How do I move my existing data security controls from On-Prem to the Cloud?

Several cloud vendors offer capabilities that replicate on-premises data security controls in their cloud services, so that data governance and management stay consistent across both environments.

Cloud-native encryption relies on the cloud provider to secure data and is typically offered as the default encryption scheme. Under this approach, the cloud provider generates and owns the keys used to encrypt data at rest in the cloud.

This approach is the easiest to implement and integrates well with other cloud-native services, but it gives customers no control over, or management of, the encryption keys, which carries several security downsides.

Bring Your Own KMS (BYOKMS) is one of the most secure ways to protect keys and cloud data while still integrating strongly with cloud-native services. Under this approach, a key management service that sits entirely outside the cloud provider's platform generates and manages the master keys the cloud provider uses.

The master keys are always stored securely in the customer's off-cloud KMS/HSM. Unlike with BYOK, the cloud provider never has access to the master key.

Bring Your Own Encryption (BYOE) is the most secure way to protect keys and cloud data, but it may limit integration with other cloud-native services.

This approach provides the same level of protection as a data center, with the operational ease and scalability of the cloud. Customers supply all data encryption keys and perform the data encryption themselves in the cloud.
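As an added illustration (not code from this page or from any vendor), the Go program below models the key-handling boundary that the BYOKMS and BYOE descriptions above both depend on: a customer-controlled key service that wraps and unwraps per-object data keys with a master key it never hands out, a cloud store that only ever holds ciphertext plus wrapped keys, and a Destroy operation showing that the customer can make the stored data unrecoverable without the provider's cooperation. Every name in it (CustomerKMS, WrapDEK, CloudObject and so on) is hypothetical, the master key is held in memory purely for illustration where a real deployment would keep it in an HSM, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// mustRandom returns n bytes from the OS CSPRNG; failure here is fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects a destroyed (nil) key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-256-GCM under a fresh nonce (prepended); aad binds the context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or tampered blob fails here.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// CustomerKMS (hypothetical) models a key service outside the provider's
// platform: the master key never leaves it; callers only wrap/unwrap DEKs.
// A production KMS would keep this key in an HSM rather than in memory.
type CustomerKMS struct{ masterKey []byte }

func NewCustomerKMS() *CustomerKMS { return &CustomerKMS{masterKey: mustRandom(32)} }

// WrapDEK and UnwrapDEK are the only operations the KMS exposes; the
// "dek-wrap" tag keeps a wrapped key from being confused with object data.
func (c *CustomerKMS) WrapDEK(dek []byte) ([]byte, error) { return seal(c.masterKey, dek, []byte("dek-wrap")) }
func (c *CustomerKMS) UnwrapDEK(w []byte) ([]byte, error) { return open(c.masterKey, w, []byte("dek-wrap")) }

// Destroy zeroises the master key: every DEK it wrapped, and so every
// object, becomes unrecoverable regardless of what the provider stores.
func (c *CustomerKMS) Destroy() {
	for i := range c.masterKey {
		c.masterKey[i] = 0
	}
	c.masterKey = nil
}

// CloudObject is all the provider ever stores: ciphertext plus a wrapped DEK.
type CloudObject struct{ Ciphertext, WrappedDEK []byte }

// Encrypt runs on the customer side (BYOE): fresh DEK per object, object ID
// bound as AAD, DEK wrapped by the customer KMS before anything is uploaded.
func Encrypt(kms *CustomerKMS, objectID string, plaintext []byte) (CloudObject, error) {
	dek := mustRandom(32)
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return CloudObject{}, err
	}
	wrapped, err := kms.WrapDEK(dek)
	if err != nil {
		return CloudObject{}, err
	}
	return CloudObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK through the customer KMS, then opens the object.
func Decrypt(kms *CustomerKMS, objectID string, obj CloudObject) ([]byte, error) {
	dek, err := kms.UnwrapDEK(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext, []byte(objectID))
}

func main() {
	kms := NewCustomerKMS()
	obj, _ := Encrypt(kms, "records/0001", []byte("constructed sample record"))
	pt, err := Decrypt(kms, "records/0001", obj)
	fmt.Printf("with customer KMS: %q err=%v\n", pt, err)
	kms.Destroy() // customer revokes access; provider still holds the blobs
	_, err = Decrypt(kms, "records/0001", obj)
	fmt.Println("after Destroy:", err)
}
```

The design point is where the trust boundary sits: the provider side (CloudObject) contains nothing that decrypts without a call into the customer's KMS, a second KMS with its own master key cannot unwrap the stored DEK, and zeroising the master key is enough to revoke access to everything it protected. In a BYOKMS deployment the same Wrap/Unwrap calls would be made by the provider's encryption layer against the customer's off-cloud KMS; in BYOE the Encrypt/Decrypt step itself also stays on the customer side.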

For many organizations, Bring Your Own KMS and Bring Your Own Encryption are new approaches that can simplify migrating data to the public cloud and managing multiple cloud data security systems.

Learn more about:

- Bring Your Own Key
- Hold Your Own Key
- Key Management System