Cloud Migration best practices - part 4

This blog series discusses the best practices employed by our technical team when engaging in a cloud migration project. These guidelines have been developed over the years, based on hundreds of workloads migrated to Azure and GCP.

Here are a few of the application-related details to ask about and record for each application during the planning phase of the cloud migration:

  • Application owner
  • Brief description
  • Application type
  • Hosted location (Private, Public, On-prem)
  • Hosted model (IaaS, PaaS, SaaS)
  • Required compliance
  • Required SLA
  • Application monitoring
  • Maintenance window allowed
  • Maintenance window length
  • Maintenance window schedule start
  • Change management process and lead time
  • Change freeze window(s)
  • Application business priority
  • Offline business impact
  • Maximum allowed offline time
  • Migration risk
  • Rollback plan
  • Cutover strategy and executor
  • Recovery time objective
  • Recovery point objective
  • Backup requirements
  • Party responsible for backups
  • GCP backup plan
  • Disaster recovery plan
  • Host name
  • Components (DB, caching, proxy, LB, etc.)
  • External dependencies
  • Required licenses
  • Shared services
  • External download data size and frequency
  • External upload data size and frequency

Contact us today for your FREE Cloud Migration Consultation!

Cloud Migration best practices - part 3

This blog series discusses the best practices employed by our technical team when engaging in a cloud migration project. These guidelines have been developed over the years, based on hundreds of workloads migrated to Azure and GCP.

Planning Phase: Building the foundations

The planning phase is designed to build the foundational Cloud “landing zone” and to pilot and validate the migration approach while aligning on the long-term roadmap.

We’ll help group workloads into migration waves and build a detailed plan for those first workloads.

The plan is necessarily less detailed for later waves. It is iterative: we keep building and maintaining a pipeline of workloads that are ready for migration.

Some key activities that are performed during this phase:

  • Build cloud foundations
  • Define agile process
  • Determine the governance
  • Schedule migration groups
  • Pilot migration

Contact us today for your FREE Cloud Migration Consultation!

Cloud Migration best practices - part 2

This blog series discusses the best practices employed by our technical team when engaging in a cloud migration project. These guidelines have been developed over the years, based on hundreds of workloads migrated to Azure and GCP.

Discovery Phase

The discovery phase uncovers the existing workloads that will need to be migrated, together with the information necessary to determine migration type, level of effort, and application groups.

The goal here is to understand what the customer has and what they want to do with it. We’ll typically gather inventory data for the whole estate in one go, then build a backlog by business unit, data centre location or technology type and gather the business-level detail.

This phase is the starting point of any migration journey, but we often find customers want it as a standalone service.

As part of this discovery phase, the following outputs will be created:

  • Workloads grouped
  • First-mover workloads identified
  • TCO/ROI analysis
  • High-level effort estimations

Contact us today for your FREE Cloud Migration Consultation!

Cloud Migration best practices - part 1

This blog series discusses the best practices employed by our technical team when engaging in a cloud migration project. These guidelines have been developed over the years, based on hundreds of workloads migrated to Azure and GCP.

First mover identification

We’ll look for first movers (workloads that can be moved first) by aggregating the data from the automated inventory tools and from the interviews with application owners.

Here are a few factors to take into consideration when deciding what you can move to the cloud first. Good first movers:

  • Have high business value but are not mission critical
  • Are not a POC
  • Are not edge cases
  • Can be used to build a knowledge base
  • Are managed by central teams
  • Have a supportive application or line-of-business owner who likes spearheading new and innovative projects

Contact us today for your FREE Cloud Migration Consultation!

Google Cloud Security Requirements - part 4

This blog series consists of a detailed set of cloud security requirements that can be used by any organization that wants to implement cloud services securely. The requirements expressed below are cloud agnostic and can be applied to any public cloud, or even to private clouds.

The sub-domain and requirement descriptions are mapped to ISO 27002:2013 controls and standards. The overall theme of this blog series covers all the cloud security controls stated by the NIST 800-53 series.

Domain: Vulnerability and Threat Management

Sub-Domain | Req. Name | Req. Description
Governance and Operating Model | Policy | A policy that includes responsibilities related to threat and vulnerability management, reporting, rating criteria, remediation timelines, and escalation/exception processes shall be established
Governance and Operating Model | Asset Inventory | An asset inventory (including physical systems, virtual systems, and sensitive information) that defines the scope of vulnerability and threat management shall be maintained. A list of technologies able to monitor for vulnerability impacts shall be maintained
Reporting and Analysis | Integration with Risk Management | Vulnerabilities shall be analyzed for their impact on identified risks. Technical vulnerabilities shall be aligned with, and inform, the risks in the risk register and the assessment of control effectiveness
Reporting and Analysis | Patch Management | A patch management strategy and process shall be defined that outlines recurring patch management activities, defines acceptable implementation timelines, requires back-out procedures, tests patches for operational and security implications before deployment, has an exception process for not implementing patches, and has a defined emergency patching process
Vulnerability Testing | Cloud Testing | Regularly scheduled, recurring security testing of the cloud environment shall be conducted. Testing shall follow the cloud provider’s process and guidelines. Client shall require the cloud provider to regularly conduct assessments and remediation and to provide attestation of such to Client. Client shall review provider attestation on a regular basis.

Client shall:
a. Periodically monitor third parties’ compliance with security requirements
b. Supervise and monitor outsourced software development
c. Periodically monitor and review the services, reports, and records provided by third parties
Vulnerability Testing | Code Scanning | Code reviews/scanning to identify potential security issues shall be conducted
Vulnerability Testing | Pre-deployment Testing | Security testing shall be conducted before deployment of changes to code or environment
Vulnerability Testing | Database Testing | Regularly scheduled reviews of database security shall be conducted
Vulnerability Testing | Penetration Testing (Internal) | Regularly scheduled penetration testing of its perimeter and public-facing environment shall be conducted
Vulnerability Testing | Application Testing | Application reviews/testing to identify potential security issues shall be conducted
Vulnerability Testing | Tools and Techniques | Vulnerability scanning tools and techniques shall be deployed that:
a. Promote interoperability among tools and accommodate the virtualization technologies used
b. Automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations; formatting checklists and test procedures and making them transparent; measuring vulnerability impact; and readily updating the list of information system vulnerabilities scanned
c. Analyze vulnerability scan reports and results from security control assessments, and remediate legitimate high-risk vulnerabilities within 30 days and moderate-risk vulnerabilities within 90 days, in accordance with an organizational assessment of risk
d. Share information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)
Threat Intelligence | Vulnerability Monitoring of Assets | Regularly scheduled reviews of the vulnerability management program and of the vulnerabilities it finds shall be conducted
Threat Intelligence | Collection and Dissemination of Alerts | Information system security alerts, advisories, and directives shall be received from designated external organizations and from GCP. In addition, security alerts, advisories, and directives shall be disseminated to all staff with system administration, monitoring, and/or security responsibilities, and security directives shall be implemented in accordance with established time frames. Client shall establish and execute a plan for communicating how, if, and when Client is remediating security issues affecting each customer, and with appropriate regulatory entities as needed. Appropriate contacts with special interest groups, relevant authorities, or other specialist security forums and professional associations shall be maintained
Technical Requirement | OS Support | Scanning of Unix/Linux/BSD, Cisco IOS, Junos, and Windows shall be supported
Technical Requirement | Data Protection | Data shall be stored and transmitted securely
Technical Requirement | Data Access | Access to scanning data shall be restricted to those with a need for it
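The 30-day and 90-day remediation timelines in the Tools and Techniques requirement above are only useful if someone measures scan findings against them. The following Python script is an added example, not part of the original post or of any scanner’s tooling: it takes a list of findings in a simple internal shape (constructed sample data with made-up asset names and check identifiers), computes each finding’s deadline from its severity, and reports open findings that are past their deadline as well as closed findings that were remediated late. The severity-to-days mapping is taken from the requirement text; treating severities the text does not mention (such as "low") as having no timeline is an assumption.

```python
"""Remediation-timeline tracking for vulnerability scan findings.

Added example: applies the 30-day (high) and 90-day (moderate) remediation
limits from the Tools and Techniques requirement to a list of findings and
reports what is overdue or was closed late. The findings are constructed
sample data with made-up asset names and check identifiers.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Days allowed to remediate, by severity, taken from the requirement text.
# Severities not listed (e.g. "low") have no timeline in the text; that is an assumption.
REMEDIATION_DAYS = {"high": 30, "moderate": 90}


@dataclass(frozen=True)
class Finding:
    asset: str                      # host name or resource id
    check_id: str                   # scanner's identifier for the check (constructed)
    severity: str                   # "high", "moderate", "low"
    first_seen: date                # date the scanner first reported it
    remediated: date | None = None  # None while the finding is still open


def deadline(finding: Finding) -> date | None:
    """Remediation deadline for a finding, or None if no timeline applies."""
    days = REMEDIATION_DAYS.get(finding.severity.lower())
    return None if days is None else finding.first_seen + timedelta(days=days)


def overdue_findings(findings, today: date) -> list[tuple[Finding, int]]:
    """Open findings past their deadline, with days overdue, most overdue first."""
    result = []
    for f in findings:
        if f.remediated is not None:
            continue  # closed findings are handled by late_closures()
        due = deadline(f)
        if due is not None and today > due:
            result.append((f, (today - due).days))
    result.sort(key=lambda pair: pair[1], reverse=True)
    return result


def late_closures(findings) -> list[tuple[Finding, int]]:
    """Closed findings that missed their deadline, with days late."""
    result = []
    for f in findings:
        due = deadline(f)
        if f.remediated is not None and due is not None and f.remediated > due:
            result.append((f, (f.remediated - due).days))
    return result


# Constructed sample scan output; dates chosen around a "today" of 2020-05-01.
SAMPLE_FINDINGS = [
    Finding("web-01", "CONSTRUCTED-0001", "high", date(2020, 3, 1)),       # open, due 2020-03-31
    Finding("web-02", "CONSTRUCTED-0002", "moderate", date(2020, 1, 15)),  # open, due 2020-04-14
    Finding("db-01", "CONSTRUCTED-0003", "high", date(2020, 4, 10)),       # open, due 2020-05-10
    Finding("db-01", "CONSTRUCTED-0004", "low", date(2019, 12, 1)),        # open, no timeline
    Finding("app-03", "CONSTRUCTED-0005", "high", date(2020, 2, 1),
            remediated=date(2020, 3, 20)),                                 # closed 18 days late
    Finding("app-03", "CONSTRUCTED-0006", "moderate", date(2020, 2, 1),
            remediated=date(2020, 3, 1)),                                  # closed on time
]
TODAY = date(2020, 5, 1)  # constructed reporting date

if __name__ == "__main__":
    for f, days in overdue_findings(SAMPLE_FINDINGS, TODAY):
        print(f"OVERDUE {days:>3}d  {f.asset}  {f.check_id}  {f.severity}")
    for f, days in late_closures(SAMPLE_FINDINGS):
        print(f"LATE    {days:>3}d  {f.asset}  {f.check_id}  {f.severity}")
```

Feeding real scanner exports into this only requires a loader that maps the export’s columns onto `Finding`; the policy logic stays in `REMEDIATION_DAYS` and `deadline()`, so a change to the timelines is a one-line change.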

Are you ready to audit and secure your Google Cloud environment? Contact our security specialists today!

Google Cloud Security Requirements - part 3

This blog series consists of a detailed set of cloud security requirements that can be used by any organization that wants to implement cloud services securely. The requirements expressed below are cloud agnostic and can be applied to any public cloud, or even to private clouds.

The sub-domain and requirement descriptions are mapped to ISO 27002:2013 controls and standards. The overall theme of this blog series covers all the cloud security controls stated by the NIST 800-53 series.

Domain: Data Protection

Sub-Domain | Req. Name | Req. Description
Privacy Processes and Procedures | User Notification | Privacy policies and procedures, and the purposes for which personal information is collected, used, retained, and disclosed, shall be documented
Privacy Processes and Procedures | Third-Party Usage | Policies and procedures should be in place that include:
a. Disclosing personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the employees and customers
b. Having procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements
c. Taking remedial action in response to misuse of personal information by a third party to whom Client has transferred such information
Data Identification and Classification | Data Ownership & Inventory | Appropriate ownership of data shall be assigned, and procedures established to classify, monitor, and update data in accordance with its classification policies. Policies and procedures shall be in place to inventory, document, and maintain data flows, to ascertain any regulatory or statutory impact and to address any other business risks associated with the data
Data Protection and Monitoring | Handling Procedures | Procedures for labeling, handling, and protecting the confidentiality and integrity of personal information, test data, production data, and data involved in online transactions, to prevent contract disputes and compromise of data, shall be established. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data
Data Protection and Monitoring | Leakage Mitigation | Areas where potential information leakage can occur shall be identified, and appropriate controls to mitigate it shall be implemented
Data Protection and Monitoring | DLP System | A Data Loss Prevention (DLP) system shall be implemented to monitor user interactions with data, analyze data traffic over the network, and scan and inspect enterprise data repositories to identify sensitive content. The DLP system shall integrate with:
a. HTTP/HTTPS proxy server – for HTTP and HTTPS blocking
b. DLP SMTP agent (Message Transfer Agent [MTA]) – for blocking email containing sensitive data
c. Security Information and Event Management (SIEM) solution – for real-time security alerting and analysis
Data Protection and Monitoring | Database Activity Monitoring | Database Activity Monitoring (DAM) tools shall be deployed to monitor and audit all access to sensitive data across heterogeneous database platforms
Data Protection and Monitoring | File Integrity | File integrity/activity monitoring tools shall be deployed to monitor files of all types and detect changes in those files that can lead to increased risk of data compromise
Cryptographic Controls | Encryption Policies | Policies and procedures for the use of strong encryption protocols (e.g., AES-256) for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging), as per applicable legal, statutory, and regulatory compliance obligations, shall be established
Cryptographic Controls | Key Management | Key management shall:
a. Establish policies and procedures for the management of cryptographic keys in the cryptosystem
b. Assign ownership to keys
c. Prevent storage of keys in the cloud
d. Implement segregation of duties for the responsibilities of key management and key usage
Cryptographic Controls | Key Rotation | Automatic key rotation for customer-managed keys shall be enabled
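On Google Cloud, the Key Rotation requirement above can be verified from the key configuration that `gcloud kms keys list --format=json` returns for a key ring. The Python below is an added example, not code from the original post or from Google: it audits a constructed list of key records in that JSON shape against an assumed policy maximum rotation period of 90 days. The field names (`purpose`, `rotationPeriod`, `nextRotationTime`, `primary`) are the real Cloud KMS CryptoKey resource fields; the project, key ring and key names are made up. Cloud KMS only rotates symmetric (`ENCRYPT_DECRYPT`) keys automatically, so the check reports asymmetric keys as needing a manual rotation procedure rather than treating them as compliant or silently skipping them.

```python
"""Audit Cloud KMS key rotation settings against the Key Rotation requirement.

Added example: consumes key records in the JSON shape returned by
`gcloud kms keys list --format=json` and reports keys whose automatic
rotation is missing, too infrequent, or stale. The sample records and the
90-day maximum are constructed/assumed values, not real project output.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

MAX_ROTATION_PERIOD = timedelta(days=90)  # assumed policy value, not from the post

# Constructed sample in the shape Cloud KMS returns, with made-up names.
SAMPLE_KEYS_JSON = json.dumps([
    {   # compliant: symmetric key rotating every 90 days
        "name": "projects/example-project/locations/us-central1/keyRings/app-ring/cryptoKeys/db-key",
        "purpose": "ENCRYPT_DECRYPT",
        "rotationPeriod": "7776000s",
        "nextRotationTime": "2020-07-01T00:00:00Z",
        "primary": {"state": "ENABLED"},
    },
    {   # non-compliant: no automatic rotation configured at all
        "name": "projects/example-project/locations/us-central1/keyRings/app-ring/cryptoKeys/legacy-key",
        "purpose": "ENCRYPT_DECRYPT",
        "primary": {"state": "ENABLED"},
    },
    {   # non-compliant: rotates, but only once a year
        "name": "projects/example-project/locations/us-central1/keyRings/app-ring/cryptoKeys/slow-key",
        "purpose": "ENCRYPT_DECRYPT",
        "rotationPeriod": "31536000s",
        "nextRotationTime": "2021-01-01T00:00:00Z",
        "primary": {"state": "ENABLED"},
    },
    {   # asymmetric key: Cloud KMS cannot rotate it automatically
        "name": "projects/example-project/locations/us-central1/keyRings/app-ring/cryptoKeys/signing-key",
        "purpose": "ASYMMETRIC_SIGN",
        "versionTemplate": {"algorithm": "EC_SIGN_P256_SHA256", "protectionLevel": "SOFTWARE"},
    },
])
NOW = datetime(2020, 5, 1, tzinfo=timezone.utc)  # constructed "current time" for the sample


def parse_duration(value: str) -> timedelta:
    """Parse a protobuf Duration string such as '7776000s'."""
    if not value.endswith("s"):
        raise ValueError(f"unexpected duration format: {value!r}")
    return timedelta(seconds=float(value[:-1]))


def parse_timestamp(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; fromisoformat() wants '+00:00' rather than 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_key(key: dict, now: datetime) -> list[str]:
    """Return the findings for one key; an empty list means it is compliant."""
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        # Only symmetric keys support automatic rotation in Cloud KMS.
        return [f"{key.get('purpose')} key cannot rotate automatically; a manual rotation schedule is required"]
    findings = []
    period = key.get("rotationPeriod")
    if period is None:
        findings.append("automatic rotation disabled (no rotationPeriod set)")
        return findings
    rotation = parse_duration(period)
    if rotation > MAX_ROTATION_PERIOD:
        findings.append(f"rotation period {rotation.days}d exceeds policy maximum of {MAX_ROTATION_PERIOD.days}d")
    next_rotation = key.get("nextRotationTime")
    if next_rotation is None:
        findings.append("rotationPeriod set but nextRotationTime missing")
    elif parse_timestamp(next_rotation) < now:
        findings.append("nextRotationTime is in the past; the export may be stale or rotation failed")
    return findings


def audit_keys(keys_json: str, now: datetime) -> dict[str, list[str]]:
    """Audit every key in a gcloud JSON export; keys with no findings are omitted."""
    report = {}
    for key in json.loads(keys_json):
        key_id = key["name"].rsplit("/", 1)[-1]  # short name for readable output
        issues = audit_key(key, now)
        if issues:
            report[key_id] = issues
    return report


if __name__ == "__main__":
    for key_id, issues in audit_keys(SAMPLE_KEYS_JSON, NOW).items():
        for issue in issues:
            print(f"{key_id}: {issue}")
```

Against a real project the same function takes the saved output of the `gcloud` command as its input; running it per key ring on a schedule turns the one-line requirement into a repeatable control with evidence attached.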

Are you ready to audit and secure your Google Cloud environment? Contact our security specialists today!

Google Cloud Security Requirements - part 2

This blog series consists of a detailed set of cloud security requirements that can be used by any organization that wants to implement cloud services securely. The requirements expressed below are cloud agnostic and can be applied to any public cloud, or even to private clouds.

The sub-domain and requirement descriptions are mapped to ISO 27002:2013 controls and standards. The overall theme of this blog series covers all the cloud security controls stated by the NIST 800-53 series.

Domain: DevSecOps and CI/CD

Sub-Domain | Req. Name | Req. Description
Governance | Application Risk Categorization | All applications shall be categorized by risk. Risk can be categorized as internal, external, or strategic (e.g., weak cryptographic standards can get the application compromised in production, so this can be marked as high risk)
Construction | Third-Party Components | Any third-party components that may be used in any software development cycle shall be documented
Verification | Automated Code Analysis Tools — Security | Automated code analysis tools with specific components for monitoring for security issues shall be used
Verification | Penetration Testing | Penetration tests shall be performed prior to release to production
Deployment | Third-Party Components Security Updates | Third-party software components’ websites shall be regularly reviewed for any security-related updates
Deployment | Patch Management Process | A single process for applying upgrades and patches to applications shall be used
Deployment | Operational Environment Automation | Software Engineering shall use automated tools to evaluate operational environment and application-specific health
Deployment | Security Alerts and Errors | Security-related alerts and error conditions for all released applications
Deployment | Change Management Process | A common change management process shall be used, and all software engineers shall be trained on the process
Deployment | Secure Code Signing | All released code shall be securely signed using a single, consistent process

Are you ready to audit and secure your cloud environment? Contact our security specialists today!

Google Cloud Security Requirements - part 1

This blog series consists of a detailed set of cloud security requirements that can be used by any organization that wants to implement cloud services securely. The requirements expressed below are cloud agnostic and can be applied to any public cloud, or even to private clouds.

The sub-domain and requirement descriptions are mapped to ISO 27002:2013 controls and standards. The overall theme of this blog series covers all the cloud security controls stated by the NIST 800-53 series.

Domain: Governance Risk and Compliance

Sub-Domain | Req. Name | Req. Description
Governance and Oversight | Management Support | Security shall be actively supported through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities. This includes senior leadership review of the security policy at planned intervals (or when significant change occurs) to coordinate and update changes that keep it aligned with, and relevant to, business, legal, or other requirements
Governance and Oversight | Architecture | Reference architectures that address the following shall be developed:
*  Cloud architecture
*  Development environment
*  Test environment
*  Support environment (including remote access, administrative workstations)
The reference architectures shall delineate points of demarcation of responsibilities between different groups and identify the security controls in place
Governance and Oversight | Security Program Audit/Assessment | Audit and assessment plans to validate and track compliance with internal and external requirements at scheduled and required intervals shall be developed. This includes:
a. Develop a security assessment plan that describes the scope of the assessment, including:
    i. Security controls and control enhancements under assessment
    ii. Assessment procedures to be used to determine security control effectiveness
    iii. Assessment environment, assessment team, and assessment roles and responsibilities
b. Assess the security controls in the information system at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
c. Produce a security assessment report that documents the results of the assessment
d. Provide the results of the security control assessment, in writing, to the authorizing official or the authorizing official’s designated representative
e. Employ an independent assessor or assessment team to conduct an assessment of the security controls in the information system
Governance and Oversight | Data Retention | Information within, and output from, IT systems shall be handled and retained in accordance with applicable national and local laws, executive orders, directives, policies, regulations, standards, and operational requirements
Governance and Oversight | Policies | A set of policies for information security shall be defined, approved by management, published, and communicated to employees and relevant external parties. Policies shall include the following:
*  Encryption
*  User access
*  Privileged access
*  Monitoring
*  Coordination with law enforcement
Governance and Oversight | Policy Enforcement | Information security policies shall be enforced by management
Governance and Oversight | Standards | Standards shall be developed and implemented for:
*  SDLC
*  Separation of development, test, and operational environments
*  Security testing before and after implementations
*  Secure configuration of systems (hosted, development, administrative)
Operating Model and Business Alignment | Segregation of Duties | Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets
Operating Model and Business Alignment | Roles and Responsibilities | Security roles and responsibilities of employees, contractors, and third-party users shall be clearly defined and documented in accordance with the information security policy
Risk Management | Risk and Mitigation Tracking | Risks shall be tracked, and mitigation efforts developed and executed, so that risks are mitigated to an acceptable level (based on established risk criteria) within reasonable timeframes and with executive approval
Risk Management | Non-compliance Management | Procedures shall exist to ensure that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis
Risk Management | Remediation Tracking | Areas of noncompliance shall be remediated and progress toward remediation tracked, to include:
a. Developing a plan of action and milestones for the information system to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls, and to reduce or eliminate known vulnerabilities in the system
b. Updating the existing plan of action and milestones each quarter, based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities
Security Culture | Training and Awareness | A training and awareness program focused on cloud product security shall be in place. The program shall include:
*  Reviewing risks
*  Reviewing actions each group shall take to treat risks
*  Training and testing participants in their responsibilities
*  Requiring a passing result before participants are allowed to take part in the development and support of cloud products
Security Culture | Security Policies | Information security policies and procedures shall be established and made readily available for review by all impacted personnel and external business relationships. Information security policies shall be authorized by business leadership (or other accountable business role or function) and supported by a strategic business plan and an information security management program inclusive of defined information security roles and responsibilities for business leadership.

Documented procedures shall be used to facilitate the implementation of the information security policy and associated controls. Documented procedures shall address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and will cover, at a minimum, the following areas:
a. Access control
b. Security awareness and training
c. Audit and accountability
d. Security assessment and authorization
e. Configuration management
f. Contingency planning
g. Identification and authentication
h. Incident response
i. Information system maintenance
j. Media protection
k. Physical and environmental protection
l. Security planning
m. Personnel security
n. Risk assessment
o. System and services acquisition
p. System and communications protection
q. System and information integrity

Are you ready to audit and secure your Google Cloud environment? Contact our security specialists today!

COVID-19 brings unexpected IT challenges

How do we rapidly enable work from home while protecting corporate resources?

Enabling a remote workforce is no trivial challenge in the best of times, and it can seem especially daunting when rolling out during a global crisis.
Many organizations needed to transition their workforce to remote work overnight.

We face several challenges simultaneously:

  • We must ensure our people can be productive while working remotely – that includes making sure they have the right tools. We may need to get people new devices or enable use of personal devices.
  • We’re all experiencing serious spikes in remote app access, which puts a lot of pressure on VPN scalability for on-premises app access.
  • And, of course, bad actors are looking to take advantage of the crisis – we’re seeing increases in cybersecurity threats attempting to exploit the situation.

Contact us today for a FREE security consultation! Let our security experts audit and propose security fixes to your environment.