Fidelis Cybersecurity
Fidelis Blog


Securing Lift-and-Shift Migrations for Business-Critical Workloads

The widespread adoption of public cloud to replace or augment on-premises architecture has given rise to “lift-and-shift” migrations. This approach offers a rapid path to the benefits of public cloud, including flexible, on-demand resource provisioning, pay-as-you-go services, and access to a growing variety of cloud services. However, workloads formerly protected in on-premises environments may be vulnerable to new security threats if not properly secured during and after the lift-and-shift process.

Before your next workload migration, take advantage of the experience in this guide and watch our on-demand webinar, “Securing Lift-and-Shift Migrations.”

Lift-and-Shift Accelerates Public Cloud Adoption

Over the past decades, businesses have moved from dipping a toe into the public cloud, using it for backups, disaster recovery, and non-critical workloads, to all-in adoption. Many companies now use the public cloud as their primary infrastructure. As public cloud has become mainstream, businesses are trusting the platform to run their critical workloads.

Figure: Lift-and-shift accelerates your move to the cloud

There are three common strategies when moving to the cloud: build from scratch, refactor, and lift-and-shift. While born-in-the-cloud and refactored applications can natively use many modern cloud services, they require significant development, resource, and time commitments. The payoff isn’t always worth the cost, especially for legacy applications targeted for eventual replacement. Lift-and-shift migrations accelerate cloud adoption by moving fully-functioning application stacks as-is to IaaS or serverless architectures, and simply redirecting users or connected APIs to the new location. Once an application stack is established in the cloud, refactoring or replacement can happen over time, in a controlled manner, without impacting day-to-day operations.

Moving to the Cloud Requires Strategic Thinking

Because cloud environments are diverse, dynamic, and distributed, cloud security requires a significantly different approach from traditional, on-premises infrastructures. Organizations need to think strategically about emerging architectures and operational processes to stay ahead of security threats in the cloud. By taking into account new technical considerations and operational models, you can prepare your team to secure the new systems, components, and operations that make up the cloud environment that is targeted for your lift-and-shift workload migrations.

Additionally, your security team will be better prepared to support your cloud environments when included from the beginning of your lift-and-shift migration efforts. Your security team is best positioned when it can enable cloud adoption securely and support your operations and development teams as they move workloads into the cloud.

Figure: Cloud platforms and the resulting new operational models mean new security considerations

New Security Considerations for Lift-and-Shift Applications

The attackable surface in the public cloud is vastly different from that of a traditional data center environment. With resources and environments that can be provisioned on the fly, one successful intrusion can cause a ripple effect that quickly spreads through cloud workloads. Traditional, on-premises point security tools and control frameworks are often blind to many new threats unique to cloud environments.

Throughout and beyond a lift-and-shift migration, cloud security considerations must become a top priority and an integral part of the process. You’ll need to think about the attack surface and the list of assets that need to be protected in your cloud environment. By limiting and minimizing the blast radius, you can also control the potential for lateral movement of bad actors and ripple effects that are cloud-specific concerns.

As you lift and shift your applications to the cloud, you’ll want to keep in mind the following new architecture and strategy considerations:

The cloud control plane

The cloud, by nature, is a highly secure environment, assuming your cloud resources are correctly configured through the control plane. According to Gartner, a full 99% of cloud security failures are the user’s fault. While cloud resources function similarly to on-premises infrastructure once they’re up and running, configuration and management through the control plane require adherence to cloud security best practices to ensure proper workload protection.

Software-defined environments

In the cloud, everything is a configurable object, including networking, software, storage, compute, and even users. Identities drive everything from environment creation to workload access, and identity and access management is the glue that holds everything together. Even in a lift-and-shift migration, role-based access and user privileges become a larger conversation that moves well beyond application access. The legacy access strategies used on-premises, typically based on least-privilege access, can result in security gaps and blind spots when moved as-is to the cloud. Software-defined environments require new ways of thinking about access management to close the gaps and provide better security for your cloud workloads.

Understanding the new perimeter

Traditionally, information security relied on the idea of a secured network perimeter. You had a trusted group of users behind your firewall and inside your network, and you relied on role-based, least-privilege access to a fixed set of resources. These controls, along with point security products and monitoring tools, kept the external “bad actors” outside of your network. Your network perimeter changes with the move to the cloud. With dynamic, software-defined resources and environments, you need to redefine the ideas of trust and access control for your lift-and-shift workloads. Automated access management and asset configuration strategies can close cloud security blind spots and keep your workloads safer in a dynamic and distributed environment.

Unified security controls and the benefits of automation

While workloads in traditional data center environments might not have necessitated unified, automated security solutions, once they shift to the cloud, point solutions and manual processes won’t keep up. As your cloud strategy matures, it will invariably become more complex. Maintaining a strong security posture requires unified, automated, elastic capabilities that keep up with cloud resources’ expansive and dynamic nature. By consolidating key functions into a single security platform and preparing for automation with bi-directional APIs, you can increase the agility and effectiveness of your security and compliance program. With your unified and automated platform, you can secure your architecture no matter how fast it grows or changes.

Figure: Unified cloud security controls, driven by automation, help close gaps and illuminate blind spots

Three Tips for a Secure Migration

  1. Make sure you have visibility into the cloud environments that will run the workload
    Your cloud provider offers you access to diverse capabilities, including containerization, elastic and expansive server configuration, and software-defined everything. Your lift-and-shift migration might be a one-for-one move to the cloud. However, you might also make immediate use of cloud-native features, such as cloud databases, software-defined networking and storage, or dynamic memory or processing allocation based on application load. And you’ll also find many beneficial platform-as-a-service (PaaS) offerings that become available once your workload runs in a cloud environment. Verify that your security team has visibility into all cloud resources beyond the server hosting application binaries.
  2. Verify that you can see environment configurations in the cloud control plane
    When it comes to cloud security, it’s not enough to just have visibility into your applications’ and workloads’ runtime aspects. As seen above, cloud configuration is the most common weak spot in cloud security. Knowing how, where, and when resources are configured through the control plane is critical to managing both compliance and potential vulnerabilities. And the sooner you can automate environment creation on a foundation of accepted best practices and rigorous security rules, the better.
  3. Understand the new vulnerabilities and exposures that exist on cloud systems
    Moving to the cloud is significantly more complicated than standing up resources in a remote data center and using them. When you lift and shift your workloads to the cloud, you assume your share of security responsibilities. It’s essential to understand how the risks and responsibilities differ from a data center environment. Your security team, operations, and developers need to work together to understand the risks that come with cloud computing. Together, you can address them head-on with security tools that are purpose-built in the cloud, for the cloud.

Ready to Learn More About Securing Lift-and-Shift Migrations?

In our on-demand webinar, “Securing Lift-and-Shift Migrations,” cloud security experts Dave Shackleford, SANS Institute Sr. Instructor, and Carson Sweet, CloudPassage CEO and co-founder, go into detail, discussing:

  • The differences between securing traditional and cloud environments
  • The shared responsibility model, which defines what your cloud service provider is accountable for securing and what you must secure yourself
  • How to secure the dynamic, diverse, and distributed cloud environment
  • How to make your security controls portable between the data center and cloud
  • A step-by-step process to secure servers pre-migration to achieve a “migrate-clean” outcome
  • A brief demonstration of one automated cloud security solution

You can also follow our blueprint for securing lift-and-shift migrations with CloudPassage Halo.

And as always, if you need help securing your next workload migration, you can contact our security experts, and we can get you started on the right path.
