How to Keep PII Secure while Migrating Users to the Cloud

Organisations are increasingly leveraging the benefits of the cloud to support employee productivity and IT efficiencies, while also delivering more compelling user experiences to their external customers and partners. Yet migrating these various users to new cloud systems can be fraught with challenges, particularly when it comes to securing highly regulated personally identifiable information (PII).

According to GDPR regulators, “personal data” or PII is classified as any information “related to an identified or identifiable natural person”—which in practice could mean anything from an account number to an IP address.

IT and cybersecurity chiefs must plan their migration strategy carefully, with plans for mitigating security gaps and minimising user friction.

What are the risks?

Cloud migration can be a daunting prospect—especially given the complexity of modern hybrid IT environments—and user identity sits at the heart of the challenge. Hackers are increasingly focusing their efforts on users and their passwords rather than IT infrastructure, so a high level of security is key to safeguarding PII.

If attackers gain access to passwords, they can circulate the PII on the dark web, making it available for a wide range of follow-up attacks. Breaches of this sort can severely damage corporate reputation, costing millions in clean-up and remediation, regulatory fines, and possible legal costs. These types of attacks are on the rise. According to Javelin Strategy and Research, cyberattacks reached an all-time high in the US in 2017, affecting 16.7 million consumers and generating $16.8 billion in losses.

Consider PII when choosing your migration method

To reduce the potential for an expensive breach, securing PII and creating a seamless user experience should be your top priorities as you plan and implement your user migration. Some migration solutions prompt you to open firewall ports or database access to third-party cloud systems, which can add security risk and complexity. When outlining your path to migration, look for tools and methods that protect your employee and customer data.

Here are some of the migration methods to consider as you develop your strategy:

Bulk import

This approach has the advantage of pre-loading all user profiles onto your cloud service before the go-live date, giving you time to iron out any potential issues. There are two types of bulk import:

  • CSV import: This can be done from any system able to export in CSV format. However, it’s not ideal for large migrations as passwords can’t be imported, creating major friction for users who will need to reset their credentials.
  • User management API: This is probably the least disruptive import method as it lets administrators create passwords for newly onboarded users. You can do this by importing hashed passwords, or via a hybrid live migration whereby user identity attributes are bulk imported but passwords are set on their first login.

Just-in-time (JIT) provisioning

This methodology can streamline processes by only creating new users if they aren’t already registered on the system. However, it can cause delays if large numbers of users try to log in at once. There are three basic methods:

  • JIT inbound federation: uses any SAML 2.0-supported application or social provider to sign in.
  • JIT from existing database: uses user management APIs and a custom login page. Once a user is authenticated, a profile is created using their credentials and a password is provided.
  • JIT from existing database with delegated authentication: allows you to keep your local user system of record, and use cloud authentication at the same time. Profiles are imported from a local user store and can be enriched using an inline import tool. Credentials can be stored locally even after migration.
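The hybrid live migration from the bulk-import list and the JIT-from-existing-database flow above, as an added example that is not from the original article and does not use any vendor's API. The `CloudDirectory` class, the salted SHA-256 legacy format, the sample record and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib, hmac, os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the new store

def legacy_hash(password: str, salt: bytes) -> str:
    """Assumed legacy scheme: one round of salted SHA-256."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def new_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def constructed_legacy_db() -> dict:
    """Constructed sample record standing in for the on-premises user store."""
    salt = b"legacy-salt-0001"
    return {"alice@example.com": {"name": "Alice", "salt": salt,
                                  "hash": legacy_hash("correct horse", salt)}}

class CloudDirectory:
    """Hypothetical stand-in for the cloud user store."""
    def __init__(self):
        self.users = {}

    def bulk_import(self, legacy: dict) -> None:
        # Pre-load identity attributes only; no password material leaves the legacy store.
        for login_id, rec in legacy.items():
            self.users[login_id] = {"name": rec["name"], "cred": None}

    def login(self, legacy: dict, login_id: str, password: str) -> bool:
        user = self.users.get(login_id)
        if user is None:
            return False
        if user["cred"] is not None:  # already migrated: verify against the new hash
            salt, stored = user["cred"]
            return hmac.compare_digest(stored, new_hash(password, salt))
        rec = legacy.get(login_id)  # first login: verify against the legacy hash
        if rec is None or not hmac.compare_digest(
                rec["hash"], legacy_hash(password, rec["salt"])):
            return False
        salt = os.urandom(16)
        user["cred"] = (salt, new_hash(password, salt))  # password is set on first login
        del legacy[login_id]  # retire the weaker legacy credential once migrated
        return True

if __name__ == "__main__":
    legacy, cloud = constructed_legacy_db(), CloudDirectory()
    cloud.bulk_import(legacy)
    print(cloud.login(legacy, "alice@example.com", "correct horse"))
```

A failed first login leaves both stores unchanged, so a wrong guess never creates a cloud credential.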

Make sure you’re choosing the option which best fits your existing architecture, users and organisation. This is the surest way to a seamless user experience that keeps PII under lock and key.

Keep PII top of mind

Once you’ve chosen your migration method, be sure to plan well ahead. Many migration failures—which can put employee and customer PII at risk—come about because the migration is not tested often at every phase of the project. Multiple rounds of testing that cover as many scenarios as possible are vital to help you identify any problem areas before migrating the majority of your user base. In terms of security, don’t fall back on what feels easy, like migrating user data in plain text. Take the time to encrypt, hash and protect PII.

If you’re planning a cloud migration and want to ensure your organization’s user data is protected throughout the process, Okta can help. Check out our Okta User Migration Guide infographic for more information.