While there are many resources and offerings regarding helping customers move to the Cloud, there are not as many who specialize in helping customers to decommission their on-premises infrastructure.
In this article I would like to outline the aspects you might want to consider when closing down legacy infrastructure as part of a move to the Cloud.
The main actions when closing old data systems, local drives and servers are related to the destruction of physical infrastructure, including media deletion and/or disposal, data archiving and identity management (user access). As a consequence, clients also face other precursory and subsequent procedures needed to ensure business continuity and a secure decommissioning of on-premises solutions.
Below, I have summarized the main activities and areas of concern.
First of all, you need to secure organizational alignment and readiness. This entails setting up clear roles and responsibilities for the decommissioning process: who is responsible for the disposal of on-premises data, outdated local drives and servers, and for the documentation and monitoring of actions during this process. Remember to involve management and the DPO (data protection officer) in this phase.
Then you need to establish a monitoring strategy to cover every action, aspect and phase of the architecture and business continuity during the decommissioning process. Develop a project plan for the on-premises decommissioning (preferably with an agile approach) – e.g., decide on a timeline, use a roadmap, milestones and a maturity heatmap, and identify key deliverables, in order to work out the order and prioritization of actions and so that everybody knows when to move to the next step. As part of this preparation you need to establish a new contingency plan that includes the Cloud installation.
Risk and Compliance requirements
One of the main elements is the handling of your data, some of which you may choose to archive. This needs to be handled in accordance with the Danish Bookkeeping Act. Secure access to archived data must comply with GDPR.
Further to this, there are other data management requirements: data transfer, data minimization, data deletion and data retention. Be aware of how a cloud environment impacts the processing of personal data, including data deletion, data minimization and data retention, in order to comply with GDPR regulations – e.g., acquire a data retention license to ensure access to archived data. Assign data owners for remaining sensitive data and perform entitlement reviews (reviews of access rights, or permissions, for all of the organization's employees and vendors) pre-migration to ensure elimination of excessive access that the automated remediation did not manage (data privileges).
Be aware: There are circumstances when your Cloud provider can become a data controller. You will need to update information security policies, access control, asset management and operations security measures in accordance with international standards such as ISO27001.
Implement data encryption where necessary and ensure that IT auditing is covered in the contract with the cloud provider – what does the future audit schedule look like for the Cloud as a platform?
Before engaging, you may want to perform a proper evaluation of the Cloud service provider: a due diligence check on e.g., financial stability, independent assurance and accreditation, data access, application support, security and compliance, and even potential migration between providers in the future (exit options). Also decide on “containerization” of applications to facilitate a change of cloud provider.
You need to secure the transfer or termination of software licenses and service agreements. When moving to the cloud, one of the most important decisions concerns future access control: Identity and Access Management in the Cloud, which involves the transfer/setup of future identity control (user access) – e.g., moving Active Directory services from on-premises to cloud; plan how to grant access in the future and who will have access to what. Implement Contingency Planning regarding future access to the Cloud (plan for enabling ISP redundancy) in case of disruption, compromise, or failure of any component of the cloud service.
You may also want to conduct a risk assessment to secure business secrets when all data is moved to the cloud. This involves a change impact assessment for employees, identifying how moving to a cloud-based solution would alter their operational responsibilities, including data handling and access.
Ensure that employees and stakeholders are made aware of the cloud migration, which data and systems relevant to them are decommissioned, what is transferred to the Cloud, and how that will impact them.
Get insurance to transfer/mitigate risk, especially if there is a failure that results in data loss while decommissioning on-premises systems – consider shared responsibility with the cloud service provider.
Make sure to pre-test systems before deployment.
Technical processes and Technology enablement
In most cases you may find that certain applications are not suitable for or compatible with the cloud. These applications need to be identified, and you need to decide on gradual abolition or alternative hosting of these systems. Decide on the right approach for each application migration (i.e., Containerization, IaaS etc.).
Next you will need to secure the disposal of physical infrastructure (hardware; networks: cabling, routers, switches, servers, SAN, server rooms), including secure destruction of data media (according to NIST 800-88 “Guidelines for Media Sanitization”). In this part of the process, you will also have to eliminate stale data from the migration scope – e.g., by applying a classification taxonomy to identify which data or IT assets should be deleted or disposed of based on criticality, legal requirements, sensitivity etc., as recommended in ISO27002. Assign the task of handling the destruction of sensitive data to a relevant trusted person.
Delete any digital signature certificates that have been migrated – including MOCES, VOCES, FOCES (Older NemHandel) certificates. Ensure a way to document any use of removable media and/or devices for the storage of Personally Identifiable Information (PII) in accordance with standards such as ISO27701 and GDPR regulations. Data handling also includes secure handling of physical archived data (scanning and/or shredding).
Ensure that a dynamic backup plan for data and applications is in place during this transition. Secure resilience in the future cloud setup – including sufficient and perhaps redundant internet access.
Decide on which tools (third-party or cloud native) to use for automation and environment orchestration – establish cloud deployment pipelines to improve continuous integration (CI) and continuous delivery (CD) processes.
Consider the costs if using a third party to destroy the hardware and parts of the on-premises systems, and consult your accountant regarding tax considerations after decommissioning on-premises services. Consider tax consequences from the abolition of physical infrastructure (depreciation, proper accounting of Intellectual Property in the Cloud). You should be aware of which components of the cloud arrangement are subject to e.g., sales tax, VAT and other indirect taxes.
Use a support model (hyper care, extra resources allocated to user/client support) during the initial phase post deployment to ensure stability and business continuity. Perform periodic reviews and monitoring of standards and procedures to ensure compliance.
Another safeguard is to conduct regular awareness training for employees and regular testing of systems (e.g. for vulnerabilities) and of data archiving and deletion, to comply with GDPR and the Bookkeeping Act.
Legal Frameworks and Information Security Standards applicable/relevant for Cloud
The following is a list of relevant laws and regulations to be aware of when moving to the cloud:
General Data Protection Regulation (GDPR)
Especially on the roles and responsibilities of data controllers and data processors – you should be aware if the cloud provider serves only as a data processor, or whether there are situations in which they could be a data controller. When archiving data, decommissioning data or transferring data that includes PII, you should be aware of whether you need to inform the data subjects of their data transfer/storage to a third party (the cloud provider) and how their data is used. You should pay particular attention if the cloud providers manage their data on servers beyond EU borders (e.g. whether the ‘third country’ has other local agreements in place and if they are compatible with GDPR).
The Danish Bookkeeping Act (Bogføringsloven) regulates data retention and archiving, and states that accounting records must be retained for 5 years from the end of the relevant financial year.
The Danish Personal Data Act (Persondataloven) for data controllers in Denmark with activities within the EU.
Digitaliseringsstyrelsen is a public institution responsible for standardization – for implementing public digital ambitions such as cloud computing.
ISO/IEC 27001, 27002, 27701 support the incorporation of the servers within the host environments into the management systems, especially as they provide guidelines on data management, disposal of media and physical media, data classification, IT asset management etc.
ISO27017 provides additional security controls for the cloud, developed for cloud service providers and users.
NIST 800-88 provides guidelines for media sanitization, which can be considered when disposing of physical data media within the decommissioning process.
I hope this article has given you some food for thought before you plunge into migrating your IT infrastructure to the cloud. Please reach out if you want our assistance on this journey – to make sure it becomes successful.