How to get your security team on board with your cloud migration

To find out more about cloud migrations, the pitfalls that await the unwary, and what the security implications are, I recently sat down with Dustin Dorsey, Systems & Data Architect at Biobot Analytics, based in Cambridge, MA.

In the first post in this series, we talked about cloud providers being responsible for security ‘of’ the cloud, while their clients are responsible for security ‘in’ the cloud. This inevitably means any cloud migration project team should involve security from the very beginning.

For this second post, I asked him about how to get buy-in from security teams who are cautious by nature, how to encourage the wider IT team to accept their recommendations, and what additional challenges highly regulated sectors like healthcare and finance face.

He offered some really valuable advice …

Have you ever seen any cloud migration project stopped or paused by security teams?

I like this question because, just like with anything else, there are good security teams and there are bad security teams. I’ve had the pleasure, the unfortunate pleasure maybe, of working with a little bit of both.

The good security teams are the ones that work toward the common goal of doing everything they can to make the company successful and their project successful. Their primary intention is not to be an unnecessary roadblock. They work alongside you, they offer solutions, they’re part of the team.

The bad ones, though, are almost the complete opposite of that, and these are the ones that can jeopardize your project. They are the ones that think they have this unlimited godlike power that allows them to do anything in the name of security, and don’t really care how successful your project is. They usually work over you and tell you the problems as opposed to actually working with you and helping to provide solutions.

Obviously, everyone wants to work with the good ones, but unfortunately that isn’t always the case. The bad ones that I have worked with have never completely derailed a project, but they have stalled migration projects. And this was even when including them from the very beginning because they didn’t have the mindset of ‘We want your project to be successful, we’re here to better the company’. They wanted to find problems and call those out and just become a big, massive roadblock to everything.

The way to get around it is to have a good executive sponsor when you start these projects. When things come up, and they’re nonsensical sorts of things in the name of security, you can go to your executive sponsor to work through it.

What’s an effective way to get buy-in from a security team to be part of the team?

It’s pretty much true with any team, even outside of security. The best way to get anyone involved is to involve them early. When they believe they’re an important part of the project at the very beginning, they’re more invested in it, as opposed to being brought in halfway and probably not being as connected to its success.

So security shouldn’t be an afterthought, they should be a fundamental part of the project. Involve them when you first start talking about the migration. Let them be a part of the conversation and welcome input, and it’s going to go a lot smoother.

What’s the best way to get buy-in from the broader IT team about the need for the measures that will be proposed by the security team?

This goes back to the comment that security should be fully integrated into the project. They should be part of the project and everyone should understand their role from the beginning. Just like you need data engineers to migrate the data and cloud engineers to build the services, you need security evaluating the solution. That way, the entire team knows they’re getting a security review at different stages of the project, and there is X amount of time baked in to be able to fix any remediation items.

In my experience, if you’re doing it right, and security is involved from the beginning, there’s not a lot you have to do to get buy-in from everyone else. If you work in tech, you understand the value of security, right? You know you have to have secure solutions, you’ve got to have security processes in place.

Turn on the news and it seems like every other week, you hear about a company that’s been derailed by some sort of cyberattack or hacking or something. I think everyone’s pretty aware that it is a pretty serious thing that needs to be considered.

In the healthcare sector, what additional cloud migration concerns do you need to be aware of, as opposed to say, the manufacturing sector?

There are a whole lot of regulations in healthcare, which obviously makes security super important. The most notable one is HIPAA, which you’re probably familiar with, and there’s also HITECH which introduces additional things like breach notification requirements, CMS regulations which regulate Medicare and Medicaid programs, and state-specific regulations like the CCPA.

All of this has to be taken into account when you do your migration but perhaps the biggest concern is the cloud itself. When you’re moving to the cloud, you’re moving from a private data center where you have a lot of controls over protecting what gets in and gets out. You’re moving into a public cloud where you’re a checkbox away from publicly exposing something.

In a lot of cases, you have to be very, very careful when you’re doing this, and I think that scares a lot of folks away in heavily regulated industries like healthcare. You’re a checkbox away from maybe making a huge mistake that could ruin your company, if you’re not doing it right.

Do you think regulated industries like healthcare and finance have a bigger security challenge in terms of migrating to the cloud?

When you move things to the cloud and you’re in a heavily regulated field, you have to take it very, very seriously – probably more seriously than what you are doing with your on-prem infrastructure.

But the benefits outweigh that, like the ability to be able to scale immediately and spin up services, and use new technologies, and get data to your partners faster. You can build go-to-market strategies quicker in the cloud than you can do on-prem. So I think a lot of companies look at the security challenges and think about how they can be smart about it.

Obviously, the shared responsibility model is the first challenge, because when you’re working on-prem, it’s all your responsibility. When you move to the cloud, you’re having to trust someone else, and I can’t stress the following enough: If you’re doing your first cloud migration and you’re moving to the cloud, you should be working with your cloud provider, hands down.

You should be on the phone with them, meeting with them regularly, telling them what you’re doing, getting their advice, because they are invested in you having a successful migration. They don’t want horror stories out there: it makes them look bad. So work with them. Use their security assessment tools, talk through your designs with their security experts, work with them on your plan as an added layer of protection.

The second challenge is the storage of your data in remote data centers rather than your sanitized on-prem environment. This raises security issues you have to take into account like access controls, Multi-Factor Authentication and identity access management policies, which now need to include cloud-based services. You’re going to be spinning up multiple services and you have to have security in place for them. Data encryption also needs to be managed, both at rest and in transit, and network security and monitoring become really, really important, as does incident response planning.


I learned a lot from Dustin Dorsey in our conversation about security and cloud migrations. The key take-outs for me were:

  • Take your responsibility for security ‘in’ the cloud seriously. Don’t presume, for example, your data will be encrypted by default. Check the configuration and settings.
  • Don’t be tied down by job titles. It’s common for people to wear multiple hats in their roles at work, especially in smaller companies, so evaluate the skills you have in-house before you call in consultants or look for a new hire when undertaking a cloud migration.
  • Involve your IT security people from the very beginning of a cloud migration project, so they can assess what your vulnerabilities will be when you undertake the migration, and mitigate them during the migration.
  • Work with your cloud provider – they want you to succeed just as much as you do. As Dustin emphasizes, ‘You should be working with your cloud provider, hands down.’
  • And finally my favorite, which I think applies to every migration for every organization: ‘You’re a checkbox away from maybe making a huge mistake that could ruin your company, if you’re not doing it right.’ Check everything and then check everything again. Oh, and then keep checking in to keep up to date with any new features or changes that have emerged.
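The concerns Dustin lists (access controls, MFA, encryption at rest and in transit, public exposure being ‘a checkbox away’) and the closing advice to check the configuration rather than presume defaults can be turned into an automated check. The following is an added example written for this article, not code from Dustin Dorsey or Biobot Analytics. It audits a constructed snapshot whose keys mirror the shape of AWS S3 and IAM API responses (PublicAccessBlockConfiguration, ServerSideEncryptionConfiguration, the aws:SecureTransport policy condition), but the bucket names, user names and all values are hypothetical and embedded inline so it runs offline.

```python
"""Audit a constructed snapshot of cloud storage and identity settings for
public exposure, encryption at rest, encryption in transit and MFA.
The snapshot keys mirror AWS S3/IAM response shapes; the data is constructed."""

from typing import Any, Dict, List

# Constructed sample snapshot (hypothetical names): one bucket configured the
# way a regulated workload should be, one that is "a checkbox away" from public
# exposure, and two console users, one of them without MFA.
SNAPSHOT: Dict[str, Any] = {
    "buckets": {
        "phi-exports": {
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
            },
            "ServerSideEncryptionConfiguration": {
                "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]
            },
            "Policy": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Sid": "DenyInsecureTransport",
                    "Effect": "Deny",
                    "Principal": "*",
                    "Action": "s3:*",
                    "Resource": ["arn:aws:s3:::phi-exports", "arn:aws:s3:::phi-exports/*"],
                    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
                }],
            },
        },
        "analytics-scratch": {
            # Two of the four public-access settings left unchecked.
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
            },
            "ServerSideEncryptionConfiguration": None,  # no default encryption
            "Policy": None,  # no TLS-only policy
        },
    },
    "iam_users": [
        {"UserName": "data-architect", "PasswordEnabled": True, "MFADevices": ["virtual-mfa-1"]},
        {"UserName": "contractor", "PasswordEnabled": True, "MFADevices": []},
    ],
}

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")
ACCEPTED_SSE = {"AES256", "aws:kms"}


def check_public_access(name: str, bucket: Dict[str, Any]) -> List[str]:
    """Every public-access block flag must be on; report the ones that are not."""
    cfg = bucket.get("PublicAccessBlockConfiguration") or {}
    missing = [flag for flag in PUBLIC_ACCESS_FLAGS if not cfg.get(flag, False)]
    return [f"{name}: public access not fully blocked ({', '.join(missing)} off)"] if missing else []


def check_encryption_at_rest(name: str, bucket: Dict[str, Any]) -> List[str]:
    """Default server-side encryption must be set with an accepted algorithm."""
    cfg = bucket.get("ServerSideEncryptionConfiguration") or {}
    for rule in cfg.get("Rules", []):
        if rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in ACCEPTED_SSE:
            return []
    return [f"{name}: no default encryption at rest (expected one of {sorted(ACCEPTED_SSE)})"]


def check_encryption_in_transit(name: str, bucket: Dict[str, Any]) -> List[str]:
    """A Deny statement conditioned on aws:SecureTransport=false enforces TLS."""
    policy = bucket.get("Policy") or {}
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return []
    return [f"{name}: no bucket policy denies non-TLS requests (aws:SecureTransport)"]


def check_mfa(users: List[Dict[str, Any]]) -> List[str]:
    """Every user with console (password) access must have at least one MFA device."""
    return [f"user {u['UserName']}: console access without MFA"
            for u in users if u.get("PasswordEnabled") and not u.get("MFADevices")]


def audit(snapshot: Dict[str, Any]) -> List[str]:
    """Run all checks over the snapshot and return the list of findings."""
    findings: List[str] = []
    for name, bucket in snapshot.get("buckets", {}).items():
        findings += check_public_access(name, bucket)
        findings += check_encryption_at_rest(name, bucket)
        findings += check_encryption_in_transit(name, bucket)
    findings += check_mfa(snapshot.get("iam_users", []))
    return findings


if __name__ == "__main__":
    for finding in audit(SNAPSHOT):
        print("FINDING:", finding)
```

Against the constructed snapshot the hardened bucket produces no findings, while the scratch bucket produces three (public policy not blocked, no default encryption, no TLS-only policy) and the contractor account is flagged for missing MFA. In practice the snapshot would be filled from the provider’s APIs and the audit run on a schedule, which is the ‘keep checking’ part of the advice above.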

To find out more about best practices for cloud security and migrations, read the first post in this series, Security in the cloud: Whose responsibility is it?, along with our previous posts: