AWS Migration Considerations: Governance and Security

AWS Migration Considerations: Part 7 (8 part series) Posted 10 May 2021

Welcome to the seventh article in our AWS Migration Considerations Series. You can find the start of the series here.

Many successful AWS Cloud migrations are lead from the start by the security and governance function for an enterprise being the first cab off the rank for inclusion and awareness of the transition being proposed.

It is critical that security and governance teams – and operations teams – understand the shared responsibility model; they must be aware of what maintenance and uplift AWS will perform, and what is left as an exercise for the customer or their implementation and operating partner(s).

A common pattern we see is customers trying to recreate their existing on-premises tools in the cloud. These are sometimes unnecessary or are better replaced with cloud-native and cloud scalable solutions to implement the same functionality. This is even more attractive when the solution is fully managed and requires no customer action for security uplift and enablement over time.

A key element is having some architectural standards, shared by all implementation teams, coupled with permitting the security team to inspect your workloads.

In the VPC environment, its good practice to design to minimise the amount of traffic that needs to egress over the Internet and minimise both inbound and outbound access via the ever-present Security Groups (akin to a stateful firewall) that work at the granularity of an instance, not a complete subnet as is traditional for on-premises networks. For more information see our previous whitepaper on restricting lateral movement in the AWS Cloud.

When implementing a Cloud migration, it is an ideal time to also aim to lift all protocols to their end-to-end encrypted equivalents, leveraging automated certificate deployment from Amazon Certificate Manager. Diving deeper, it also a time to lift even the TLS protocol versions used on encrypted communications – restricting the minimum and enabling newer.

The security and governance discussion continues deep with each AWS Cloud service being considered as part of a solution mix.

One key element to keep in mind is 3rd party solutions and services that offer to fix a gap. Often these applications are over exaggerated or are serviced by a cloud-native equivalent. There are no required tools or dashboards that must be in place before you get started.

Modis has been an AWS Consulting Partner since 2013. You can learn more about our AWS Practice and services here.

Find out how Modis can provide you with innovative AWS cloud based solutions and servicesModis has been an AWS Advanced Tier Partner since 2014. Modis' AWS Cloud Consulting services encompasses fundamentals of cyber security, fault tolerant digital system architecture, modernisation, traditional virtual machine or through to modern Serverless approaches, commercial off-the-shelf software operation to bespoke software development, delivered with high throughput, repeatable DevOps approaches to operations. With over half a decade of running critical authoritative government data sets that affects the lives of millions of citizens and the economies of the state, Modis has one of the most mature, experienced and recognised consulting service providers in the world. More importantly, we like to work very closely with our customers, not providing something to purchase, but taking a deep understanding of their business, and providing the recommendations and implementations to ensure a modern, efficient, reliable and secure environment for digital business systems.Contact us
Modis Australia | Animated map showing global locations
We operate around the world. Would you like to find out more about your local office?Find out about Modis