Perspectives on Progress

Building cloud infrastructure to weather any storm

Dynamic Story | 2022

The scale—and importance—of enterprise workloads being migrated to the cloud is rapidly rising. However, failing to factor security and resilience into modernisation projects from day one is raising costs and risks.

Public cloud’s share of enterprise workload hosting is rising fast...

In just three years, public cloud workloads have nearly doubled.

…yet security and resiliency are still an afterthought for many organisations.


The business imperative for agile, scalable operations is pushing more infrastructure onto the cloud, but these modernisation efforts dramatically increase the importance of secure, resilient infrastructure.

Only 45% of CISOs say security is being built into these projects from the outset.


“Disruptions are inevitable. Digital transformation and cloud adoption are leading to an increase in attack surface. Threat actors are becoming stealthier and regulatory compliance requirements are growing more complex.”

Sandeep Parande
Kyndryl Resiliency Practice Leader A/NZ

Best practice #1: Identify your crown jewels

Large, complex organisations often have vast IT workloads. Treating all these workloads the same would mean:


  • Prohibitively high costs to back up all of them
  • Unfeasibly long timeframes to restore backups.


When a major bank approached Kyndryl to help develop a system to protect and restore 70,000 workloads, we reduced that number to less than a thousand—the crown jewels that could harm the bank’s reputation or business continuity if compromised.


Identify your organisation’s crown jewels and prioritise their protection to boost resilience.

Best practice #2: Bring security to the forefront of cloud migration


Too often, security only gets addressed once migration efforts are underway—which can cost your organisation time and money.


Undertaking vulnerability and network assessments during your migration planning phase can help combat this risk, as well as increase functionality and speed modernisation.


  • Examine identity and access management and network protocols
  • Identify how virtual machines are communicating with each other
  • Determine account ownership and access privileges

“Embedding security upfront cuts at least 20% of the time out. If you bring security in post migration, experience shows that could actually double the time needed for the assessment and negatively impact workloads accordingly.”

Collin Penman
Kyndryl Country CISO and Security Practice Leader A/NZ

Best practice #3: Shift from security to resiliency

Too often, security and resilience are lumped together—but the distinction is vital.

While research shows that cybersecurity risk management in Australian financial services firms is improving, cyber resilience still lags behind those firms’ own benchmarks.

15%

Targeted improvement in cyber resilience for Australian financial services firms between 2019 and 2021

1%

Actual improvement

Security is an enterprise’s ability to prevent or reduce the risk of a data breach or malicious activity.


Resilience is how able that enterprise is to respond and recover once damage has occurred.

Best practice #4: Strengthen your disaster recovery plans

Disaster recovery plans are of little use if they can’t be executed effectively under the pressure of a major outage. To minimise this risk, reduce the need to have all key personnel available and executing complex procedures.


One large bank brought us a disaster recovery plan that was 220 steps long and lived on a spreadsheet. We created an end-to-end automated recovery engine that performs the necessary steps for a complete recovery, like shutting down databases, starting workloads, configuring the network, and bringing up systems.


Best practice #5: Adopt RPO and RTO methods

Recovery point objective (RPO) is a measure of how old your most recent backup can be while still enabling normal operations to resume in the event of system failure or data loss.

Recovery time objective (RTO) is the time an application, system, or process can be down before it causes significant damage to the business—plus the time spent restoring the application and its data.

Given that cyber-attackers will often strive to encrypt backups as well, the only way to guarantee an RPO is to use WORM storage: write once, read many. Even with WORM storage, risks remain. After a recent attack, it took a large US credit bureau seven days to work through its WORM backups to find the most recent uncorrupted version.


Pressure on enterprises to deploy agile, scalable infrastructure has never been higher—but neither have the risks from failing to consider and plan for security and resilience from the outset.

Learn more about how to embed security and resiliency in your cloud migration, including five key actions to support secure cloud modernisation.