
Mind sensitive data during a hybrid cloud migration

Many organizations fret over the security of sensitive data in hybrid cloud. And while that fear isn't totally irrational, there are solid options to keep your workloads safe.

While hybrid cloud offers enterprises increased flexibility, organizations have concerns over how this type of environment protects -- or fails to protect -- sensitive data. And while AWS provides a host of security tools that can help secure hybrid cloud migrations and deployments, network vulnerabilities still leave organizations wary.

Many enterprises believe their own data centers can safeguard sensitive data better than the cloud. But that popular notion might not be entirely true.

"Most of the companies we work with -- while they have corporate offices -- would not typically store any sensitive customer data there when they otherwise could in AWS," said Doug Barbin, principal and cybersecurity practice leader of Schellman & Company Inc., a security and privacy compliance assessor based in Tampa, Fla. This is because few offices actually have the physical security controls to thoroughly protect their data centers.

For some businesses, the benefits of the cloud eventually convince them to drop their data protection worries. "All data, even sensitive data, can be found throughout an organization's hybrid environment," said Andy Stone, senior product manager at Sungard Availability Services, a business continuity and disaster recovery (DR) services provider that uses AWS. "Once a customer deploys across multiple environments, they become invested in the cloud and quickly see the benefits of having a fully auditable environment." With the proper architecture and approach, the public cloud can secure data as well as, if not better than, a standard data center. AWS is no exception.

"From an AWS perspective, there are three key elements to securely handling sensitive data: encryption, event logging and monitoring," Stone said. In particular, he emphasized the latter two methods, which some organizations overlook.

Get started with an AWS hybrid infrastructure

Once security concerns subside, data migration conversations typically start with costs, Stone said, but eventually scalability and flexibility enter the discussion. Those benefits, along with the ease of cloud deployment, convince an organization to execute a hybrid cloud migration when legacy hardware no longer meets its requirements. "We typically don't see [migration] until there is a specific performance need, such as when their existing hardware has fully depreciated or runs out of capacity," Stone said.

Enterprises with mission-critical websites and applications in sensitive or highly regulated industries take some solace in AWS' progressive approach to hybrid cloud, said Shawn Moore, CTO at Solodev, a content management system provider. And AWS stands to benefit as some organizations move from a hybrid to an all-AWS deployment.

"AWS has made the transition from on prem to hybrid to cloud-first more secure, accessible and predictable than any other infrastructure provider," Moore said.

AWS provides several methods to migrate resources and data to its cloud. One more platform-neutral approach to hybrid cloud migration involves a pilot light, an environment that typically backs up data for DR. With a pilot light, users can choose resources to replicate as needed on the cloud and process workloads on premises with data backups on AWS, Moore said.

After an enterprise spins up a pilot light environment, it can accelerate its hybrid cloud migration. This approach keeps sensitive data and applications on premises but sends backup copies of the data to the cloud. Once the data is in the cloud, organizations can take advantage of AWS and third-party tools they wouldn't otherwise have on premises. They can then choose to migrate more critical workloads to AWS.

"After an organization adopts a pilot light strategy with AWS and becomes increasingly comfortable with cloud technologies, a hybrid approach will almost naturally emerge," Moore said.

Protect your assets with best practices

There are a number of general best practices to bolster security across cloud environments. "The first practice would be to keep the data in applications and use encryption keys to encrypt the data at rest," said Aaron Bawcom, chief architect at Candid Partners, an AWS Advanced Consulting Partner. This strategy is fairly easy to implement, particularly with cloud-native technologies, such as AWS Key Management Service (KMS), but it still relies on application owners to properly secure sensitive data.
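Encrypting data at rest with a key service such as KMS in practice means envelope encryption: the application asks the key service for a data key, encrypts the record locally, and stores only the wrapped copy of that key beside the ciphertext, so the master key never leaves the service and every key operation shows up in an audit trail (the "event logging" Stone stresses above). The Go program below is an added example written for this article, not code from AWS or any of the firms quoted. KeyService is a constructed in-process stand-in for KMS (real calls go through the AWS SDK), its encryption context and Audit slice mirror the KMS encryption context and the KMS events CloudTrail records, and the key alias and record contents are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// AuditEvent is one logged key operation, modelled on the KMS calls that
// CloudTrail records (constructed for this example).
type AuditEvent struct{ KeyID, Operation, Context string }

// KeyService is a constructed in-process stand-in for a key management
// service: the master key never leaves it; callers only receive data keys.
type KeyService struct {
	keyID  string
	master cipher.AEAD
	Audit  []AuditEvent
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // a failing OS CSPRNG is not recoverable here
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches this
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal returns nonce || ciphertext with aad authenticated; open reverses it.
func seal(aead cipher.AEAD, plaintext []byte, aad string) []byte {
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, []byte(aad))
}

func open(aead cipher.AEAD, blob []byte, aad string) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(aad))
}

// NewKeyService generates a 256-bit master key; a real KMS key lives in an HSM.
func NewKeyService(keyID string) *KeyService {
	return &KeyService{keyID: keyID, master: mustGCM(mustRandom(32))}
}

// GenerateDataKey returns a fresh data key in plaintext plus a copy wrapped under
// the master key. encContext is bound as associated data, so the wrapped key only
// unwraps under the same context (the KMS encryption-context behaviour).
func (ks *KeyService) GenerateDataKey(encContext string) (plain, wrapped []byte) {
	plain = mustRandom(32)
	ks.Audit = append(ks.Audit, AuditEvent{ks.keyID, "GenerateDataKey", encContext})
	return plain, seal(ks.master, plain, encContext)
}

// UnwrapDataKey recovers a data key; every attempt is logged, successful or not.
func (ks *KeyService) UnwrapDataKey(wrapped []byte, encContext string) ([]byte, error) {
	ks.Audit = append(ks.Audit, AuditEvent{ks.keyID, "Decrypt", encContext})
	return open(ks.master, wrapped, encContext)
}

// StoredRecord is what the application persists; no plaintext key is ever stored.
type StoredRecord struct {
	WrappedKey []byte // data key sealed by the key service
	Ciphertext []byte // nonce || AES-GCM ciphertext of the record
}

// EncryptRecord is envelope encryption: one data key per record, used locally.
func EncryptRecord(ks *KeyService, plaintext []byte, encContext string) StoredRecord {
	dataKey, wrapped := ks.GenerateDataKey(encContext)
	return StoredRecord{WrappedKey: wrapped, Ciphertext: seal(mustGCM(dataKey), plaintext, encContext)}
}

// DecryptRecord unwraps the data key through the key service, then decrypts.
// A wrong context, or tampering with either blob, fails authentication.
func DecryptRecord(ks *KeyService, rec StoredRecord, encContext string) ([]byte, error) {
	dataKey, err := ks.UnwrapDataKey(rec.WrappedKey, encContext)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(mustGCM(dataKey), rec.Ciphertext, encContext)
}

func main() {
	ks := NewKeyService("alias/customer-data")                            // constructed key alias
	rec := EncryptRecord(ks, []byte("ssn=123-45-6789"), "app=billing") // constructed record
	pt, err := DecryptRecord(ks, rec, "app=billing")
	fmt.Printf("same context: %s (err=%v)\n", pt, err)
	_, err = DecryptRecord(ks, rec, "app=marketing")
	fmt.Println("other context:", err)
	fmt.Printf("audit trail: %+v\n", ks.Audit)
}
```

The point of the encryption context is that a wrapped key copied out of one application's storage cannot be unwrapped by a different application even if both use the same master key, and the audit trail records the attempt either way; that failed Decrypt event is exactly what a monitoring rule should alert on.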

While it's a more complicated approach, an IT team could obfuscate data that resides in applications with tokens. "This strategy can take advantage of cloud-native technologies, such as AWS Redshift, DynamoDB and KMS, for tokenization algorithms or off-the-shelf solutions from independent software vendors," Bawcom said. But this approach can introduce dependencies, and it usually requires application structure and processing changes that can affect app-dev timelines.

An organization could also choose to relegate sensitive data to segregated services that applications call only when they need it. "This provides the greatest security and compliance risk posture but, consequently, requires the largest change to application structure and processing capabilities," Bawcom said.
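Tokenization and a segregated service are two sides of one design: the vault that holds the real values is the segregated service, and applications only ever store and pass around the opaque tokens it issues. The Go program below is an added example for the two approaches Bawcom describes above; it is not code from Candid Partners, AWS or any vendor. The in-memory Vault stands in for a dedicated tokenization service (which the text says could be built on Redshift, DynamoDB and KMS or bought off the shelf), its role allow-list stands in for the access policy on that service, and the customer names, roles and card number are constructed test data.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// TokenService is the whole surface an application sees. The vault behind it
// is a segregated service in its own trust boundary (constructed example).
type TokenService interface {
	Tokenize(value string) (string, error)
	Detokenize(token, callerRole string) (string, error)
}

// Vault keeps the token-to-value mapping; it is the only place the real
// values live. Detokenization is limited to an allow-list of caller roles.
type Vault struct {
	mu      sync.Mutex
	byToken map[string]string
	byValue map[string]string
	allowed map[string]bool
}

func NewVault(detokenizeRoles ...string) *Vault {
	v := &Vault{byToken: map[string]string{}, byValue: map[string]string{}, allowed: map[string]bool{}}
	for _, r := range detokenizeRoles {
		v.allowed[r] = true
	}
	return v
}

// Tokenize returns an opaque random token. The same value always yields the
// same token, so applications can still match and join on it without seeing it.
func (v *Vault) Tokenize(value string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if t, ok := v.byValue[value]; ok {
		return t, nil
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	t := "tok_" + hex.EncodeToString(b) // carries no information about the value
	v.byToken[t] = value
	v.byValue[value] = t
	return t, nil
}

// Detokenize is the one privileged operation; roles outside the allow-list
// and unknown tokens are refused.
func (v *Vault) Detokenize(token, callerRole string) (string, error) {
	if !v.allowed[callerRole] {
		return "", fmt.Errorf("role %q may not detokenize", callerRole)
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	value, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return value, nil
}

// CustomerRecord is what the application's own database stores: tokens only.
type CustomerRecord struct {
	Name    string
	CardTok string
}

// IngestCustomer swaps the card number for a token before the record is
// persisted, so the application datastore never holds the real value.
func IngestCustomer(ts TokenService, name, card string) (CustomerRecord, error) {
	tok, err := ts.Tokenize(card)
	if err != nil {
		return CustomerRecord{}, err
	}
	return CustomerRecord{Name: name, CardTok: tok}, nil
}

// HoldsRawCard is a check a reviewer can run over stored records: anything
// in the card field that is not a vault token is a leak.
func HoldsRawCard(rec CustomerRecord) bool {
	return !strings.HasPrefix(rec.CardTok, "tok_")
}

func main() {
	vault := NewVault("payments") // only the payments role may detokenize
	rec, _ := IngestCustomer(vault, "A. Customer", "4111111111111111") // constructed test card number
	fmt.Printf("stored: %+v leak=%v\n", rec, HoldsRawCard(rec))
	card, err := vault.Detokenize(rec.CardTok, "payments")
	fmt.Println("payments:", card, err)
	_, err = vault.Detokenize(rec.CardTok, "analytics")
	fmt.Println("analytics:", err)
}
```

Mapping equal values to the same token is a deliberate trade-off: it keeps joins and duplicate detection working on the application side, but it also lets anyone who can see the token store count repeats, so a deployment that does not need joins should issue a fresh token per request instead. This is also where the "dependencies" Bawcom mentions come from: every code path that previously read the value now has to call the vault, and the vault's availability becomes the application's.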
