Three Cloud Migration Myths Putting Organizations at Risk

IT teams make a lot of assumptions about network infrastructure when they’re migrating to the cloud. We dispel some of the myths about cloud DNS.

Cloud migration concept with white clouds and arrows moving toward a blue background representing secure cloud transition
Key takeawaysKey takeaways are generated with AI assistance. Because automated summaries can occasionally contain errors or miss important context, always refer to the full blog post for complete information.

The article summarizes a Cyber Tech & Risk panel discussing common misconceptions about cloud migration and security, emphasizing that organizations often underestimate shared security responsibilities, the architectural differences between cloud and on-premises environments, and the true costs of cloud adoption. Panelists highlighted real-world operational risks such as misconfigured storage (e.g., exposed S3 buckets) and unchecked DNS queries that can create backdoors between internet and intranet, stressing the need for resilient network architecture and adaptive DNS strategies. The key outcome is a call for careful planning, clarified ownership, ongoing funding, and skills readiness before and after a migration to ensure long-term security and operational viability.

What did the panel say about who is responsible for cloud security between providers and customers?

The panel emphasized that cloud security is a shared responsibility: Cloud Service Providers (CSPs) and Cloud Service Subscribers (CSSs) both have duties. CSPs provide the platform and some security controls, but subscribers must correctly configure services, harden hosted operating systems, securely deploy applications, and perform vulnerability assessments. Misconfigurations on the subscriber side—such as leaving Amazon S3 buckets public—have led to data exposures, demonstrating that relying solely on the CSP for comprehensive protection is a dangerous misconception.

Why is it incorrect to treat the cloud as just an extension of an existing corporate network?

Panelists warned that cloud and hybrid environments are fundamentally different from traditional data centers and should not be treated as mere additional servers. In the cloud there is often no clear network perimeter—queries originating in cloud environments can receive privileged access without rigorous pre-checks, creating potential backdoors between internet and intranet. Decentralized, ad hoc network designs reduce visibility and control over internal queries at scale, so migrations require resilient architectures (for example, Adaptive DNS) and explicit plans to retain security and observability.

How does cloud adoption affect costs and budgeting for security over time?

The panel noted cloud migration is an ongoing journey with dynamic costs that can grow as applications and interfaces evolve. While cloud avoids periodic capital refresh spikes typical of on-premises infrastructure, it introduces continual cost uncertainty: new applications, protocols, and integrations drive increased complexity and expenditure. Importantly, securing distributed cloud compute requires additional budget because cloud security responsibilities extend beyond the CSP; organizations must plan long-term funding for administration, security controls, and talent to manage the evolving environment.

Many organizations get so caught up in the promise of the cloud that they overlook the challenges associated with migrating to a new environment, and keeping it secure.

This was the topic of last month’s Cyber Tech & Risk: People in Cybersecurity discussion by Ajay Sood of Symantec, Arani Adhikari of KPMG, Marcos Santiago of TD Canada, and BlueCat’s own Andrew Wertkin.

Together, they broke down the most common cloud migration mistakes they see in the industry.

Falsehood #1: My Cloud Service Provider Will Keep Me Secure

Adhikari, who consults on cybersecurity-related projects for KPMG, told us that customers need to understand “cybersecurity as a joint responsibility for both the Cloud Service Provider (CSP) and Cloud Service Subscriber (CSS).” Those who assume a public cloud provider will comprehensively guard their network as part of their service package risk exposure to avoidable cyber incidents.

Examples of such incidents are easy to find. Some were simply caused by unsecured Amazon S3 buckets (these are like file folders, but in the cloud). The result was exposed voter and customer data at companies like FedEx, Booz Allen Hamilton, and more.

“When an Amazon S3 bucket with sensitive information is exposed, it is not due to any issue on Amazon’s front,” Adhikari explains. “It is due to the misconfiguration of settings that lead to the buckets being public–this is the subscriber organization’s responsibility.”

While Amazon has taken steps to help clients better manage settings on their own end, organizations are not off the hook. Adhikari reminds attendees that organizations are “still responsible for hardening the operating system they host, making sure that the hosted applications are securely deployed, conducting vulnerability assessments on them, etc.” Organizational cloud migration strategies ought to take this into account.

Falsehood #2: The Cloud is an Extension of my Network

During the panel, Wertkin cautioned that the cloud environment – and hybrid cloud environment – is a completely different landscape from the traditional data center. It needs to be treated that way, too. “You’re not in your firewall anymore,” he said. “There’s not a boundary. We’re removing the border between internet and intranet in many, many cases.”

Consider this: DNS queries which come in from the cloud typically get privileged access to the network. Only, there’s no rigorous pre-check for them. The moment those queries enter the corporate network, they’re left to act unchecked. This is because enterprises often build their networks in an ad hoc, decentralized way. That inhibits visibility and control over internal queries in any at-scale, meaningful way.

To build a backdoor between internet and intranet requires a more secure migration plan, you need resilient network architecture (see: Adaptive DNS for cloud). It just isn’t cautious to treat the cloud like a simple additional server on the network.

Falsehood #3: Cloud is Cheaper

Ajay Sood noted that moving applications to the cloud, and data to the cloud, is “a never-ending journey.” While cloud platforms don’t come with the same expense spikes that traditional IT infrastructure demands every few years, it isn’t free of cost guesswork and risk.

“Looking at the number of applications we have now, can we predict where they will be in five or ten years? Every time you need a new application, or any time there’s a new piece of technology, new protocol, or new way of interfacing with your customers or your workers, you’re going to have to adopt that in the cloud. What people don’t often recognize is that the dynamic nature of cloud applications means increased complexity, and it’s also getting more expensive.”

This expanded cost consideration also applies to cybersecurity in the cloud. It isn’t just a CSP’s responsibility. Cloud security isn’t same as on premise security. Securing the sprawling compute in there requires additional budget.

Closing Suggestions

Moving to the cloud isn’t a prerogative, it’s a responsibility. One that requires thoughtful planning and execution. Cybersecurity incidents can occur when network infrastructure becomes disjointed, responsibility for security is fragmented, and long-term funding is absent. Before deciding that applications and services belong in cloud infrastructure, triple-check those factors to ensure they can support your cloud initiative through its lifetime. 

As cloud computing becomes a better understood technology, keep abreast of additional developments in the space. According to Gartner at a recent conference, factors that also need to be considered in a cloud migration (besides cost) include: availability of talent to administer a cloud infrastructure in the context of a likely-diverse environment, organizational politics involved in managing that environment. Learn more about getting your DNS ready for the cloud here.


Published in:


An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

Graphic with text “The shift toward Intelligent NetOps” over abstract network data visualization for DNS and network observab

We bet on Intelligent NetOps two years ago. Infoblox now has too.

With Infoblox acquiring Kentik, BlueCat’s CEO confirms its vision for a single platform unifying DDI, network monitoring, and observability.

Read more
BlueCat and Cisco graphic stating “Get DDI data from BlueCat in Cisco Cloud Control” for AI-driven network operations

BlueCat DDI data boosts Cisco Cloud Control AI-driven operations

BlueCat’s integration with Cisco Cloud Control provides AI agents with access to trusted DDI data for network investigation and remediation.

Read more
Flock of geese flying in formation across a blue sky, framed by a pink graphic border, symbolizing coordinated network migrat

Automate your DDI modernization path by migrating with Micetro

Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.

Read more
Close-up of interlocked metal chain links symbolizing connected network objects and relationships in IPAM

How to map your network with user-defined links in Integrity X

Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.

Read more

📣  Now live: Explore BlueCat Horizon, our SaaS-first Intelligent NetOps platform.