18. Top 5 Things to Do When You're Lifting & Shifting Workloads to the Cloud (and a bonus one)

Earlier this week, someone asked me for my top 5-10 things I would recommend to an organization lifting & shifting workloads to public cloud. I thought that was a good starting point. “Refactor” for cloud-native is the common answer, but the reality is that everybody lifts & shifts, so why not recognize that.

So, here are my top 5... and I'll add a sixth as a bonus.

  1. Centralize and automate cloud account creation and billing, and ensure that all are in your public cloud Organization. This will allow you to apply policies centrally, and more easily deploy cloud-native security tooling.

  2. Apply cloud guardrails at that Organization level to apply basic preventative controls and make your cloud accounts behave more secure-by-default. These are likely the cheapest and most effective security controls you can apply to enforce logging, encryption standards, network restrictions, MFA enforcement, etc.

  3. Get a Cloud-Native Application Protection Platform (CNAPP). This can be deployed via Organization policy and provides broad visibility to your cloud estate, across providers and for multiple use cases, including asset discovery, CSPM and vulnerability management.

  4. Related to that, while lifting & shifting your workloads, resist the urge to lift & shift your secure tooling from the data center. Look at what the CNAPP gives you, and see whether you may not be able to rationalize your security stack, retire point solutions you no longer need, and reduce cost.

  5. Cloud APIs give you the opportunity to describe the infrastructure and services you want and have the cloud materialize that for you, rather than do everything yourself. It is designed for automation. Use Infrastructure-as-Code (IaC) to create your infrastructure, network and service configuration, create compute instances and deploy your VM images. IaC allows you to redeploy from known-good state, which accelerates patching, system configuration and restoration, while making deployments more predictable.

The Cloud is Metered

One bonus recommendation, given the difference between owned and rented compute, network and storage resources. Remember that everything in the cloud is metered and that your architectural choices have potential significant cost impacts. Don't size like in data centers with head room to spare. Figure out what your workload needs. Smaller instances but many of them may be cheaper than fewer large instances. If the workload is variable (seasonal, variable during the day), consider autoscaling. If the workload is static, use reserved instances at lower cost.

And after you have done all that, feel free to refactor!

cloud security posts without corporate approval @jaythvv@infosec.exchange