Cloud Migration Best Practices: Lessons Learned From One Investment Firm’s Transition

March 28, 2019

 

When it comes to security, the cloud can be a more secure environment, contrary to popular belief. For one, there’s the ability for any person to access data on premise. In addition, a malicious actor could potentially gain access to a shared drive more easily with an on-premise solution versus the cloud.

When transitioning to the cloud, Starwood Capital Group had a lot to consider. First and foremost, switching from an on-premise shared drive to Salesforce meant moving highly sensitive information to a new application.

“When we first did that, we said, ‘This is great – it’s changing the unit of measurement from a file or database in shared drive to a specific record, whether that’s an investor or investment or related record that goes along with it,” said David Tebbi, Starwood’s Project Manager and Solution Architect.

Starwood discussed their process of migrating to the cloud, as well as security considerations and solutions, on the webinar “Building Trust in Salesforce through Data Protection & Governance.” Here are some key takeaways.

The Decision Process

“Cloud” is a buzzword, but it’s also a major part of the infrastructure for many modern businesses. The Intel Security report “Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security” showed that 80 percent of all IT budgets would be committed to cloud applications and solutions within 15 months. Another 51 percent of companies with 1,001 to 5,000 employees, however, say that cloud adoption and usage has slowed due to a cybersecurity skills gap. Cloud migration can be a boon for the business when done well — or a liability if not.

When it comes to security, the cloud can be a more secure environment, contrary to popular belief. For one, there’s the ability for any person to access data on premise. In addition, a malicious actor could potentially gain access to a shared drive more easily with an on-premise solution versus the cloud.

Moving to the cloud also has the added benefit of decreased maintenance costs, said David. For its network drive, shared across all its international sites, Starwood managed and maintained all infrastructure. And transitioning to Salesforce was much more convenient, with mobile and anytime, anywhere access, along with excellent authentication and integration with single sign-on providers.

“One of my biggest complaints in a professional environment is all the passwords you have to remember, so one thing we can do more easily with cloud than on-prem is use out-of-the-box SSO solutions,” David said.

Finally, a proliferation of cloud solutions can enable more advanced technology that allows applications to communicate.

“Once the data are available in the cloud, we can start to aggregate them in business intelligence platforms more easily,” David said. “This gives us the ability to take data from Salesforce using their prebuilt connectors, not have to do any of the tough work of integrating, and be able to report on that data and other data from, for example, our accounting platform.”

Yet while the cloud may be more secure than on-prem in certain instances, it’s still a system containing data that must be secured. As evidenced by the Intel report cybersecurity should be top-of-mind for any organization migrating to the cloud or adding cloud capabilities. It certainly was for Starwood, as a financial services firm operating in a highly regulated environment. So how did the firm prioritize data protection once it moved to the cloud?

Data protection and governance in the cloud

Security is prioritized at the highest level at Starwood; according to David, one of the CEO’s first questions was, “How are we securing this data?” And as a private equity firm, it has a responsibility to protect data from investors. This might include everything from tax identifications to personally identifiable information for some smaller investors.

“A lot of that is stored in a secure way that we’re able to show customers as a sign of competence,” he said.

In addition to protecting the data upfront and monitoring and authorizing access and activity, it’s important to protect the data “after the fact.”

“We need to see exactly what happened,” David said. “This may tie specifically into departing employees – did they take any investor data? How can we investigate that?”

Choosing a security vendor

When choosing a security vendor to help monitor Salesforce, seamless functionality was one essential Starwood looked for.

“We didn’t want to have to change our entire process, change links, route people through a different means of access to Salesforce,” said David.

Starwood also looked for the ability to report on any information that gets passed through different tables on a nightly basis. This would help them not only monitor for security, but also usage and adoption. Who’s accessing different records? How much are records being used?

Finally, they looked for security partners that could keep pace with technology. While Salesforce was the initial cloud application they were interested in securing, more companies are also adopting applications like Office 365. Scaling security across cloud applications without the need to implement a new tool for every application is essential to keeping the tech stack lean, effective, and free from as many vulnerabilities as possible.