Security checklist for migrating on‑premise data centers to the cloud

Q: Is lift-and-shift always insecure compared to refactoring?

Lift-and-shift can be acceptable if combined with strong baseline controls: segmented landing zones, IAM hardening, encryption and logging. It becomes insecure when you copy on-prem weaknesses without adding cloud-native protections.

Q: When should I bring in external migration services or consultants?

Bring in cloud migration services or consultants when you lack specific cloud platform skills, have tight deadlines, or must meet strict compliance. Contracts must clearly define access, security responsibilities and log visibility so you can audit their actions.

A practical security checklist for migração de data center para nuvem starts with strict asset inventory, risk‑based classification and minimization. Then you harden network connectivity, identity and access, and data protection using encryption and key management. Finally, you validate with tests, logging, incident playbooks and clearly defined rollback triggers before any production cutover.

Essential security checklist snapshot

[High] Map and classify all on‑prem workloads and data; remove or isolate anything you do not need to migrate.
[High] Design segmented landing zones, VPN/Direct Connect and security controls with your cloud provider before moving traffic.
[High] Implement strong identity, least privilege, MFA and role separation across cloud and on‑prem directories.
[High] Encrypt data in transit and at rest, define key ownership and rotation, and validate LGPD‑aligned retention.
[Medium] Deploy centralized logging, threat detection and tested incident response for the new cloud perimeter.
[High] For every wave of serviços de migração para cloud computing, define cutover criteria, rollback plans and test scripts.
[Medium] When using any empresa especializada em migração para cloud, bind them to strict security, privacy and access contracts.

Inventory, classification and minimization of on‑prem assets

Checklist de segurança para migração de data centers on-premise para a nuvem - иллюстрация

This checklist fits organisations in Brazil that already run consistent operations in on‑prem data centers and are planning structured migração de data center para nuvem, not ad‑hoc moves. It is most valuable when you have clear ownership of systems and at least basic CMDB or asset lists.

You should not run this full approach when:

[Medium] You are only adopting a single SaaS product and not moving infrastructure or data center workloads.
[High] You are under severe time pressure for a DR event; in that case, prioritise service continuity over full optimisation.
[Medium] A provider is forcing migration but contracts and compliance requirements are not yet clarified.

Initial on‑prem inventory and classification steps:

[High] Build an application‑centric asset list: name, owner, business criticality, data types processed, dependencies.
[High] Identify regulated or sensitive data (LGPD personal data, financial, health, secrets) linked to each workload.
[Medium] Mark technical constraints: legacy OS, mainframe, tightly coupled appliances that may not port easily.
[Low] Add rough performance and capacity information: peak usage patterns, storage footprint, network bandwidth.

Minimisation before migration reduces risk and cost:

[High] Decommission unused servers, databases, test environments and old backups not required by regulation.
[Medium] Archive low‑value historical data to cheaper storage on‑prem or to a dedicated cold tier in the cloud.
[Medium] Consolidate duplicate services (e.g., multiple file servers, monitoring tools) before planning target architectures.

Network segmentation, secure connectivity and perimeter controls

For secure connectivity between your data center and the cloud, prepare these requirements and accesses before any cutover:

[High] Cloud accounts and landing zones aligned with environments (dev, test, prod) and business units.
[High] Network design artifacts: IP addressing plan, VPC/VNet layout, subnet strategy, and on‑prem routing overview.
[High] At least one secure connectivity option: IPsec VPN, Direct Connect/ExpressRoute or equivalent dedicated link.
[Medium] Access to firewall, load balancer, WAF and DDoS protection configurations on both sides.
[Medium] Integration points for DNS, IPAM and certificate management to avoid name conflicts and expired TLS certs.
[Medium] Approval from security and network teams for changes to perimeter rules and internet egress control.
[Low] Read‑only access to cloud native security services used as ferramentas de migração segura para nuvem (e.g., discovery, assessment, firewall recommendations).

When involving consultoria de migração de data center on-premise para nuvem, ensure their engineers receive:

[High] Temporary, audited access to network devices and cloud environments, scoped to migration tasks only.
[Medium] Documentation of current remote access paths (VPNs, jump servers, bastions) and security monitoring.

Risk scenario	Required control	Verification method	Priority
Flat network between on‑prem and cloud allows lateral movement	Segregated VPCs/VNets, security groups/NSGs and strict firewall rules per environment	Review segmentation diagrams and run a network scan from cloud to on‑prem subnets	High
Unencrypted application traffic over public or shared links	Mandatory TLS for all apps, IPsec VPN or private link for hybrid traffic	Packet capture during pilot migration and TLS configuration checks	High
Unexpected exposure of management ports to the internet	Bastion hosts or VPN for admin access, no direct RDP/SSH from public IPs	External attack surface scan and firewall rule review pre‑cutover	High
Shadow services created outside governance	Central landing zone, account vending and tagging policies	Periodic cloud inventory, tag compliance and account review	Medium

Identity, access management and least‑privilege governance

Before executing IAM changes for migração de data center para nuvem, consider these risks and limitations:

[High] Misconfigured federation can lock out admins or expose cloud consoles to the internet.
[High] Over‑privileged service accounts may bypass network segmentation and data protections.
[Medium] Inconsistent identity sources (on‑prem AD versus cloud directory) complicate auditing and LGPD obligations.
[Medium] Aggressive privilege reduction without communication may break critical production workflows.

Step‑by‑step IAM hardening, safe for intermediate teams:

Map all identities and admin paths

List human, service and integration accounts that will touch the new cloud environment, including third parties and any empresa especializada em migração para cloud. Document where privileged actions are performed today (jump hosts, consoles, scripts).
- [High] Identify global admins, root accounts and domain admins across on‑prem and cloud.
- [Medium] Map automation credentials used in CI/CD, backup and monitoring tools.
Decide on identity source and federation

Choose whether on‑prem AD, cloud directory, or a hybrid model will be the primary identity store. Configure SSO and federation using tested, vendor‑supported patterns and avoid custom code.
- [High] Enforce MFA on all interactive admin logins and console access.
- [Medium] Use conditional access (location, device) for high‑risk roles.
Define roles and least‑privilege policies

Create reusable roles (RBAC/IAM roles) that match operational duties: network admin, security admin, application owner, read‑only auditor. Avoid using built‑in super‑admin roles for daily work.
- [High] Split duties so the same person cannot both deploy infra and disable logging or security controls.
- [Medium] For migration waves, create temporary, time‑bound elevated roles that expire automatically.
Secure service accounts and secrets

Move credentials, API keys and certificates to a managed secrets vault instead of storing them in scripts or CI/CD variables without encryption. Use managed identities where supported.
- [High] Replace static keys with short‑lived tokens validated by cloud IAM.
- [Medium] Rotate all privileged passwords and keys before production cutover.
Implement approvals, logging and reviews

Require change tickets or approvals for granting high‑privilege roles. Log all admin actions in a central system and review them regularly, especially during migration windows.
- [Medium] Schedule periodic access reviews with system owners.
- [Low] Provide simple admin runbooks documenting which role is required for which task.
Test IAM scenarios before each cutover

Use a staging environment and a pilot workload to simulate real operations: deployments, incident handling, and emergency access procedures.
- [High] Verify that breaking‑glass accounts work and are stored securely offline.
- [Medium] Confirm that monitoring captures failed logins, role changes and privilege escalations.

Data protection: encryption, key management and data lifecycle

Use this checklist to validate that data security is correctly implemented before and after each migration wave:

[High] All data in transit between on‑prem and cloud uses TLS or IPsec; no plain‑text protocols remain in application flows.
[High] Storage services, databases, and backups in the cloud have encryption at rest enabled with documented key ownership.
[High] Key management follows a clear model: who can create, rotate, disable and delete keys; which keys are cloud‑managed versus customer‑managed.
[Medium] Key rotation schedules are defined and tested, and do not break application connectivity during rotation.
[Medium] Data classification labels (e.g., personal, confidential, public) map to concrete controls such as encryption strength and access restrictions.
[Medium] Data retention and deletion rules comply with LGPD and sector regulations, and are implemented in backup and archive policies.
[Medium] Migration tools and temporary staging buckets used by ferramentas de migração segura para nuvem are encrypted and cleaned up after each wave.
[Low] Cross‑region or cross‑provider replications are documented, including where personal data physically resides.
[Low] Data masking or tokenization is used in non‑production environments that contain copies of production datasets.

Monitoring, logging, incident response and compliance mapping

Common mistakes in this phase and how to spot them:

[High] Relying only on cloud default logs: key audit trails (admin actions, security events) are missing or stored for too short a period.
[High] No unified view: on‑prem SIEM is not integrated with cloud logs, so hybrid attacks go unnoticed.
[High] Incident runbooks ignore new cloud services, meaning the team does not know who is on‑call or which tools to use during an event.
[Medium] Compliance requirements (LGPD, PCI, ISO 27001) are not mapped to specific cloud controls and evidence sources.
[Medium] Alert rules are copied from on‑prem patterns without adapting to cloud behaviours like autoscaling and ephemeral IPs.
[Medium] Critical security findings discovered by providers or consultoria de migração de data center on-premise para nuvem are not tracked to closure in your ticketing system.
[Low] Playbooks are written but never exercised through tabletop or technical simulations.
[Low] Access to logs is too broad, potentially exposing personal data contained in application logs.

Pre‑migration validation, cutover testing and rollback planning

Different migration strategies and when they are appropriate from a security perspective:

Wave‑based re‑hosting (lift‑and‑shift with guardrails) – Suitable when you must exit a data center on a fixed date and cannot redesign every app, but still want improved security baselines in the cloud. Requires strong network and IAM controls plus clear rollback triggers per wave.
Re‑platform with controlled feature adoption – Use when you can modify applications moderately to adopt managed databases or messaging. Offers better security by design (managed patching, built‑in encryption) but needs more testing and staged cutovers.
Strangler‑pattern refactor – Ideal for high‑risk, business‑critical systems. You incrementally move capabilities to cloud microservices while the original system still runs, giving room for progressive hardening and repeated security validation.
Cloud‑only greenfield replacement – Use when legacy systems are too risky or inflexible to move. Security is easier to build cleanly, but data migration and coexistence must be planned with strict access controls and strong rollback or coexistence plans.

Example validation thresholds, tests and rollback triggers:

[High] Threshold: no critical or high security findings remain open for the workloads in a wave before production cutover.
[High] Test case: simulate a credential leak and confirm revocation, logging and alerting work in under a defined response time.
[Medium] Threshold: application latency and error rates under realistic load tests do not exceed agreed SLOs after security controls are enabled.
[Medium] Test case: break simulated connectivity between regions or VPNs and confirm failover and incident handling are effective.
[High] Rollback trigger: integrity or confidentiality of regulated data cannot be guaranteed due to misconfiguration discovered during cutover.
[Medium] Rollback trigger: essential third‑party integration or payment flow fails repeatedly under secure configuration with no short‑term fix.

Common migration security concerns and clarifications

Do I need a full inventory before starting any migration to the cloud?

You do not need a perfect CMDB, but you do need a minimal, application‑centric inventory with data sensitivity and dependencies. Without it, you risk exposing sensitive data, breaking integrations and mis‑prioritising controls such as encryption and network segmentation.

Is lift‑and‑shift always insecure compared to refactoring?

No. Lift‑and‑shift can be acceptable if combined with strong baseline controls: segmented landing zones, IAM hardening, encryption and logging. Insecure lift‑and‑shift happens when you copy on‑prem weaknesses without adding cloud‑native protections.

When should I bring in external migration services or consultants?

Bring in serviços de migração para cloud computing or consultoria when you lack specific cloud platform skills, have tight deadlines, or must meet strict compliance. Ensure contracts clearly define access, security responsibilities and log visibility so you can audit their actions.

How do I avoid data exposure during bulk database migrations?

Use encrypted channels, temporary encrypted storage in the target cloud, and strong authentication on migration tools. Restrict who can access staging areas, and delete or re‑key all temporary artifacts immediately after verification tests succeed.

What is a safe way to handle root and break‑glass accounts?

Create dedicated emergency accounts with strong, unique credentials and mandatory MFA. Store secrets in an offline, tamper‑evident location, use them only for time‑bound emergencies, and log and review all actions taken with these accounts.

Do I have to stop all changes on‑prem during migration?

A full freeze is not always necessary, but uncontrolled changes greatly complicate security validation and rollback. For critical systems, adopt at least a partial freeze with strict change management and clear synchronisation points.

How often should I review access and logs after migration?

During active migration waves, review privileged access and security logs at least daily. Once the environment stabilises, move to a regular schedule aligned with your risk profile and regulatory requirements, keeping automated alerts for high‑risk events.