Cloud Migration with Legacy IT Systems: Overcoming Hurdles
Migration to the cloud is seen as a way to simplify IT, but legacy systems may not allow for simple lift-and-shift cloud migration. Mark Kedgley of Netwrix discusses why it’s important to consider private vs public cloud and the implications for security, cost and scalability.
We are all moving toward cloud-delivered IT. If you can get an application off the shelf, SaaS is attractive for its relative simplicity and ease of deployment and maintenance. If you need to develop an application in-house, you will likely want to embrace modern cloud and container-based computing models, with a DevOps pipeline incorporating automated, continuous testing and image deployment.
But in the real world, most of us also have systems that pre-date the cloud and don’t allow a simple lift-and-shift cloud migration. So, while migration to the cloud is generally seen as a means of simplifying IT, it can actually make life more complicated since IT teams need to manage both cloud and legacy systems consistently. Indeed, according to the Netwrix Cloud Security Report, the top factor slowing down cloud adoption (named by 41% of respondents) is integration with the existing IT environment.
As of 2023, 73% of organizations already have a hybrid IT infrastructure. Of the organizations that are currently on-premises only, 37% plan to adopt cloud technologies within the next 12 months. This means that for most organizations, it is vital to learn how to use the cloud effectively yet securely.
The Private Cloud, the Public Cloud and the Hybrid Cloud
When it comes to cloud architecture, there are two main options: private cloud and public cloud. However, you may need a combination of the two, known as a hybrid cloud. Your choice has implications across a range of concerns, including cost, scalability, security and compliance.
Private cloud means that you have your own cloud infrastructure, built and managed by your internal IT team. This approach typically gives more control over your data and infrastructure, but flexibility comes at a cost: managing these systems requires more hardware, software, and personnel resources. In addition, the total cost of ownership of a private cloud includes ongoing maintenance, upgrades, and support.
Operating in a public cloud, on the other hand, means that you are using a cloud service provider’s infrastructure to host your data and applications. This option is more convenient and cost-effective, but it also comes with some limitations in terms of customization and control. What’s more, security responsibilities are split between your cloud service provider and your own IT team. You do not get the chance to negotiate who takes care of what; as a client, you just accept their terms and conditions. Therefore, to avoid security gaps, you need to pay special attention to which areas are your responsibility.
If you have specific security or compliance requirements (such as HIPAA), operating in your own cloud may be preferable. However, if you need to scale quickly or don’t have the resources to manage your own cloud infrastructure, a public cloud will usually make life simpler.
Security Specifics of Being 100% Cloud-based
In a 100% cloud-based IT model, security is multi-faceted. On the one hand, cloud service providers have robust security measures in place. Indeed, many will carry SOC 2 certification, meaning that the service provider, their infrastructure and their operating procedures have been audited and judged to have reached a sufficiently high level of security.
On the other hand, as a tenant, you need to take additional measures to ensure the security of your applications and data. One of the most important strategies is a Zero Trust approach. This is not a new security control specifically for the cloud but a fundamental IT security best practice for ensuring that only authorized users have access to their applications and data and that access is granted on an as-needed basis. This may involve the use of multifactor authentication, access controls and monitoring.
Another important security consideration is encryption. Again, it is not unique to cloud computing, but it is perhaps more acutely important when data is being stored within what is essentially a publicly accessible resource. Ensuring that data is encrypted both in transit and at rest provides protection against data loss even if systems are compromised. Fortunately, encryption is a standard option for many public cloud providers.
Finally, cloud-based organizations also need to think carefully about their backup policy. When you have on-premises servers, you can store backups offline to make it more difficult for attackers to gain access to them. When all your data is in the cloud, make sure to store your backups in another cloud. For example, if you have Microsoft app data, do not store your backups in Azure.
Legacy IT Systems: Can’t Live With ’em, Can’t Live Without ’em
If you need only modern Windows or Linux platforms, you can do anything you want using any combination of public and private cloud. However, moving completely to the cloud may not be an option if you are still tied to legacy platforms — older Linux or Unix versions, or even things like iSeries and mainframe.
What’s more, these systems need the most protection since they are, well, legacy! No patches or updates will be available as such systems are often no longer supported by vendors. In addition, you may well be limited to outdated encryption technologies.
As a result, you need to be vigilant and adopt a multi-layered approach to system hardening and compensating security controls. These controls may include firewalls, jump servers, proxied connections and virtualized desktop access, to name a few. Consider isolating legacy systems from the rest of the network to significantly reduce the attack surface and make it harder for an attacker to penetrate other parts of your organization’s IT environment.
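One way to check the isolation described above, as an added example that is not from the original article: a Python audit over a constructed firewall rule export that flags any allow rule reaching the legacy segment from anything other than the jump server, or letting the legacy segment initiate connections outward. The subnet, jump-server address, admin port and rule format are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the article).
LEGACY_NET = ipaddress.ip_network("10.50.0.0/24")   # isolated legacy segment
JUMP_HOSTS = {ipaddress.ip_address("10.10.0.5")}    # approved jump server
ADMIN_PORTS = {22}                                  # ports the jump server may use

# Constructed rule export; each allow rule is judged on its own,
# so first-match rule ordering is deliberately not modelled.
RULES = [
    {"id": "r1", "action": "allow", "src": "10.10.0.5/32", "dst": "10.50.0.0/24", "port": 22},
    {"id": "r2", "action": "allow", "src": "10.20.0.0/16", "dst": "10.50.0.10/32", "port": 23},
    {"id": "r3", "action": "allow", "src": "10.50.0.0/24", "dst": "0.0.0.0/0", "port": 443},
    {"id": "r4", "action": "deny", "src": "0.0.0.0/0", "dst": "10.50.0.0/24", "port": None},
    {"id": "r5", "action": "allow", "src": "10.20.0.0/16", "dst": "10.30.0.0/16", "port": 443},
]

def is_jump_source(net):
    """True only for a single-host source that is an approved jump server."""
    return net.num_addresses == 1 and net.network_address in JUMP_HOSTS

def audit(rules):
    """Return (rule id, finding) pairs for allow rules that break isolation."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        # Inbound: traffic can reach the legacy segment from outside it.
        if dst.overlaps(LEGACY_NET) and not src.subnet_of(LEGACY_NET):
            if not is_jump_source(src):
                findings.append((rule["id"], "inbound-not-via-jump-server"))
            elif rule["port"] not in ADMIN_PORTS:
                findings.append((rule["id"], "jump-server-unapproved-port"))
        # Outbound: the legacy segment can open connections to other networks.
        if src.overlaps(LEGACY_NET) and not dst.subnet_of(LEGACY_NET):
            findings.append((rule["id"], "legacy-initiated-outbound"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in audit(RULES):
        print(rule_id, finding)
```
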
Choosing the Right Cloud
Cloud architecture is fundamentally different from on-premises architecture, and it requires a different approach to design, implementation and management. When moving to the cloud, organizations need to carefully consider the differences between operating in their own cloud versus a public cloud, including implications for security, cost and scalability.
IT pros must take steps to ensure the security and availability of cloud-based applications and data, paying close attention to what the cloud provider is and is not responsible for. A Zero Trust approach can be particularly valuable. If you need to maintain legacy systems, then you are going to have to rely more heavily on fundamental security controls like system hardening and access control.