Cloud migration
security: why it
works when the
architecture is right.

The Security Case for Cloud Is Real, but Conditional

Major cloud providers run some of the most scrutinised infrastructure on the planet. They employ dedicated security teams numbering in the thousands. They encrypt data at rest and in transit by default. They patch vulnerabilities faster than most internal IT teams can schedule a change window. Their physical security, network segmentation, and redundancy capabilities exceed what all but the largest enterprises can build on premises.

For most organisations, this represents a genuine security uplift. Running your own data centre means owning every layer of the stack: physical access, hardware lifecycle, OS patching, network security, application controls, and identity management. Few organisations do all of these well simultaneously, and the ones that struggle most are typically mid-market businesses with constrained security teams and ageing infrastructure.

But this security uplift is conditional. Moving workloads to AWS, Azure, or GCP does not automatically fix weak access controls, poor network segmentation, or missing logging. It changes where those problems live. And in some cases, it makes them harder to see.

Where Cloud Security Actually Fails

When cloud environments get breached, the root cause is almost never a vulnerability in the provider's infrastructure. Gartner has predicted that 99% of cloud security failures will be the customer's fault. Research consistently shows that more than 60% of cloud security incidents stem from customer misconfigurations, not provider-side weaknesses.

The most common failure patterns are predictable:

• Misconfigured storage and services. Public-facing storage buckets, overly permissive security groups, and default settings left unchanged. Cloud environments prioritise flexibility, which means defaults are rarely secure.
• Weak identity and access management. Over-provisioned accounts, lack of multi-factor authentication on privileged access, and service accounts with broad permissions that no one reviews.
• Insufficient logging and monitoring. Organisations migrate workloads but do not enable cloud-native logging, or they enable it and never build the detection logic to act on it.
• Misunderstanding the shared responsibility boundary. Assuming the provider handles security controls that are actually the customer's responsibility. This is the single most dangerous assumption in cloud security.

None of these are reasons to avoid cloud migration. They are reasons to invest in getting the architecture right before, during, and after the move. A well-governed cloud environment with proper configuration management is measurably more secure than a neglected on-premises setup. But a poorly governed cloud environment can be worse, because the attack surface is internet-facing by design.

The Shared Responsibility Model: What It Means in Practice

Every major cloud provider operates on a shared responsibility model. The concept is simple: the provider secures the infrastructure (security of the cloud), and the customer secures their workloads, data, and configurations (security in the cloud). In practice, the boundary is less clear than the diagrams suggest.

The split depends on the service model:

• Infrastructure as a Service (IaaS): You manage the most. The provider handles physical infrastructure, virtualisation, and network fabric. You are responsible for the operating system, middleware, applications, data, and all identity and access controls.
• Platform as a Service (PaaS): The provider takes on operating system and middleware management. You still own the application logic, data governance, and access controls.
• Software as a Service (SaaS): The provider manages nearly everything. Your responsibilities narrow to user access management, data classification, and configuration of the security settings the platform exposes.

The practical risk is that many organisations assume they are getting SaaS-level coverage when they are operating at IaaS or PaaS level. This mismatch creates gaps. If your team believes the provider is handling patch management but you are running IaaS workloads, those systems are going unpatched. If your team assumes the provider monitors for threats but you have not configured detection rules, no one is watching.

Before any migration, map out exactly which controls belong to your organisation and which belong to the provider. Document this. Review it with your security architecture team. Make the boundaries explicit in your operational runbooks, not just in a slide deck that gets presented once and forgotten.

What a Secure Cloud Migration Looks Like

A secure cloud migration is not a lift-and-shift exercise with security bolted on afterwards. It is an architectural decision that should embed security from the start. Organisations that treat cloud migration as a pure infrastructure project, led by IT operations without security input, consistently end up with configuration debt that takes years to remediate.

Here is what good looks like in practice:

Start with identity, not infrastructure

Identity is the new perimeter in cloud environments. Before migrating workloads, establish your identity architecture: federated authentication, role-based access control, privileged access management, and service account governance. If your on-premises Active Directory is a mess, migrating it to the cloud will produce a cloud-scale mess. Clean it up first, or architect around it.

Codify your security controls

Cloud-native security works best when controls are defined as code, not configured manually through a console. Infrastructure as Code (IaC) combined with policy-as-code frameworks lets you enforce security guardrails consistently across environments. This approach, sometimes called DevSecOps, shifts security controls into the development and deployment pipeline rather than relying on manual reviews after the fact.

Build logging and detection from day one

Enable cloud-native logging services from the moment your first workload goes live. Configure alerting for high-risk events: privilege escalation, configuration changes to security groups, access from unexpected locations, and API calls from service accounts outside normal patterns. Logging without detection logic is just storage. If your organisation lacks the internal capability to build and maintain cloud detection, a managed SOC with cloud expertise can close that gap.

Govern configuration continuously

Cloud environments change faster than traditional infrastructure. A storage bucket that was private yesterday can be made public today with a single API call. Cloud Security Posture Management (CSPM) tools continuously assess your configurations against security baselines and flag drift. Gartner expects that by 2026, 60% of organisations will prioritise cloud misconfiguration prevention, up from 25% in 2021. The organisations that start this governance early avoid the remediation debt that comes with retrofitting it later.

Test before and after migration

Run a security assessment of your target cloud architecture before migration, not just after. Pre-migration architecture reviews catch design-level issues, such as overly flat network designs, missing segmentation, or identity models that will not scale, that are expensive to fix once workloads are running. Post-migration, cloud-specific security audits validate that what was designed is what was actually deployed.

Australian Considerations: ASD Guidance and Data Sovereignty

Australian organisations have specific regulatory and guidance frameworks to consider when planning a cloud migration.

The Australian Signals Directorate (ASD) publishes comprehensive cloud security guidance that covers provider assessment, service evaluation, and ongoing monitoring. The ASD recommends a structured approach: assess the cloud provider and its services, assess your own systems and data sensitivity, make shared responsibilities explicit, and then monitor continuously with reassessment at least every 24 months.

For organisations handling sensitive data, the ASD recommends prioritising cloud providers that are located in Australia and operated under Australian jurisdiction. This is not just a compliance checkbox. It affects which legal frameworks govern your data, how incident response and law enforcement cooperation works, and whether your data can be compelled for disclosure under foreign legislation.

The ASD Blueprint for Secure Cloud provides practical configuration guides and templates aligned with the Information Security Manual (ISM). For organisations migrating to Microsoft 365 or Azure, the Blueprint offers a credible starting point for secure configuration that aligns with Australian government expectations.

Regulated industries face additional requirements. Financial services organisations operating under APRA CPS 234 must ensure their cloud arrangements meet information security capability requirements, including for material service providers. Organisations pursuing Essential Eight maturity should verify that their cloud architecture supports the required controls, particularly around application control, patching, and privilege restriction, which can behave differently in cloud environments than on premises.

What to Do Next

If your organisation is planning a cloud migration, or is mid-way through one and concerned about security gaps, the most valuable step is an honest assessment of where you stand. Not a sales pitch. A clear-eyed look at your current architecture, your shared responsibility boundaries, your identity posture, and your configuration governance maturity.

The organisations that get cloud security right are the ones that treat it as an architecture and governance challenge, not a technology procurement exercise. Cloud providers give you powerful tools. Whether those tools make you more secure depends entirely on how well you use them.

Cliffside's cloud security and security architecture teams work with Australian organisations across financial services, government, and critical infrastructure to design cloud environments that are secure by design, auditable by design, and compliant by design. If you want an honest conversation about your cloud security posture, start with a Lighthouse Assessment.