloads are excessively privileged or run in risky configurations
    Overprivileged cloud workloads expose organizations to significant risks, including full account compromise & data breaches.
    Recommendation -> Enforce least privilege principles on all workloads. Use non-default service accounts with tailored permissions in Google Cloud. Avoid running production workloads in AWS Organization management accounts.

    The study shows improved adoption of secure cloud configurations -> better awareness + enforcement of secure defaults. However, risky credentials & common misconfigurations in cloud infrastructure remain significant entry points for attackers.

    P.s. use the info to strengthen your org cloud security posture.

    Full study report in the comment ⬇️

    #cloudsecurity #cloudsec #cybersecurity
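An added example, not part of the post above or of the Datadog study: finding the long-lived and unused access keys the post describes by parsing an AWS IAM credential report. The column names follow the credential report's CSV layout (a subset is shown); the users, account ID and dates are constructed, and the 90-day idle window is an assumption chosen here, not a figure from the study.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=365)  # "access keys older than one year"
MAX_IDLE = timedelta(days=90)      # assumption: idle window for "unused"

# Constructed sample rows in the credential report's column layout.
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,true,2022-03-01T00:00:00+00:00,2024-10-30T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2024-09-01T00:00:00+00:00,2024-10-29T00:00:00+00:00,true,2023-01-15T00:00:00+00:00,N/A
legacy-batch,arn:aws:iam::111122223333:user/legacy-batch,false,true,2021-06-10T00:00:00+00:00,2023-02-01T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,N/A,N/A,false,N/A,N/A
"""


def _timestamp(value):
    """Parse a report timestamp; the report uses placeholders for 'no value'."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def stale_keys(report_csv, now):
    """Return (user, key slot, reasons) for each active key that is old or idle."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active") != "true":
                continue  # inactive keys cannot be used to authenticate
            rotated = _timestamp(row[f"access_key_{slot}_last_rotated"])
            used = _timestamp(row[f"access_key_{slot}_last_used_date"])
            reasons = []
            if rotated and now - rotated > MAX_KEY_AGE:
                reasons.append(f"age {(now - rotated).days}d")
            if used is None:
                reasons.append("never used")
            elif now - used > MAX_IDLE:
                reasons.append(f"idle {(now - used).days}d")
            if reasons:
                findings.append((row["user"], f"key{slot}", reasons))
    return findings


if __name__ == "__main__":
    as_of = datetime(2024, 11, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for user, key, reasons in stale_keys(SAMPLE_REPORT, as_of):
        print(f"{user:14} {key}  {', '.join(reasons)}")
```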

  • Darren Grayson Chng

    Regional Director | Privacy, AI, Cyber | Former Regulator | AI Law & IEEE AI Peer Reviewer | ISO 42001, AIGP

    10,001 followers

    Here's the last post sharing what I spoke about during PDP Week. Our moderator Christopher (2024 Global Vanguard Award for Asia) comes up with the most creative titles for panel discussions. He called this one 'Weather Forecast: Cloudy with a Chance of Breach'. Together with Aparna and Abhishek, we talked about privacy and security in the cloud.

    1. Who do you typically engage with IRT privacy and security for the cloud? I wanted to dispel the misconception that if a company engages a cloud service provider (CSP) to store your data, they are responsible for privacy and security, and the company doesn't need to do anything. Generally, the cloud customer is still responsible for security in the cloud e.g. configuring user access to data, services that the customer uses. The CSP is responsible for security of the cloud e.g. physical protection of servers, patching flaws. This is known as "shared responsibility" between the CSP and cloud customer. The extent of each party's responsibilities depends on the deployment used e.g. SaaS, PaaS, IaaS.

    2. Shared responsibility also applies within organisations e.g.
       - IT helps with technical implementation and maintenance of cloud services
       - IT security helps protect data from unauthorised access
       - Privacy, Legal, and Compliance provide guidance on compliance with laws, and ensure that contracts with CSPs and vendors include privacy and security clauses

    3. What tools/processes are involved in privacy considerations for securing cloud use? They include a Privacy Impact Assessment when e.g. new cloud services are used to process sensitive data, when cloud use involves data transfers to various countries. Privacy management tools include encryption, anonymisation, pseudonymisation, access controls. CSPs usually make audit reports available to prospective and current customers, you can request for them. Also, have a well defined incident response plan.

    4. How do you implement and manage breach or incident response for the multi-cloud? Multi-cloud environments can be challenging, because each CSP may have its own set of interfaces, tools, processes for incident response. You need to develop a unified incident response framework that can be applied across all cloud providers, which defines standard procedures for detecting, reporting, and responding to incidents, and which can enable collaboration between different cloud environments. The framework must facilitate internal coordination between various teams, as well as external coordination with CSPs. CSPs play a critical role in incident response, as they control the infrastructure and have visibility into their own environments. Ensure that roles and responsibilities are clearly defined, that you understand your legal obligations IRT breach notification e.g. who you need to notify and by when. Get corp comms' help with communication strategies vis-a-vis affected parties, regulators, staff, and other stakeholders.

    #APF24

  • Rajneesh Malviya

    Executive Vice President, Service Offering Head / Global Head of Delivery - Financial Services & Head - India Development Centers

    12,908 followers

    Migrating to the cloud is not an 'if' but a 'when'. Financial services must thoroughly plan and execute large-scale migrations, paying particular attention to safeguarding sensitive financial data and maintaining regulatory compliance.

    Take DBS Bank in Singapore, for example. By migrating their data center to the cloud, they achieved a significant reduction in data center running costs. This freed up resources for innovation and improved customer service. Another example, TAB bank in Utah leveraged the cloud to streamline loan origination and significantly reduce loan closing times, minimizing disruptions.

    Here's how to ensure a secure and compliant cloud migration for financial services using real-world examples:

    1. Holistic Risk Assessment: Identify and mitigate potential security vulnerabilities (e.g., data breaches), data privacy concerns (e.g., customer consent management), ransomware attacks.
    2. Regulatory compliance issues: Assess compliance with industry-specific regulations such as Europe's GDPR and operational standards like DORA. Ensure adherence to data residency requirements and other regulatory mandates.
    3. Data Centric Security: Implement robust encryption throughout the migration process, both in transit and at rest. Regular penetration testing and vulnerability assessments are crucial, just like the World Bank does to secure its cloud-based Office 365 environment.
    4. Compliance as Code: Automate compliance checks to ensure continuous adherence to regulations. This approach streamlines the process and reduces human error.

    Any examples that you'd like to share?

    #CloudMigration #FinancialServices #TechnologyLeadership #DataSecurity #Compliance

  • Mahshad Goharian

    Infrastructure & Virtualization Expert | VMware Specialist | IT Support & Data Center Professional | Open to Global Opportunities

    3,528 followers

    Most cloud breaches don't start with hackers. They start with us.

    I've been reading a solid breakdown on cloud security threats by Abhishek Kumar Choudhary, Rahul Saini, and Roshan Bhangare. And honestly, it's a good reminder of what we keep ignoring.

    Here's the thing. We spend millions on firewalls and detection tools. But the real vulnerabilities? They're much simpler.

    Unauthorized Access - Cloud infrastructure sits outside your network perimeter. It's directly exposed to the internet. One misconfigured security group and you've got a problem.

    Account Hijacking - Weak passwords and password reuse. That's it. A single stolen credential can unlock multiple accounts. We know this. We still do it.

    External Data Sharing - The cloud makes sharing easy. Too easy. That "anyone with link" option? It's a security incident waiting to happen.

    Lack of Visibility - Your traditional monitoring tools don't work in the cloud. And most teams don't have cloud-focused alternatives in place. You can't protect what you can't see.

    The pattern is clear. It's not zero-days or sophisticated attacks. It's basic stuff we skip because we're busy. I've seen this in production environments more times than I'd like to admit.

    What's the most overlooked cloud security threat you've seen in your organization, and how did you discover it?

    #smenode #smenodelabs #smenodeacademy

  • Christophe Limpalair

    Cloud Security Training & Consulting ☁️ Cybr.com

    19,992 followers

    The CSA recently released a new report that shows top threats to cloud computing in 2024. Thales also released a report that describes top reasons for breaches in the cloud. 🧐

    Here’s a summary and what you should know:

    Overall, “The survey […] shows a continuing drop in the ranking of traditional cloud security issues that are the responsibility of cloud service providers [...]” 🙌

    Focusing on the top 4 from CSA, we have:
    📌 Misconfiguration & inadequate change control
    📌 Identity & Access Management (#IAM) ← why do you think I’m constantly talking about this and have entire courses & labs dedicated to this topic? 😉
    📌 Insecure interfaces and #APIs
    📌 Inadequate #cloudsecurity Strategy

    ⛔️ Misconfiguration & Inadequate Change Control ⛔️
    ➡️ What this is: “Inadequate change control [...] can lead to improper configurations that remain undetected” “Misconfigurations are the incorrect or sub-optimal setup of cloud computing assets that can leave them vulnerable to unintended damage or external/internal malicious activity. Lack of cloud system knowledge or understanding of cloud security settings and nefarious intentions can result in misconfigurations” (train your team, folks 😉)
    💡 Examples:
    - Secrets management
    - Disabled monitoring/logging
    - Ports/services left open/running
    - Storage access
    - Subdomain hijacking
    Etc…

    ⛔️ Identity & Access Management (IAM) ⛔️
    I cover this a lot in other posts, workshops, training, etc, so I won’t expand on it here.

    ⛔️ Insecure Interfaces & APIs ⛔️
    ➡️ What this is: “APIs and UIs become vulnerable for various reasons”
    💡 Examples:
    - Inadequate authentication
    - Lack of encryption
    - Insufficient input validation
    - Poor logging and monitoring
    - Outdated or unpatched software
    etc…

    ⛔️ Inadequate Cloud Security Strategy ⛔️
    ➡️ What this is: Strategically thinking about cloud deployments beforehand by “considering external factors, existing implementation, and selection of cloud technologies, priorities, and trends toward creating a high-level plan or approach.”
    💡 Examples: Worries about vendor lock-in, out-of-control costs, picking the right tool/service for requirements today and in the future, etc…

    👉👉 Shifting to the root causes from Thales, there are three I want to highlight because they have a common cause (human error):
    📌 31% due to a misconfiguration or human error
    📌 28% due to exploitation of a known vuln
    📌 17% due to failure to use MFA for privileged user accounts

    🙋♂️ I’d love to hear from you. What do you think about these results? Do they accurately represent your challenges? What do you think leads to the top cloud threats and root causes of cloud data breaches? Let me know in the comments below!

    Also, be sure to share this with your colleagues. This is important info!

  • Vasu Maganti

    𝗖𝗘𝗢 @ Zelarsoft | Driving Profitability and Innovation Through Technology | Cloud Native Infrastructure and Product Development Expert | Proven Track Record in Tech Transformation and Growth

    23,428 followers

    The cloud scales 𝗲𝘃𝗲𝗿𝘆𝘁𝗵𝗶𝗻𝗴. Your app, your user base... including every bad decision you’ve made along the way.

    I’m tired of hearing things like:
    “The cloud will make us more efficient!”
    “Pay-as-you-go will save us money!”
    “We’ll fix the problems later—let’s just migrate first.”

    Let me stop you right there. The cloud 𝘄𝗼𝗻’𝘁 𝘀𝗮𝘃𝗲 𝘆𝗼𝘂. It’ll magnify whatever mess you’re already dealing with. Inefficiency? Now it’s cloud-scale inefficiency. Costs? Hope you like paying triple. Poor security? Now you’re one breach away from disaster.

    Cloud adoption isn’t about flipping a switch. It’s about setting your team up for success—before you even start. Here’s what’s worked for me:

    👉 𝗣𝗹𝗮𝗻 𝗳𝗼𝗿 𝗖𝗼𝘀𝘁𝘀 𝗘𝗮𝗿𝗹𝘆. Don’t wait until the CFO is breathing down your neck to start caring about cloud spend. Use tools like AWS Cost Explorer or Datadog to stay on top of it.
    👉 𝗘𝗺𝗽𝗼𝘄𝗲𝗿 𝗧𝗲𝗮𝗺𝘀 𝘄𝗶𝘁𝗵 𝗚𝘂𝗮𝗿𝗱𝗿𝗮𝗶𝗹𝘀. Tools like Terraform let teams self-serve resources without creating a mess.
    👉 𝗚𝗲𝘁 𝗢𝗯𝘀𝗲𝗿𝘃𝗮𝗯𝗶𝗹𝗶𝘁𝘆. Tools like Datadog and Prometheus help your team find and fix problems fast. And trust me, fast fixes save everyone’s sanity.
    👉 𝗕𝗮𝗸𝗲 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗜𝗻. Use tools like HashiCorp Vault to manage secrets, and make sure every workflow has security checks built-in.

    You can’t half-ass your way into a successful migration. Plan ahead. Build smart. Fix your house before you move it.

    What’s your top tip for cloud migration?

    #CloudMigration #CloudNative #DevOps #Infrastructure

    Zelar - Secure and innovate your cloud-native journey. Follow me for insights on DevOps and tech innovation.
