6 Questions to Ask Along Your Journey to the Cloud

Published 04/11/2022

Written by Robert Clyde, ShardSecure

A few years ago, a question many enterprises wrestled with was whether migrating to the cloud was a worthwhile endeavor. While there are still some server-huggers, enterprises have resoundingly answered “yes” and moved beyond that basic question. Now, as remote workforces become the norm and customer expectations for seamless digital experiences continue to rise, organizations have new questions as they accelerate their move to the cloud and SaaS applications. Here are six questions organizations should be asking along their journey to the cloud:

1. How can we accelerate our move to the cloud?

There is a reason the cloud computing market is expected to reach nearly $1.3 trillion by 2028: the cloud allows organizations to become more efficient, flexible and secure, among other benefits. So, why not be bold in making the move? As enterprises plan their migrations, they should consider investing even more now. If the management team had more resources to invest in the cloud transition, what could they accomplish? It might be better to invest more up front and move faster.

2. What percentage of our business-critical applications are currently running on the cloud?

Even IT leaders who are aware of the cloud’s upside might hesitate to act if bogged down by existing technologies and processes. That is why it is important to swiftly transition business-critical applications to the cloud. After determining the percentage of business-critical apps that are running on the cloud, a logical follow-up question for cloud champions is whether there are plans to make that total 100%. If not, why? If so, when will the last server be turned off?

3. Did we include a third-party supplier risk assessment in our cloud risk assessment?

Relative to third-party risk, the massive SolarWinds attack caught the attention of enterprise leaders. Many now account for third-party supplier risk as part of the risk assessment. Organizations can automatically assess some third-party risks by using tools that block, report, and warn about such risks in the continuous integration and deployment (CI/CD) pipeline. Any major transition done on an aggressive timeframe poses new risks. Further, management must show the board of directors that all major cloud-related risks have been assessed and the appropriate mitigations have been put in place. It is important to call out which risks, if any, might exceed the organization’s risk appetite.

4. Have we identified sensitive data and protected it in the cloud?

Cloud providers operate with a shared responsibility model, which includes varying levels of security responsibility depending on deployment models – IaaS, PaaS, and SaaS. The lines of responsibility for protecting data in the cloud can become blurred. The risk assessment should identify sensitive data stored in the cloud and how well it is protected. Has the organization implemented appropriate and effective data protection solutions like encryption, obfuscation, or microsharding? Does the way the data is stored, used, and protected comply with company policy, industry standards and regulations? For example, microsharding is a three-step process that consists of shredding, mixing, and distributing data across multiple storage repositories. It protects data by making it incomplete, unintelligible, and of no value to unauthorized users, including threat actors, so shared responsibility is a moot point.
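
The three steps described above (shredding, mixing, distributing), as an added toy illustration in Python; it is not ShardSecure's implementation or code from this article. The 4-byte shard size, the round-robin placement, the in-memory dictionaries standing in for storage repositories, and the sample record are all assumptions.

```python
import random
import secrets

SHARD_SIZE = 4  # bytes per microshard; assumed, the article gives no size
# Constructed sample record, not real data.
SAMPLE = b"name=Jane Doe;card=4111111111111111;exp=12/29"

def microshard(data: bytes, n_repos: int, shard_size: int = SHARD_SIZE):
    """Shred, mix and distribute data; return (repos, manifest)."""
    # 1. Shred: cut the data into small fixed-size fragments.
    shards = [data[i:i + shard_size] for i in range(0, len(data), shard_size)]
    # 2. Mix: pick an unpredictable storage order using the OS CSPRNG.
    order = list(range(len(shards)))
    random.SystemRandom().shuffle(order)
    # 3. Distribute: spread the mixed fragments over the repositories
    #    (dicts stand in for separate storage locations).
    repos = [{} for _ in range(n_repos)]
    manifest = [None] * len(shards)
    for slot, idx in enumerate(order):
        repo_id = slot % n_repos          # round-robin placement (assumed)
        key = secrets.token_hex(8)        # opaque object name
        repos[repo_id][key] = shards[idx]
        manifest[idx] = (repo_id, key)    # where fragment idx now lives
    return repos, manifest

def reassemble(repos, manifest) -> bytes:
    """Rebuild the original bytes; requires the manifest and every repo."""
    return b"".join(repos[repo_id][key] for repo_id, key in manifest)

def repo_view(repo) -> bytes:
    """What someone holding only one repository sees: fragments, no order."""
    return b"".join(repo.values())

if __name__ == "__main__":
    repos, manifest = microshard(SAMPLE, n_repos=3)
    for i, repo in enumerate(repos):
        print(f"repo {i}: {repo_view(repo)!r}")
    print("reassembled:", reassemble(repos, manifest))
```

In this sketch the manifest is what turns the fragments back into data, so it is the item that needs the strongest protection and must be stored apart from the repositories.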

5. Have we implemented DevSecOps to develop and deploy cloud applications?

The answer to this must be a strong “yes”. To put it plainly, migrating to the cloud without DevSecOps doesn’t make sense. DevSecOps is the way to successfully implement cloud applications from the standpoints of both security and quality. For organizations on this path, ask probing questions like, what percentage of our CI/CD pipeline is fully automated? Does it include automated unit tests, third-party risk checks, integration tests, security tests, security checks and audit artifacts? Can IT leaders show a simple report illustrating the DevSecOps capability progress over time?

6. Do we have knowledgeable cloud practitioners in place?

Migrating from on-premises servers and infrastructure to the cloud will likely require existing employees to be re-skilled and trained. Independent reviews are critical, and cloud audits performed by credentialed auditors will typically surface significant security and/or compliance risks, particularly given the fast-evolving regulatory landscape for data governance and data privacy.

These questions are just a starting point for keeping cloud journeys on track and successful. In today’s business climate, savvy boards will want to know what their organizations are doing to meet current and future needs. The cloud changes rapidly with new capabilities, and both management and board directors should be curious about what their teams are doing to keep up.

The business landscape has already benefitted from migrating to the cloud and the advantages will continue as that journey progresses. However, organizations need to be mindful that just because they are moving to the cloud does not guarantee success. Related security, risk, and regulatory considerations must be accounted for to realize the intended business benefits.
