# Cloud Migration Demands Contractual Safeguards and Clear Strategy

The journey to the cloud has become a necessary step for many organizations, but navigating its complexities can be daunting. Cybersecurity experts gathered at the ATxEnterprise conference in Singapore to discuss the strategic and technical hurdles of moving to and operating in cloud environments.

As Anil Kumar Appayanna, chief information security officer of India International Insurance, noted, "Everybody has either moved, or are in the process of moving, to cloud." However, this shift comes with significant responsibilities. Organizations must define their goals and develop a clear strategy for cloud migration, according to Dennis Chan, chief security officer of Huawei International.

Chan emphasized the importance of data classification in determining the appropriate cloud model to adopt. "What sort of data is involved? We need proper data classification so that we can recommend if they should stay on-premise, use a private cloud or have the flexibility to use any of the public cloud providers," he said.

Donald Ong, senior assistant director at the cloud cyber security programme office at Cyber Security Agency of Singapore (CSA), highlighted the concentration risk associated with a public cloud market dominated by major suppliers. "What if the services go down? How much of that is going to impact Singapore? That has always been our worry," he said.

Technical challenges are also on the rise. Chan warned about shadow IT, where unauthorized software and virtual machines can lead to data breaches. He stressed the importance of contractual agreements that allow organizations to work with suppliers, under the terms of their contracts, to investigate data breaches.

Ong cautioned against common cloud migration pitfalls, particularly with lift-and-shift migrations, where developers may bypass identity and access management controls. "You don’t even need to access the demilitarised zone or find some vulnerability to hack through it," he added.

Furthermore, Ong underscored the importance of understanding the shared responsibility model, noting that encrypting and protecting data is a joint responsibility between users and cloud service providers. He also highlighted cloud security competencies for operators of critical infrastructure, which are under development and slated for release later this year.

The discussion also touched on data governance in a multicloud environment, with Chan urging organizations to understand how their data flows across different jurisdictions. He pointed to contractual clauses as tools to safeguard data.

While some organizations may consider reverting to on-premise platforms due to cost and security concerns, Chan emphasized that incident response processes and robust backup strategies remain essential regardless of where workloads reside.

Organizations must also be mindful of exit clauses in cloud service contracts, which Appayanna likened to a prenuptial agreement. "Have good exit clauses in contracts with your cloud service providers or else you will find it difficult to move out," Chan said in support.

As the industry continues to evolve, cybersecurity experts emphasize the need for clear strategy, contractual safeguards, and a deep understanding of shared responsibilities when embarking on or expanding cloud journeys.

# Key Takeaways:

* Develop a clear strategy for cloud migration
* Understand data classification and its impact on cloud model selection
* Recognize concentration risks in public cloud markets
* Implement contractual agreements to mitigate security breaches
* Prioritize incident response processes and robust backup strategies