Creating an exhaustive list of cyber security issues that arise out of system migration is beyond the scope of this document. However, organisations should consider the following high level issues.
Cyber security basics
Are systems still under vendor support? Are systems patched and up-to-date? What systems are not being monitored or are not in the inventory?
Organisations can find that they inherit a substantial amount of technical debt and associated security risk during major organisational change. While a high-level understanding of the number and type of different platforms and applications provides one view, looking at patch and support levels provides an insight into the attention and care paid to systems operated under business-as-usual arrangements.
Organisations inheriting systems may also need to look beyond what is reported in inventories or configuration management databases as the greatest technical debt is often hidden in systems that are not properly enrolled in monitoring and management systems.
Use of a discovery capability, such as an automated vulnerability scanner, may help organisations build a more complete picture of what they need to accommodate, including the security posture of systems in question.
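The reconciliation this paragraph describes, comparing what a discovery scan actually finds against what the inventory claims, is shown below as an added example; it is not part of the original document. The inventory, scan results and end-of-support dates are constructed sample data (the lifecycle dates are illustrative and should be confirmed against vendor lifecycle pages), and the field names are assumptions.

```python
"""Reconcile discovery-scan output against a CMDB inventory to surface hidden technical debt.

Added example, not from the original document. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed: what the CMDB believes it owns (assumed fields: os, monitored).
CMDB_INVENTORY = {
    "app-01": {"os": "ubuntu-20.04", "monitored": True},
    "db-01": {"os": "windows-2012r2", "monitored": True},
    "legacy-02": {"os": "centos-7", "monitored": False},
    "decom-04": {"os": "centos-7", "monitored": True},   # recorded, but never seen on the network
}

# Constructed: what an automated discovery / vulnerability scan actually observed.
SCAN_RESULTS = [
    {"host": "app-01", "os": "ubuntu-20.04", "missing_patches": 2, "agent_seen": True},
    {"host": "db-01", "os": "windows-2012r2", "missing_patches": 14, "agent_seen": True},
    {"host": "legacy-02", "os": "centos-7", "missing_patches": 31, "agent_seen": False},
    {"host": "shadow-03", "os": "windows-2008r2", "missing_patches": 58, "agent_seen": False},
]

# Illustrative end-of-support dates (assumption; confirm against vendor lifecycle pages).
END_OF_SUPPORT = {
    "ubuntu-20.04": date(2025, 5, 31),
    "windows-2012r2": date(2023, 10, 10),
    "centos-7": date(2024, 6, 30),
    "windows-2008r2": date(2020, 1, 14),
}


@dataclass
class Findings:
    not_in_inventory: list = field(default_factory=list)  # discovered but not in the CMDB
    unmonitored: list = field(default_factory=list)       # no agent seen, or CMDB says unmonitored
    unsupported: list = field(default_factory=list)       # OS past (or with unknown) vendor support
    patch_backlog: dict = field(default_factory=dict)     # host -> missing patch count over threshold
    stale_inventory: list = field(default_factory=list)   # in CMDB but not seen by discovery


def reconcile(inventory, scan, eos, today, patch_threshold=10):
    """Cross-check each discovered host against inventory, monitoring, support and patch state."""
    f = Findings()
    for r in scan:
        host = r["host"]
        if host not in inventory:
            f.not_in_inventory.append(host)
        # Treat a missing agent or a CMDB 'unmonitored' flag as a monitoring gap.
        if not r["agent_seen"] or not inventory.get(host, {}).get("monitored", False):
            f.unmonitored.append(host)
        end = eos.get(r["os"])
        if end is None or end < today:
            f.unsupported.append(host)
        if r["missing_patches"] >= patch_threshold:
            f.patch_backlog[host] = r["missing_patches"]
    seen = {r["host"] for r in scan}
    f.stale_inventory = sorted(set(inventory) - seen)
    return f


def summarise(f):
    """Counts suitable for a migration risk register line item."""
    return {
        "not_in_inventory": len(f.not_in_inventory),
        "unmonitored": len(f.unmonitored),
        "unsupported": len(f.unsupported),
        "patch_backlog": len(f.patch_backlog),
        "stale_inventory": len(f.stale_inventory),
    }


if __name__ == "__main__":
    findings = reconcile(CMDB_INVENTORY, SCAN_RESULTS, END_OF_SUPPORT, date(2024, 9, 1))
    for k, v in summarise(findings).items():
        print(f"{k}: {v}")
```

The point of the cross-check is the last two categories: a host the scan finds but the CMDB does not know about, and a CMDB entry the scan never sees, are both signs that the inventory cannot be relied on as the basis for the migration plan.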
How will new systems be patched, backed up, monitored and managed?
Systems are often complex. In addition to the applications themselves, systems also rely on operating system and application server platforms which may not be familiar to an organisation’s existing technical workforce.
Organisations should consider whether they have:
- Sufficient expertise to support applications, including developers familiar with the languages, frameworks, application programming interfaces and cloud services used to develop them.
- Existing capability to support the underlying operating system, database, application server, network technology, cloud infrastructure and other dependencies. Support should include:
  - compatible patching platform and capabilities
  - backup infrastructure
  - monitoring and configuration management (including log management and review).
Where organisations do not have sufficient capability, they will need to consider how that capability is put in place.
Cyber security governance
Organisations will need to consider who will become the new system owner of migrated systems. They will also need to consider who will accept the security risks before authorising the operation of the system in accordance with the organisation’s cyber security framework, including any additional security risks and technical debt resulting from the migration.
Organisations may also need to consider whether existing security documentation needs to be reviewed and updated. For example, policies and Standard Operating Procedures may need to be updated to align responsibilities and authority into the new organisational structure. Incident Response Plans may also need to be updated to reflect new contacts, teams and escalation points.
Organisations may find themselves having to respond to cyber security incidents during or after major organisational change as a result of dependencies between systems that cross organisational boundaries. If this occurs, it will be highly beneficial if there are already well-developed relationships between the operational cyber security teams in each organisation. Organisations should consider how they can establish these relationships early in planning and promote their use during the change.
Conventional systems migration planning will typically address issues related to business interruptions during major organisational change. However, organisations should also consider any reduction in availability protection occurring as part of system migration. For example, some organisations operate significant distributed denial of service mitigation measures leveraging public cloud, while others may operate less capable on-premises solutions. The protection afforded to a system should only be reduced if the security risk is understood and accepted.
Organisations should also consider availability risks related to not being able to restore data. Organisations which cannot recover their data after a cyber security incident often fail. The Essential Eight provides additional advice on backups, including the importance of offline, or non-rewritable and non-erasable, backups to prevent damage from ransomware and similar adversary tactics.
Joining networks provides adversaries with a significant opportunity to move laterally into a different organisation’s environment should one network already be compromised. Organisations should take care to only permit the network services that are required through any organisation to organisation communication links.
If organisations plan to join environments, and one of those environments has already been compromised, then lateral movement into the other environment can be trivial depending on the inherent trust built into the underlying technology. If environments are to be joined, organisations may have to consider how they will develop reasonable assurances that neither environment is the subject of an active compromise. Organisations may find it is easier and safer to build new versions of existing services in a new network, and migrate users and data, than to try and ‘lift and shift’ servers which are in an unknown state and exist in an organisation with a low cyber security posture.
Organisations should consider the use of gateway technologies such as proxies, as well as scanning and monitoring infrastructure, for communications links between organisations. The ISM and the Strategies to Mitigate Cyber Security Incidents provide additional advice in this regard.
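As an added illustration of the "only permit the network services that are required" advice above (not part of the original document), the lint below checks a proposed allow-list for an organisation-to-organisation link against a few defensive expectations: no any-service rules, no broad destination ranges, no direct exposure of services that are common lateral-movement paths, and a terminal default-deny rule. The rule set, field names and the port list are constructed assumptions.

```python
"""Lint a proposed allow-list for an inter-organisation link. Added example; rules are constructed."""
import ipaddress

# Constructed proposed rule set. Assumed fields: src, dst (CIDR), proto, ports (list or "any"), action.
PROPOSED_RULES = [
    {"src": "10.1.0.0/16", "dst": "10.2.5.10/32", "proto": "tcp", "ports": [443], "action": "allow"},
    {"src": "10.1.0.0/16", "dst": "10.2.0.0/16", "proto": "any", "ports": "any", "action": "allow"},
    {"src": "10.1.20.0/24", "dst": "10.2.5.20/32", "proto": "tcp", "ports": [445, 3389], "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "ports": "any", "action": "deny"},
]

# Services that should be brokered through a gateway or proxy rather than opened directly
# between organisations (illustrative list, an assumption of this example).
HIGH_RISK_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM"}


def is_default_deny(rule):
    """True if the rule denies everything from anywhere to anywhere."""
    return (
        rule["action"] == "deny"
        and ipaddress.ip_network(rule["src"], strict=False).prefixlen == 0
        and ipaddress.ip_network(rule["dst"], strict=False).prefixlen == 0
    )


def audit_link_rules(rules, max_dst_hosts=256):
    """Return a list of {'rule': index, 'issue': text} for anything that needs risk acceptance."""
    issues = []
    for idx, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        if rule["proto"] == "any" or rule["ports"] == "any":
            issues.append({"rule": idx, "issue": "permits any service"})
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        if dst.num_addresses > max_dst_hosts:
            issues.append({"rule": idx, "issue": f"broad destination {rule['dst']}"})
        if isinstance(rule["ports"], list):
            for port in rule["ports"]:
                if port in HIGH_RISK_PORTS:
                    issues.append({"rule": idx, "issue": f"{HIGH_RISK_PORTS[port]} ({port}) allowed directly"})
    if not rules or not is_default_deny(rules[-1]):
        issues.append({"rule": None, "issue": "no terminal default-deny rule"})
    return issues


if __name__ == "__main__":
    for item in audit_link_rules(PROPOSED_RULES):
        print(item)
```

Each reported line is a decision for the system owner to make explicitly (accept the risk, narrow the rule, or route the service via a gateway) rather than something that slips through because the link was configured to "make things work" during the migration.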
Identity and access control
Issues related to how identity is provisioned will typically be considered as part of system migration planning. For example, identity may be provided to an application internally (identity is recorded in a connected database), via an external directory (such as a corporate Active Directory) or via a third party (such as a federated identity solution).
In all cases, organisations need to consider that the mechanisms that protect a system are not always integral to the system itself. For example, a multi-factor authentication solution may rely on integration with a corporate identity directory, which may not be moving as part of the major organisational change.
The greater concern, however, is not the security controls which are obvious (because they affect user experience and/or availability) but rather those that are unseen by the user, such as those that monitor and react when suspicious activity is detected. Examples include monitoring to detect identity abuse that was performed in the previous owner’s Security Operations Centre, or security controls which relied on capabilities that are not part of the destination system’s technology stack, such as different endpoint security agents, gateway and proxy technologies.
To accommodate these situations as well as possible, organisations should review:
- system security documentation
- tickets for configuration changes to the system over its operating life
- the knowledge of staff who support the system, including any gateway and cyber security staff, to identify external security controls which protect that system.