Cloud Migration Strategy Guide: 7 Best Practices

If you are reading this guide, you are probably planning a data migration from on-premises data storage to a cloud-based platform like Microsoft Office 365, Google Drive (G Suite), or Box. You know it’s crucial to have a secure cloud migration strategy and execution.

You are not alone. Varonis has helped countless organizations prepare to move legacy on-premises data in file shares, NAS, and SharePoint to Microsoft’s cloud using deep insights to avoid migrating legacy issues to your new cloud environment.

Is your Office 365 and Teams data as secure as it could be? Find out with our Free Video Course.

"I was kind of shocked how open the sharing with Teams can be, one mis-click and your data is accessible to anyone on the Internet."

This guide is designed to show you how to use Varonis’ platform and methodology to expedite your migration planning, mitigate risk, and remove the guesswork. Even if you don’t use Varonis, many of the principles in this guide will be helpful in planning your migration:

Basics: What is Cloud Migration
Cloud Migration Strategy Considerations
Cloud Migration Best Practices and Step-by-Step Plan
How Varonis Helps Protect Data Once it’s Migrated

The better your plan, the more successful your migration will be. A solid plan will lower your risk of downtime and ensure your post-migration environment is both secure and easy to maintain.

Quick Review: What is Cloud Migration and What Does a Secure Migration Look Like?

Cloud migration is the process of moving your data (typically files, emails, and applications) from local IT infrastructure that you manage in-house to cloud storage that is managed for you.

Organizations often migrate to the cloud because of the decreased management overhead and flexibility to expand or contract their storage requirements with the click of a button rather than purchasing and decommissioning physical servers in a data center.

Many businesses elect for a hybrid cloud approach: some data stays on-premises, some moves to the cloud–a decision that is usually based on data sensitivity or security policy.

Cloud Migration Strategy Considerations

Migrating data quickly and securely falls squarely on IT’s shoulders. Unfortunately, it can be downright nerve-wracking to move data with little or no downtime, ensure all data is migrated to the correct location, and is accessible to the right people (and only the right people) when it gets there.

Here are some key considerations when planning a migration:

Which data should or shouldn’t be migrated? By excluding stale or obsolete data you can save on storage costs, simplify your migration, and reduce your risk.
How should sensitive data be handled? Many privacy regulations require specific safeguards for personally identifiable information. Also, any critical data such as contracts or intellectual property should be treated with extra care.
How do I ensure the right users have access post-migration? You don’t want to accidentally cut users off from the data they need to do their job. On the other hand, you have to ensure you don’t unintentionally open up access to people who don’t need it.

Cloud Migration Best Practices and Step-by-Step Plan

It’s difficult to build a one-size-fits-all checklist that works for any cloud migration, but this step-by-step guide can serve as a strong foundation. It’s the process we’ve used to guide countless customer migrations.

Inventory and understand your existing data estate
Eliminate stale data from your migration scope
Apply a classification taxonomy to determine migration scope
Remediate excessive access to in-scope data
Assign data owners to sensitive data
Perform entitlement reviews to further eliminate excessive access
Review regulations and data security policies for Office 365
How Varonis helps protect data once it’s in Office 365

Case Study: How a Top U.S. Airline is Making a Worry-Free Transition to OneDrive Thanks to Varonis

“Varonis gave us so much visibility into our network. It’s incredible. We were able to clean up files that we wouldn’t have even known existed, and it definitely aided with PCI compliance.”

1. Inventory and Understand Your Existing Data Estate

One of the biggest IT challenges, even if you’re not planning a massive cloud migration, is gaining full visibility into your on-premises data. Migration projects require a clear and accurate understanding of the nature of the data you hold—the size, relevance, sensitivity, and risk profile as it stands today.

Most organizations don’t realize just how much dark data they have prior to installing Varonis. Many discover SharePoint sites, Exchange mailboxes and public folders, and file shares they didn’t know existed—sometimes with toxic and overexposed regulated information (GDPR, HIPAA, CCPA, etc.).

Building a complete and accurate inventory, establishing a classification taxonomy, and prioritizing data sets are essential steps for a successful migration. Varonis gives you the visibility required to take these steps without heaps of manual work and without relying solely on surveying end-users.

Explore your unstructured data interactively

Varonis helps you get a picture of your unstructured data in disparate systems. The DatAdvantage work area gives you a live representation of your unstructured data estate in an interactive view with context about data sensitivity, size, content type, activity, and more.

Varonis provides a unified view across on-premises and cloud data stores, making it easy to answer:

For any data container — who has access? Is the content sensitive? Is it being used? Is it over-exposed?
For any user or group — what data can they access? How did they get that access? What are they doing with that access? Do they need it anymore?

Migration Decisions Guided by Data

In addition to the interactive work area, Varonis has a suite of reports designed to help you analyze your data estate ahead of your migration.

Varonis reports can help you answer migration questions such as:

Which data sets are most active and will take serious coordination to migrate?
Which department shares are candidates to migrate first?
Which servers contain users’ home drives?

Report 14.a.02, File System Action Items Statistics is a fantastic report to run to assess the readiness of a given server to migrate to the cloud. The report shows the following stats about your file servers and on-premises SharePoint servers:

Using this report, you can quickly get a feel for how much data on the server can be eliminated altogether, how sensitive it is, how consistent the permissions are, and the overall risk profile.

Watch: Setting Up KPI Reports for Data Stores*

*Requires a free Varonis Connect account, which comes with a free trial license of our software.

Some helpful inventory and analysis reports include:

Report 2.a.01, Access Statistics
Report 2.a.02, Statistics by Event Operation
Report 2.a.03, Users with Failed Events
Report 2.b.01, Sensitive Files Statistics
Report 2.b.02, GDPR Files Statistics
Report 2.c.01, File Type Utilization
Report 2.d.01, Activity By Users Other than the Mailbox Owner
Report 2.e.01, Most Active Users per Folder
Report 2.e.02, Users with Most Failed Events per Folder
Report 2.f.01, Event Type Distribution on File Server
Report 2.f.02, Event Type Distribution per User

This is an example of the 2.b.01 – Sensitive File Statistics report. This report exports a list of every file that has classification hits, and the number of hits per file in the far-right column. You can group this report by File Server to determine which locations contain the highest concentrations of sensitive and highly active data.

This is just the tip of the iceberg. Varonis DatAdvantage contains a vast library of useful reports that can help you understand your data more deeply than ever before, helping you make evidence-backed migration decisions.

Watch: How to Get the Most Out of DatAdvantage Masterclass

What about the data I don’t even know about?

Varonis can also help auto-detect file shares that you may not even know existed.

While you’re preparing for your migration, Varonis will use machine learning to build peace-time profiles over hours, days and weeks for every user and device, so when they behave abnormally, you’ll get an actionable alert.

2. Eliminate Stale Data From Your Migration Scope

Because Varonis is actively monitoring all user activity on data—every file open, move, rename, modify, delete—we can confidently identify data that is stale and can be excluded from your migration scope, archived, or deleted.

A quick snapshot of stale data per server is available in the KPI dashboards:

You can drill into each widget to see the trend over time, which can be helpful to measure the progress of stale data removal efforts.

However, most users will want an exportable report of stale data across their entire environment. Varonis has a set of reports to help with that. Report 7.b.01 Inactive Directories by Size will come in handy. Results of the stale data report can be exported to CSV or other formats and fed into another system for action. Once you’ve identified stale data, you can use Varonis’ built-in flags & tags to mark the data as stale and stage it for automatic archival or removal using a policy in Data Transport Engine.

What is considered stale?

By default, Varonis considers data stale if it has not been accessed or modified in the past 180 days (6 months). Accessed means that someone opened the file, modified means that someone saved a change to the file. You can choose to mark data stale using either last access date or last modified date. The default is a combination of both — which is Last Event Date in the interface.

*Requires a free Varonis Connect account, which comes with a free trial license of our software.

3. Apply a Classification Taxonomy to Determine Migration Scope

Determine what sensitive data — if any — you will migrate and create controls around that data to prevent data breaches. Varonis classifies data for PCI, GDPR, HIPAA, CCPA, and many more regulations out-of-the-box, at petabyte scale.

You can also import classification results from other products, such as DLP, and configure custom classification rules to discover intellectual property (IP) and other information that is unique to your business.

Open the Data Classification options dialog in DatAdvantage to configure your scan. In this dialog you can select which rules to enable, file types, taxonomy, scanning priority, and schedule.

Most Varonis customers test a few built-in classification rules on a handful of servers as an initial test and eventually enable more rules to establish a full inventory, rather than guess what kind of data they have.

Varonis’ engine will automatically detect changes to files and re-scan them, which is more efficient than examining every single file daily for changes in its modification timestamp.

Once you know what data you have, you can start to make decisions on security and retention policies.

Depending on your current use cases, privacy requirements, and regulatory responsibilities you might treat classification rules differently. For example, if your company has to comply with HIPAA, you will have to apply a different set of security controls to your HIPAA-tagged data than your PCI-tagged data.

Varonis will tell you which specific rule(s) a file matches (like GDPR, SOX, CCPA), but you can also create custom categories that built-in or user-defined rules can roll up to.

Let’s say your organization has determined, as a policy, that CCPA and GDPR data are sensitive, but “cloud-ready” – meaning that class of data can be moved to the cloud (with protections, of course). However, PCI and PHI is not cloud-ready. You can create an umbrella category called “Cloud-Ready Sensitive” that includes CCPA and GDPR.

Other categories you might want to build, pre-migration map to the policy you plan to enforce once data is in the cloud:

Cloud-Ready No External Sharing
Cloud-Ready No Download

You can take this one step further by applying labels to the files themselves using Varonis’ integration with Microsoft Azure Information Protection (AIP) to enable additional protections like DRM and encryption.

*Requires a free Varonis Connect account, which comes with a free trial license of our software.

4. Remediate Excessive Access to In-Scope Data

One of the biggest challenges in all of data security, regardless of where data lives, is to visualize and remediate overexposed sensitive data. Our global risk report shows that, on average, 22% of all company data is exposed to everyone in the company.

We suggest customers remediate excessive access prior to their migration. With Automation Engine, remediation of hundreds of terabytes of data can be complete in days, not years. Varonis automatically remediates Global Access Groups (GAGs) and Broken Access Control Lists (BACLs) to alleviate two enormous sources of risk quickly and easily.

Global Access Groups are the default groups in Windows systems like Everyone or Authenticated Users. Varonis can detect global access and automatically revoke that access without interrupting users who actively use the data.

Broken ACLs are permissions issues where the permissions on a child folder don’t match the parent and other similar issues. Broken ACLs occur for many reasons, but what you need to know about them for your cloud migration is that just because you move your data to the cloud, it doesn’t mean your data on-premise is safe.

Once you tackle GAG and BACL remediation, you can continue to remove over-permissive access and further refine accurate groups in preparation for your Office 365 migration.

Varonis provides recommendations of users that have permissions to data based on cluster analysis and machine learning, so you can safely revoke permissions without affecting productivity. Use the Review tab in DatAdvantage and the to safely revoke access to over-permissive folders before you move them to the cloud.

This data is summarized in two reports that you can use to work through the recommendations list and remove access:

5.b.01 Recommended Changes on User Repository —this report shows you which users can safely be removed from Active Directory groups
5.c.01 Recommended Changes on File System — this report summarizes recommendations of removal for permissions by file server

Use DatAdvantage to remove and commit any changes you make to permissions. Varonis models possible changes and warns you if you are removing access to a resource that a user needs.

5. Assign Data Owners to Sensitive Data

Varonis’ algorithms are very good at determining who should and shouldn’t have access to data, but it’s a best practice to assign data owners to critical data sets. Data owners can review who has access and make decisions based on business context.

Varonis has a tried-and-true process, using both quantitative and qualitative methods, to a.) determine which data should have an owner and b.) who the owner should be.

The quantitative approach uses file activity to determine the likely owner of a particular file share or SharePoint site. You can right-click on a user and designate them as a data owner directly in the Varonis platform. You can also gather the folder usage statistics in DatAdvantage report 2.a.01.

The qualitative approach uses a Data Owner Survey tool installed by our Professional Services team that automates the process to identify and request acknowledgment from potential data owners. This system tracks responses and automates the process to assign data owners in Varonis. You can also bulk upload data owners from another application if needed.

Our professional services team is experienced in rolling out data governance solutions and integrating these efforts into traditional IAM programs.

Watch: DataPrivilege Masterclass

6. Perform Entitlement Reviews to Further Eliminate Excessive Access

Once you have data owners established, force an entitlement review pre-migration to ensure that they weed out excess access that your automated remediation didn’t tackle.

Varonis DataPrivilege makes it easy for data owners to review and revoke access via entitlement reviews, inspect usage of their data via a self-service portal, and approve/deny incoming access control requests.

You can schedule entitlement views to occur on a monthly or quarterly basis, or kick one off manually before your migration to the cloud. Each data set or department can have a custom review schedule and, when completing a review, the data owner is notified if the folders or sites they are reviewing contains any sensitive or regulated information.

*Requires a free Varonis Connect account, which comes with a free trial license of our software.

7. Review Regulations and Data Security Policies for Office 365

Your organization’s security policies and the regulations your data is subject to will often dictate which features in Office 365 should be enabled or disabled.

One of the most important decisions to make prior to migrating is how data should be shared—both internally and externally.

What will your external sharing policy be?
How will you ensure that policy isn’t violated?
Is it different for sensitive vs. non-sensitive?
Is it different for OneDrive vs. Teams vs. SharePoint?

This topic is covered extensively in our 1-Hour Office 365 Sharing Security Audit video course, led by renowned Microsoft MVP Vlad Catrinescu.

When you complete this course, you’ll be confident that despite all the fine-grained controls Microsoft gives you, your Office 365 sharing settings match your organization’s desired sharing policy.

How Varonis Helps Protect Data Once it’s Migrated

Varonis provides Office 365 users with data monitoring and advanced threat detection and analysis capabilities to protect your data and investment in the cloud.

View reports of all kinds of sharing links and automate remediation if necessary
Continuously monitor permissions and access to SharePoint and OneDrive
Detect cybersecurity threats by monitoring data and email activity, pulling in perimeter telemetry and individual user baselines, and comparing current data to threat models built by security experts to detect malware, ransomware, APT, insider threats, and more
Level-up your Incident Response team with Varonis alerts and context to begin an investigation of potential attacks with actionable data security intelligence
Read: 5 Steps to Office 365 Security with Varonis
Read: Cybersecurity from the Inside Out

Organizations are constantly changing; neither our data nor our infrastructure is static. Data gets old and should be archived or moved to inexpensive storage. Organizations change, too—teams move around, corporations merge and divest, and new businesses are acquired.

In addition to these singular “migration events,” there are requirements to move (or remove) data on a continual basis, like when an organization decides that employees shouldn’t keep music files on the corporate NAS, or when regulations, policy, or legal requirements dictate how and where content is stored.

In all of these situations, planning is essential. To ensure cloud migration success, create checklists, validate them with business stakeholders, and set expectations.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
Download our free report and learn the risks associated with SaaS data exposure.
Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.