4 key considerations for a secure cloud migration

ARTICLE | February 16, 2024

Authored by RSM US LLP

The middle market has traditionally taken a slower approach to cloud adoption than its enterprise counterparts. Today, it's a different story: midsized firms are expanding and accelerating cloud adoption plans to avoid getting left behind.

Every cloud journey, however, will eventually run into its share of obstacles. That's especially true when it comes to securing a company's cloud applications, data and infrastructure. To help you anticipate, identify and manage those hurdles, here are four common scenarios along with solutions for turning those challenges into opportunities.

1. Embracing a "better late than never" approach to cloud security


An ideal cloud migration strategy puts security front and center. The reality, however, is that many customers will be deep into a migration journey before they prioritize security issues or consider adopting a cloud security framework. In some cases, security may not have been a concern at all during the early stages of a migration project—that is, until a regulator, insurer or other high-powered stakeholder starts to ask questions.

If your organization is in this position, it makes sense to bring in a third party to help ensure that your shift to the cloud ends up delivering security and scalability. After all, those are two of the top reasons for embarking on a cloud migration project. But you should also consider how this move to the cloud helps meet your broader business objectives and whether your chosen framework can grow and adapt with you.


The first step of an engagement with a third-party advisor is understanding both what it is you need and where you want to go. This kind of holistic approach to cloud security means your digital architecture is more likely to deliver real value, whether that means slimming your tech stack, refining your processes or adjusting your security protocols.

When it comes to the technology, tools and platforms at the heart of your move, you’ll want to choose from the widest possible selection rather than trying to shoehorn your architecture into a one-size-fits-all plan. A flexible, vendor- and platform-neutral technology strategy can be a very effective way to maximize the value and flexibility of your cloud technology investments. Finally, for firms that may be considering cloud security improvements at various points in a cloud journey, it's important to ask whether a third-party advisor has experience working with clients in the middle or later stages of a cloud migration initiative.

2. Adopting secure multi-cloud environments


The same migration challenges can surface when customers move cloud workloads to another vendor's infrastructure. These migrations are often necessary to create a multi-cloud environment—a useful way to manage risk, improve resilience and try new capabilities.

As with other cloud migrations, moving ahead without a suitable cloud security framework can undermine these benefits and introduce new sources of security risk. Security controls, for example, may need to be reconfigured. Or the new vendor may introduce a completely different set of attack surfaces to your cloud estate.


In these cases, experience matters for midsized firms seeking expert cloud security guidance. A veteran team of cloud security experts should have a track record that includes hundreds of similar projects completed for other midsize companies—giving them the ability to find and address unfamiliar and unconventional threats. A world-class cloud security team will also have hands-on experience with a wide range of cloud infrastructure providers, virtualization options, application types and other variables, all of which contribute to their ability to troubleshoot a client's migration efforts and introduce processes for mitigating risk.

3. Working with cloud security standards, benchmarks and assessments


There are a number of industry standards available for midsize firms looking to assess, analyze and improve their cloud security capabilities. Standards-based assessments and performance goals are an important concern for companies in financial services, health care, government contracting and other highly regulated industries. But this is also an important—and often very challenging—area of emphasis for a much bigger group of midsized firms either by choice or necessity.


If your organization is focused on SOC2, PCI, Sarbanes-Oxley and other compliance regimes, you'll want an advisor that can assess current compliance performance and recommend targeted improvements. This includes specific, hands-on expertise with key cloud security industry standards, including:

  • ISO27001 (Information security management system guidelines)
  • OWASP Top 10 (web application security risks)
  • NIST 800 Series (secure cloud migrations; secure cloud services)
  • CIS Benchmarks (cloud infrastructure hardening)
  • PCI-DSS (credit card data and payment processing)

An experienced cloud security team can work with your firm to design custom assessments that integrate best practices, reference designs, benchmarking tools and other elements from these and other sources. The resulting process can be a highly effective way to align a standards-driven assessment with a customer's specific priorities and pain points. It can also uncover gaps or performance improvements that a cookie-cutter assessment process is likely to overlook.

4. Cost optimization that doesn’t compromise security


Organizations were forced to jump into the cloud in 2020 to keep employees connected and business moving forward at the outset of the COVID-19 pandemic. Out of necessity, speed was prioritized over strategic planning. Now the mounting expense of data storage is prompting many leaders to reevaluate those choices. But in the quest for cost optimization, it’s essential that you don’t lose sight of the security fundamentals. Luckily, there are ways to streamline your approach and rein in costs without increasing risk.


Cost optimization is another area where it's essential to work with an advisor that has direct and extensive experience with your firm's specific industry sector. Armed with this experience, an advisor can recommend a customized approach that allows your firm to optimize costs without exposing your data to additional risk. This approach to right-sizing your cloud architecture typically includes:

  • Keeping cost optimization front and center. Your budget matters, and the right team of advisors should work to ensure that your cloud capabilities can scale up and down as needed to keep resources aligned with requirements. In many cases, this will involve finding savings by identifying things like duplicative technology or adjusting storage utilization.
  • Balancing flexibility and functionality. A third-party advisor should also give you an exceptional degree of freedom to choose the platforms, tools and capabilities for your cloud migration. This is yet another area where a qualified advisor will have experience working with different cloud technology combinations—ensuring that customers know what works and what doesn't so they can choose accordingly.
  • Putting customer choice ahead of vendor focus. Part of the value of working with a third party is getting honest advice and opinions. An advisor with strict product and vendor neutrality policies will be free to support customers with the right solutions and unbiased guidance.
  • Saying "yes" to customer requests. Even advisors with extensive experience helping midsized firms succeed in the cloud can expect to see requests for capabilities, customizations, toolsets and other elements they've never built or implemented before. Many consultants routinely turn down these requests or make them prohibitively expensive, but it's imperative to work with an advisor that looks for ways to say "yes" to these requests whenever they can.

This article was written by RSM US LLP and originally appeared on 2024-02-16.
2022 RSM US LLP. All rights reserved.

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.