Expert Tips for Your Business Cloud Management Strategy
Security, education and managing the sprawl are what the cloud computing experts want you to consider for your business cloud management strategy.
We asked some of the top tech pros in the business, as well as business owners who have found success working with cloud platforms for insight into cloud management as we close out 2022 and look ahead to 2023.
There was no argument that cloud computing offers powerful business solutions, scalability and secure data storage. Our experts were excited to share their thoughts and tips on how best to utilize cloud computing, prepare for migration, equip staff for changes, secure your data and what to expect in the future.
[Answers have been edited for length and clarity.]
Set Yourself Up for a Successful Migration
If you haven’t already migrated to a cloud platform, there is work to be done. David Colebatch, CEO of Tidal Migrations boils it down to three key points:
1. Architect for scale
Arm your teams with self-service requests for cloud accounts and subscriptions. Treat accounts as a billing and security construct that allows you to assign budgets to each project team. When they're done with their project, simply shutdown the accounts. This is how you can limit sprawl while also empowering teams to be self-service.
2. Inventory all the things
Create a single-pane-of-glass inventory for all your applications, both on premises and in the cloud. Change is a constant, yet many enterprises lack the data driven insights about their applications and where components need to be upgraded or replatformed to run more efficiently. Identify your application owners, analyze their source code and architectures and drive cloud-native architectures.
3. Consolidate your IP addresses across clouds and on-premises
Sprawl is hard to measure if you don't have a consolidated inventory of IT assets to begin with. Consider adopting modern tools, like the Tidal LightMesh IPAM solution to create a consolidated inventory of all your IP addresses across AWS, Azure and Google - as well as on-premises.
“1 . Establish business outcomes to why you are going to the cloud
A cloud migration simply for the sake of doing a cloud migration can be fraught with unexpected challenges. Without any defined outcomes and guardrails, you risk underestimating the spend – leading to stalling – before any reasonable migration gets off the ground.
Before you move anything, know why you are moving it, what the transition plan is, alignment across key stakeholders and the agreed upon results you are looking to achieve. A successful migration must drive tangible business outcomes over an established timeframe with well-defined phases. Start by defining acceptable phased solutions to potential challenges and headwinds. For example, does your organization have difficulty in accessing and sharing data as needed? How secure are the application resources and the related data, which is stored, and do you have the ability to scale on storage based on needs?
In essence, drive the migration based on how you can drive efficiencies, enable cloud applications roll-out and have the ability to scale based on needs to manage investments. With a clear purpose, you can implement the appropriate strategy and framework that will get the best results and minimize the risk of your cloud migration running off the tracks.
2. Underpin the migration with automation
Automation of SaaS and IaaS can better optimize cloud architectures for cost, security, operations, performance and availability. It is ideal, considering the ever-changing resources of the cloud and the ability to do more with a swift update. It accelerates the ability to leverage better resources with the lowest risk for change with optimized costs.
3. Create a dedicated cloud solutions and engineering center of excellence
Cloud solutions and engineering centers of excellence are a great asset for keeping your cloud migration on track. It can help re-align cloud and on-premises efforts, and offer greater visibility during the migration and the actual running of the cloud once it is stood up. It formalizes all the best practices outlined above into something you can act on”
Be Patient with the Implementation Procedure
"Just because you're using cloud computing to make your company more agile doesn't imply you should rush through the implementation process. Implementing changes more quickly may increase the risk of overburdening yourself and your team. Instead of making sweeping changes across the board, it may be more manageable to focus on just one or two areas of the business that could benefit from some tweaking and see how they fare with the help of cloud computing.
Initially, introduce strategy implementation and suitable adjustment over time. As soon as you feel comfortable, you should shift your focus to other areas of your business where the utilization of this functionality and capabilities might be beneficial.”
Training for Cloud Technology
To ensure you are creating an environment where employees feel comfortable with your processes (which will help with buy-in and compliance,) training is essential.Todd Graham, Vice President of IT Operations at ScanSource, recommends an instructor-led approach in addition to helping your staff get certified.
“The journey to the cloud is in full swing and organizations are implementing key IT strategies from hybrid to full cloud migrations. Cloud has transformed what we do in IT, and the business continues to move at an incredible pace. The cloud options are numerous and changing rapidly, so staff must be ready, not only for one cloud provider, but multiple.
For IT departments to be successful in supporting their business partners, we need to be ready for the network to come and should be preparing our organizations to have a technical edge, both personally and professionally. This preparedness comes from developing a robust cloud training, covering security, virtualization, cloud networking, DevOps, and cost management. Each cloud platform is different, and understanding their features and functions will be key, especially given the technical intricacies. We recommend the following training pathways:
Instruction Approach: Instructor-led training, whether in person or virtual, is the best approach where real interaction takes place between the instructor and student. Peer group discussions are also a great way to learn where IT professionals can share real-world experiences in their success and failure in the cloud. Self-study and improvement should always be a mainstay in the IT environment and part of continuing education.
Certification: Certifications like security and cloud fundamentals should be a part of cloud training. However, each individual learns differently and the path to certifications should be part of an employee’s career path discussion.”
Of course, once you have implemented a business cloud strategy, you have to manage it. “Cloud sprawl” means you have more data than you can track or manage effectively. Avoiding it should be part of your plan.
“By nature, SaaS collaboration systems enable open and rapid sharing and collaboration. This can accelerate and transform productivity within and across organizations, but with systems as dynamic as Microsoft 365, Google Workspace, Salesforce, and others, it is important that operations, security, and compliance teams can keep up with their oversight and management responsibilities. Sprawl is the enemy of governance and administration. At its core, sprawl just means more than the team can effectively manage.
Organizations should look to how they can apply time-tested and forward-looking concepts like data ownership, workspace and content classification, access reviews, and automated lifecycle management to make sure the pace of innovation and transformation within organizations can move forward without increasing risk. They should also pay special attention to how to leverage cross-organizational external collaboration capabilities (which can especially accelerate business velocity) while enhancing security and compliance at the same time. It is possible, but requires extensive planning and a good understanding of the features and limitations provided by first party services.”
"The mass cloud migration of IT systems has created an illusion of maturity for the cloud computing industry. In reality, many businesses are struggling to keep up with this accelerated growth and complexity. For those looking to be cloud environment ready in 2022, there are a few steps to keep in mind.
Consider vertical clouds.
Rapid market evolution has pushed businesses to rethink their approach to the cloud, resulting in the expansion of verticalized clouds as organizations seek to build ecosystems that fit their specific needs. Cloud enterprise customers have learned that industry cloud use means they can reduce the resources required for certification and compliance, and can enjoy smooth data transfers in available zones, thereby increasing business opportunities.
Expand your data protection services.
The benefits of vertical clouds, while many, in no way mitigate a company’s data protection responsibilities. Varying and increasing customer expectations means an enterprise intent on using cloud must continue anticipating and servicing those needs, such as offering Multi Factor Authentication and Modern Data Protection services. This is also an opportunity to do things that aren’t possible on-premises. Maybe immutable storage is out of reach in your data center – it is easier than ever in the cloud. Same for offline retrieval storages – cloud archive-class storage offerings make this easy. You never want to have to balance compliance and recoverability with the cost of a cloud solution.
Align your cloud plans with your vendors’ resources.
As organizations move to a multi-cloud environment, they should be pushing their vendors to provide a single platform or dashboard. The last thing you want is to end up in silos. Companies should attempt to work off a single dashboard for monitoring and reporting, so they get a consistent view of the business.
Managing how you use the cloud for your business is key to avoiding sprawl and cloud waste or duplication of services. Careful monitoring also has implications for security and that needs to be a shared responsibility. Jeff Martens, Co-Founder & CEO at Metrist, Inc. explains:
Evaluate your monitoring strategy and ensure you have coverage of your cloud dependencies. Third-party, cloud-hosted dependencies have become a major source of downtime. When teams fail to include direct monitoring of cloud dependencies, they often spend the first 10-20 minutes of an incident trying to answer the question of "is it us or is it them?" Setting up your own monitoring is critical because status pages tend to only report on the most severe and broad-reaching outages, while other issues go unreported despite impacting customers. Just today, Github was failing for some users across North America, with complaints landing on Hacker News and other online communities, but their status page was never updated.. Stripe, AWS, and CircleCI are all recent examples of dependency failures that took down their customer's apps.
"Sprawl goes hand in hand with visibility and control. You need to have visibility into the sprawl. You need to have distributed controls so the sprawl does not affect the closely guarded ones. And finally there is automation. You eliminate sprawl by automatically organizing your cloud assets so you can meaningfully reason it out. Self organizing assets is going to be a big theme.
Every time you have a new CSP, there is work to be done, mistakes to be made. When CSP says security is a shared responsibility, the bulk of the shared responsibility falls on the customer. It is important to bring your own controls to any cloud so that you can meet your shared responsibilities.
The top cloud security concern is misconfiguration. Shared responsibility means that configuring the cloud for security is squarely on you. And that’s a lot of work that never gets done properly. This is where automation helps people keep a good posture. The first part though is to realize that the cloud is as safe as you make it to be. It’s not inherently safe, that’s part of the shared responsibility that people don’t realize they have. Cloud is new, it is dynamic, ephemeral, and high pace. The way to deal with threats and create access controls is very different from what people are used to."
“Although cloud transformation has been great for business overall, it has not been without drawbacks. One of the major downsides is that data protection has not kept pace with data democratization. Research by Laminar Security showed that one in two organizations have experienced a cloud data breach in the past two years.”
According to Amit Shaked, CEO and co-founder at Laminar, the solutions data protection individuals are using haven’t adjusted to this new public cloud environment, which makes work much more challenging than ever before. Additionally, the majority of data protection teams are unaware of the sensitive data that they have stored in the public cloud.
“To keep cloud environments up to date and stop cyber adversaries, it is essential that organizations use solutions that offer visibility, context, accountability, and alert data protection teams of data leaks. The solution should be able to continuously and automatically discover and categorize data for full visibility, security and control that data to reduce data risk, find data leaks, and fix them without stopping data flow. These simple approaches can go a long way in preventing devastating breaches in 2022 and beyond.”Patrick Kopins, COO of OvalEdge, offers the following about the importance of careful monitoring for the sake of security :
“Cloud security basics maybe best begins with understanding who has access to the console or hypervisor controlling the cloud environments. In many cases, organizations need to connect their cloud console to their identification and authorization mechanism (e.g., Active Directory), so that they can control who has what access to instantiate new cloud resources or manage existing ones.
Determining who can provision or use or configure cloud storage is also another basic security practice. Everyone has read about unsecured cloud storage endpoints, that were only protected with the privacy of a particular URL, and then, when someone identifies it, those data are exposed. Organizations need a clear way of determining who can create these storage instances, who uses them, what access controls they require, and how to manage data retention and disposal. Further, organizations may very well need some practices to identify what amounts to shadow IT, since anyone with a credit card can create a public cloud account and start provisioning their own storage (or other cloud resources).
Maybe the other most essential cloud security basic practice is understanding how cloud resources get regular security treatment. In some cases, like a compute instance, you still need to configure and patch the system in question. For others, like database services, you don’t. Also, cloud environments have some different qualities with respect to vulnerability scans or penetration testing (what is internal vs. external in such a situation?). As an organization adopts cloud practices for its IT, its ongoing security practices should adapt to follow.”
“Use of cloud services has grown wildly over the past decade. Especially in the wake of the COVID-19 pandemic with companies undergoing a complete digital transformation to enable employees to work from home. Securing these cloud services has become even more imperative in day-to-day operations, and while many of the native security features of these services can be robust and effective, others may not check all the boxes leading many organizations looking for third party security tools to supplement their workforce. Tools such as static code analyzers, vulnerability management, and security information and event management (SIEM) tools for example.
As organizations continue to move towards more complex cloud environments, visibility into system level activity across the many environments is imperative and not always the easiest things to monitor consistently. Therefore the focus must be a healthy balance of defensive security posturing (which focuses on reactive measures, such as patching software and finding and fixing system vulnerabilities) as well as System Hardening (securing a system's configuration and settings to reduce IT vulnerability and the possibility of being compromised) and finally, centralizing system activity in a manner where detection of any kind of attacks or anomalies can be quickly identified via SIEM logging, monitoring, or built in cloud security tools. In AWS these would be tools like Security Hub, GuardDuty, Detective, CloudTrail, etc.
Cybersecurity will always be a moving target and the same goes for securing the cloud, which means that organizations will constantly be re-evaluating and redeploying their cybersecurity strategies. The good news is that we’re already starting to see cloud providers like AWS, Azure, GCP, etc. moving quickly to offer some very robust, native security solutions giving organizations the ability to monitor for potential attacks with several different services, including a web application firewall, network-level firewall and Denial of Service (DDoS) prevention defenses to help protect endpoints hosted on their platforms.
Built-in security features of these cloud providers and indeed many other SaaS solutions will become more and more effective and useful as we go. AI will no doubt play a crucial role in the defense of attacks, both in alerting as well as blocking them, as will the continued automation and rotation of encryption keys, passwords, private keys, etc. Because let’s face it, while delivering a secure product is incredibly important, at the end of the day, organizations would much rather focus on delivering features rather than spending all of their precious time worrying about every security pothole in the road.”
“A common theme among CISOs we talk to is a general lack of visibility around how customer data records are moving in their cloud environments and how they are missing a good governance strategy for access to that data. There is also a general agreement that the state of the art with mainstream cloud security technologies creates a lot of busy work that focuses on infrastructure security which is necessary but not sufficient to achieve their real charter - information security. What can you do with this insight?
Whether you are already in the cloud, planning to expand your cloud footprint, be sure to:
- Understand your data assets
You cannot protect what you cannot see. Use a tool to discover all your data assets for you and who has access to those assets. If you are manually identifying your most valuable data assets, it’s time to invest in an automated tool that takes care of this for you.
- Reduce data and access sprawl
you have two big reasons to do this: cloud cost management which is top-of-mind for cloud engineering teams in the short term and reducing data proliferation which is one of the highest priorities for security teams.
- Consolidate tools
if you have three separate tools to get your data visibility, access paths and risks your team will spend a lot of time working on integrating them rather than using them to reduce your overall risk. This lets you reduce spending, free up your time and improve your data risk posture.”
Previously, the buzzwords around cloud included "private," public" and "hybrid." While those aren't disappearing, they are getting refined. One of the key developments is in industry specific clouds. Brian Campbell, principal at Deloitte Consulting LLP explains:
“As IT professionals look to 2023, Industry Clouds are firmly in focus. They provide the flexibility to leverage industry-specific solutions that solve business needs in a way that does not require significant platform work or core systems redesign, thus accelerating time to value.
Key to utilizing industry clouds is to first focus on a tight partnership with business owners to understand where there is the greatest need for technology to provide more functional, scalable, and customizable solutions to accelerate enterprise strategy. Next, understand the increasingly complex landscape of Industry Cloud solution providers (e.g., hyperscalers, SaaS providers, ISVs, GSIs, startups…) and short-list those to evaluate which is the best fit for your business.
Once you’ve made a decision, focus on secure implementation, as well as customization and engineering resources in the areas where there is the greatest differentiation value, in partnership with the business. Lastly, embrace an open dialogue and consistent system of evaluating where else to leverage Industry Clouds over time.”
Additionally, as we move into the final part of the year, it's important to make sure that your cloud environment is ready to handle the demands of the future. Here are some expert tips on how to keep your cloud environment up to date from Boris Jabes, CEO and Co-Founder of Census, a data integration platform:
1. Keep your software updated
One of the most important things you can do to keep your cloud environment healthy is to make sure that all of your software is up to date. This includes both the operating system that your VMs are running on and any applications or tools that you're using within the cloud. Outdated software can introduce security vulnerabilities and stability issues, so it's crucial to keep everything updated. You should also have a plan in place for patch management and updates, so you can ensure that all of your systems are kept up to date on a regular basis.
2. Perform regular backups
Another key part of maintaining a healthy cloud environment is to perform regular backups. This will help you recover from any problems that might occur, such as data loss or system failure. There are a variety of different backup options available, so you'll need to choose the one that best meets your needs. You should also have a recovery plan in place, so you know exactly what to do if something does go wrong.
3. Be prepared for disasters
Despite your best efforts, there's always a chance that something could go wrong in your cloud environment. That's why it's important to be prepared for any disasters that might occur. Make sure you have a plan in place for dealing with disruptions, such as power outages or network problems. You should also have a backup of your data and systems, so you can recover quickly if something does happen.
Amol Dalvi, VP of Product, at Nerdio, offers the following tips regarding how readers can get their cloud environment ready for what’s next, particularly when it comes to keeping your data and systems safe:
While using your mobile phone for receiving text messages for 2FA is an absolutely important thing to do, using Authenticator apps is far more secure. Microsoft, Google and others have excellent solutions. I strongly recommend considering auth apps to up your security game. Unfortunately, SIM swapping is real and we can no longer assume using a text message for second factor authentication is hacker proof.
Elevate a user's access only when they need it and for as long as they need it. Use solutions like Microsoft's PIM. Most admin users don't need all the admin privileges all the time. Reduce the attack surface by allowing an admin to request elevated access when they need it.
Desktop virtualization is another way to elevate your security posture. Since the desktop itself runs in the cloud, it is easy secure the entire desktop (think registry entries, Outlook profile, even desktop wallpaper settings), all the apps and thus data users have access to. Pricing has come down substantially over the years making Desktop as a Service (DaaS) a worthwhile investment without long-term commitments.
- Review Your Cloud Strategy
First and foremost, take a step back and review your overall cloud strategy. What worked well in 2022? What didn’t work so well? Are there any changes you need to make for 2023? By taking stock of where you are now, you can develop a plan for where you want to be in 2023.
- Migrate Legacy Applications
If you have any legacy applications that aren’t running in the cloud yet, now is the time to migrate them over. Not only will this help reduce costs, but it will also ensure that these apps are able run on newer platforms and stay supported by vendors going forward.
- Implement New Technologies
Take advantage of all the new features and capabilities that have become available from major cloud providers over the past year or two – things like serverless computing, containerization, edge compute resources, etc… By implementing these technologies now (or at least getting started with them), you position yourself well for an easy transition into full-fledged use down the road when they mature even further.
Our final tip comes from Corey Donovan, President of Alta Technologies Inc on how to handle the excess IT created by cloud moves while generating a way to help cover costs and avoid contributing to the local landfill.
"With rampant supply chain shortages for IT hardware right now, it is a great time to get cash back on your data center assets in order to help cover your transition costs from moving workloads to the cloud.
IT refurbishers are thirsty for equipment right now, as they’ve become a key alternate supply chain for many IT managers who can’t wait months for back-ordered OEMs to deliver brand new equipment. As a result of the IT equipment shortage, used IT asset prices are rising, benefiting those who are liquidating equipment with higher returns on their trade-ins."