AWS Migration Considerations Series: Governance and Security

Enterprise security and governance often lead AWS Cloud migrations, ensuring early inclusion and awareness.

9th of July, 2024

This article is the seventh of a series of blog posts showcasing Akkodis’ experience with AWS Cloud Migrations.

Many successful AWS Cloud migrations are led from the start by the enterprise's security and governance function, which is the first cab off the rank for inclusion in, and awareness of, the proposed transition.

It is critical that security, governance, and operations teams understand the shared responsibility model: what maintenance and security uplift AWS performs on their behalf, and what remains an exercise for the customer or their implementation and operating partner(s).

The Shared Responsibility Model in AWS Cloud Migrations

A common pattern is customers trying to recreate their existing on-premises tools in the cloud. These are sometimes unnecessary or better replaced with cloud-native and cloud-scalable solutions to implement the same functionality. This is even more attractive when the solution is fully managed and requires no customer action for security uplift and enablement over time.

A key element is having some architectural standards shared by all implementation teams and permitting the security team to inspect your workloads.

In the Virtual Private Cloud (VPC) environment, it is good practice to design so that as little traffic as possible needs to egress over the Internet. It is also good to restrict both inbound and outbound access with the ever-present Security Groups, which function like a stateful firewall. These groups operate at the granularity of an individual instance rather than a complete subnet, as is traditional for on-premises networks.

AWS Protocol Encryption, Service Integration, and Third-Party Solutions

When implementing a Cloud migration, aim to lift every protocol to its end-to-end encrypted equivalent, leveraging automated certificate issuance and renewal from AWS Certificate Manager (ACM). Diving deeper, it is also a good time to lift the TLS protocol versions used on encrypted communications: restrict the minimum version and enable newer ones.
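The two controls above (instance-level Security Groups that limit inbound and outbound access, and a raised TLS floor on encrypted listeners) can be checked offline from exported API output. The following is an added example, not code from the article or from Akkodis; it assumes input shaped like `aws ec2 describe-security-groups` and `aws elbv2 describe-listeners`, and the set of approved ALB TLS policies is an assumption to adjust to your own standard.

```python
# Added example (not the article's code): offline audit of security-group rules
# and ALB listener TLS policies over constructed describe-* style input.
from typing import Dict, List

ANY_CIDRS = {"0.0.0.0/0", "::/0"}
# Assumption: the ALB policies your organisation accepts as a TLS 1.2+ floor.
APPROVED_TLS_POLICIES = {"ELBSecurityPolicy-TLS13-1-2-2021-06",
                         "ELBSecurityPolicy-TLS-1-2-2017-01"}

def audit_security_group(group: Dict) -> List[str]:
    """One finding per rule that opens traffic to or from the whole Internet."""
    findings = []
    for direction, key in (("ingress", "IpPermissions"),
                           ("egress", "IpPermissionsEgress")):
        for perm in group.get(key, []):
            proto = perm.get("IpProtocol", "-1")
            ports = "all" if proto == "-1" else f"{perm['FromPort']}-{perm['ToPort']}"
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in ANY_CIDRS:
                    findings.append(f"{group['GroupId']} {direction} "
                                    f"{proto}/{ports} open to {cidr}")
    return findings

def audit_listener(listener: Dict) -> List[str]:
    """Flag plaintext listeners and TLS policies outside the approved set."""
    arn = listener["ListenerArn"]
    if listener.get("Protocol") != "HTTPS":
        return [f"{arn} port {listener['Port']} is not HTTPS"]
    policy = listener.get("SslPolicy", "")
    if policy not in APPROVED_TLS_POLICIES:
        return [f"{arn} uses TLS policy {policy!r}, outside the approved set"]
    return []

# Constructed sample: an SG with SSH open to the world, HTTPS limited to RFC1918,
# and allow-all egress; two HTTPS listeners, one on a TLS 1.0-capable policy.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SAMPLE_LISTENERS = [
    {"ListenerArn": "listener-a", "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": "listener-b", "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"}]

if __name__ == "__main__":
    for finding in audit_security_group(SAMPLE_GROUP) + sum(map(audit_listener, SAMPLE_LISTENERS), []):
        print(finding)
```

Running it against a real account means feeding the JSON from the two CLI commands into the same functions; the allow-all egress finding is the one most teams will need to consciously accept or tighten.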

This security and governance discussion continues for each AWS Cloud service considered as part of the solution mix.

One key thing to keep in mind is third-party solutions and services that offer to fix a gap. Often, the gap these applications address is overstated, or is already served by a cloud-native equivalent. No particular tool or dashboard must be in place before you get started, so do not feel pressured by salespeople in suits insisting that their expensive solution is mandatory or used by everyone else.

Akkodis has been an AWS Consulting Partner since 2013. Learn more about our AWS Practice and services.

By James Bromberger, VP Cloud Computing, Akkodis Australia