When a client migrates to Microsoft 365 or Google Workspace, the instinct is to declare victory once emails are flowing, files are accessible, and users are productive again. The project feels complete. Except it isn’t, because security didn’t make the trip. And this is a more common mistake than many are willing to admit.

“Cloud migrations are treated as a data transfer exercise—mailbox move, files sync, users log in, and everything appears successful,” said James Cassata, Cloud Security Architect at Myriad360. “However, security doesn’t migrate with the data. The policies, controls, and visibility that are from the legacy environment require deliberately rebuilding, and too often they aren’t.”

That gap between being operational and being secure has a name. Cassata calls it a “quiet risk window”—the period immediately after cutover when the organization is fully live in the cloud but still running on default security settings.

The quiet risk window attackers count on

Attackers know this window exists—and they plan for it. “Cutover is the finish line for the migration team and the starting gun for attackers,” said Brian Behe, CTO of RIIG Technology, whose background includes work supporting U.S. Cyber Command, the NSA, and the U.S. Air Force. “Until policies are re-established, access is validated, and monitoring is rebuilt, you are live before you are secure.”

This window creates real opportunity for exploitation, which is why MSPs need to treat the immediate post-migration period as a high-risk phase, not a cooldown lap.

What gets left behind after cutover

The list of security configurations that fail to migrate is long—and consequential. Drew Miles, CISA, Global Leader of Risk & AI Governance at a stealth-stage AI technology company, cited the most common gaps: conditional access policies that must be rebuilt tenant by tenant; MFA gaps on service accounts, shared mailboxes, and super admins; audit log retention that requires explicit configuration; legacy authentication protocols temporarily re-enabled for migration and never turned off; inbox forwarding rules; and overly permissive default sharing in SharePoint and Google Drive.

Martin Summerhayes, Head of Managed and Support Services at UK-based MSP Northdoor, said the problem is often compounded by a common client misconception.

“The objection we hear most often is, ‘We’re already paying for Microsoft 365—isn’t security included?’” Summerhayes said. “The honest answer is: the tools are included, but the configuration isn’t.”

That misunderstanding is something MSPs are routinely left to correct—often after the migration is complete.

When legacy security knowledge disappears

Sayali Patil, AI Infrastructure Reliability Specialist at Splunk, pointed to another layer of risk that rarely gets discussed: undocumented legacy security.

“The security configuration that existed on‑premise was never formally documented,” Patil said. “It accumulated over years through tribal knowledge, one-off firewall rules, and permissions granted for projects that ended long ago. When the migration happens, none of that context travels.”

Patil added that the first 90 days after a cloud migration consistently produce a spike in observable anomalies—yet almost nobody is watching. SIEM tools that monitored the old environment often have no visibility into the new one because that integration was scoped for “phase two.”

Todd Crotts, Chief Technology Officer at Managed Services Group, said audit logging is one of the most overlooked gaps.

“Logging is one of the bigger misses. The highest-risk period is right after cutover—that’s when misconfigurations, over-permissioning, and token issues surface,” Crotts said. “If logging and monitoring aren’t there, you’re blind when you shouldn’t be.”

He also highlighted the compliance impact MSPs sometimes underestimate. “If regulated data moves and controls aren’t in place at cutover, the organization is immediately out of alignment. HIPAA, NIST, cyber insurance—it all applies right away.”

Resilience doesn’t begin at the firewall; it begins at migration. An MSP that builds immutable, cloud‑to‑cloud backup and tested recovery procedures into every migration isn’t just checking a security box. They’re ensuring business continuity when the inevitable breach or outage occurs.

How MSPs close the gap—from day one

Across the board, experts agree: security hardening cannot be a follow-on task. It has to be part of the migration itself.

“Stop treating migration and security hardening as two separate projects on two separate invoices,” Miles said. “The security configuration is the migration.”

Peter Bellini, CEO of ConnectSecure, put it more plainly. “It’s like moving into a new house. Everyone’s focused on getting the furniture inside, but nobody remembers to lock the doors, windows, or set up the security system.”

Ben Potaracke, Vice President of Information Technology at Locknet Managed IT, framed the timing issue bluntly. “The post-migration window is the ‘Golden Hour’ for cybercriminals. While the MSP is verifying that files moved correctly, security configurations are often sitting at default. Hardening has to be a day-one task—not a day-30 task.”

Turning migration into a security discipline

Summerhayes described how Northdoor structures every cloud move in three phases: a pre-migration assessment to address data governance and clean up over‑permissioned accounts; parallel hardening during migration, with MFA enforcement, conditional access policies, legacy authentication disabled, and audit logging live at cutover; and active monitoring through the first 30 days, ideally backed by managed detection and response from day one.

Patil added that monitoring during this window should focus on specific signals, including impossible travel events, unusual OAuth app consents, and first-time access from unfamiliar IP ranges.
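As an added illustration (not code from the article or from any vendor quoted in it), the sketch below checks a batch of sign-in records for two of those signals: impossible travel and first-time access from an unfamiliar IP range. The record layout, the per-user baseline, the /24 grouping and the speed and distance thresholds are all assumptions, and the sample data is constructed.

```python
import ipaddress
import math
from datetime import datetime

# Constructed sign-in records (not real tenant logs): user, UTC time, IPv4, lat, lon.
SIGNINS = [
    ("alice", "2024-05-01T08:00:00", "198.51.100.10", 40.71, -74.01),  # New York
    ("alice", "2024-05-01T09:30:00", "203.0.113.77", 51.51, -0.13),    # London, 90 min later
    ("bob",   "2024-05-01T08:05:00", "198.51.100.23", 40.71, -74.01),
    ("bob",   "2024-05-02T08:10:00", "198.51.100.99", 40.73, -73.99),
]
# Assumed baseline: ranges each user signed in from before cutover.
KNOWN_RANGES = {"alice": ["198.51.100.0/24"], "bob": ["198.51.100.0/24"]}
MAX_KMH = 900  # assumed ceiling, roughly airliner cruise speed
MIN_KM = 100   # assumed floor so nearby geolocation jitter is ignored

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect(signins, known_ranges, max_kmh=MAX_KMH):
    """Return (user, signal, ip) alerts in time order."""
    alerts, last = [], {}
    seen = {u: [ipaddress.ip_network(n) for n in nets] for u, nets in known_ranges.items()}
    for user, ts, ip, lat, lon in sorted(signins, key=lambda r: r[1]):
        when = datetime.fromisoformat(ts)
        addr = ipaddress.ip_address(ip)
        nets = seen.setdefault(user, [])
        if not any(addr in n for n in nets):
            alerts.append((user, "new_ip_range", ip))
            # Remember the surrounding /24 so the same range alerts only once.
            nets.append(ipaddress.ip_network(f"{ip}/24", strict=False))
        if user in last:
            prev_when, plat, plon = last[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            # Flag when the implied speed between consecutive sign-ins is not plausible.
            if km > MIN_KM and (hours <= 0 or km / hours > max_kmh):
                alerts.append((user, "impossible_travel", ip))
        last[user] = (when, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in detect(SIGNINS, KNOWN_RANGES):
        print(alert)
```

Without a pre-migration baseline, every first sign-in in the new tenant raises `new_ip_range`, so the known ranges need to be captured before cutover for the signal to be useful.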

Miles recommended that MSPs establish a pre-migration security baseline, use CIS benchmarks or Secure Score thresholds as a project gate, explicitly disable legacy authentication, conduct 30‑60‑90 day hardening reviews, and include cloud‑to‑cloud backup in every engagement.

Anar Israfilov, CISO at Cyberoon and an IEEE Senior Member, summarized the mindset shift required.

“The most common approach to cloud migration is completing the move before determining whether sufficient security controls are in place,” Israfilov said. “The most vulnerable point in time for your data is immediately after migrating. It’s when everything appears operational, but security has not caught up.”

Behe put it most directly of all: “Cloud migration doesn’t carry your security posture with it. You have to rebuild it.”

Photo: Osman Temizel / Shutterstock


Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
