This furious cadence of innovation surrounding cloud service provider (CSP) capabilities screams better, faster, cheaper. These are the benefits of cloud adoption. A great business enabler, the cloud offers some very compelling use cases for consumption of cloud services. However, if adopted too hastily, the cloud can be the source of frustration for years to come. In this article, I’d like to offer a look-before-you-leap approach to cloud adoption. Governance, billing, identity and supportability are the four key foundational elements to determining cloud readiness.
Establish corporate governance for use of cloud. A typical cloud policy should outline minimum security requirements, data protection requirements, service level agreements, roles and responsibilities and general acceptable use of cloud service provider services.
Consider how your organization currently consumes cloud services. Hint, most organizations fall into the following categories. IaaS public cloud, IaaS hybrid public cloud or SaaS public cloud. Make sure to consider the organization my use multiple clouds in the future.
Develop formal governance that clearly outlines acceptable cloud usage, required data protections, minimum service level agreements to include incident reporting and notification, roles and responsibilities and minimum-security requirements for each cloud “as a service” type.
Acceptable cloud usage – Identify compliance boundaries, data sovereignty requirements, acceptable cloud service providers.
Required data protections – specify which types of organizational data is allowed in the cloud and whether encryption is required in transit, at rest or in use.
Minimum SLA – availability requirements, incident reporting and notification, vulnerability remediation timelines.
Roles and Responsibilities – Cloud service providers realized early on the importance of formalized roles and clearly defined responsibilities associated with sharing the management of cloud services with the organizations that wish to consume them. Formalizing and defining roles and responsibilities for the Cloud Service Provider (CSP) and for the subscriber led to what’s known as the shared responsibility model. In the cloud shared responsibility model, there are some responsibilities that belong solely to the cloud service provider, solely to the subscriber and some that are shared by both. Depending on the type of services consumed, responsibilities may shift placing more responsibility on the CSP or on the subscriber. Having a strategy for identifying and addressing these responsibilities is critical to being cloud ready.
Minimum Security Requirements – Secure Baselines, inventory/malware/av/appsec agents, system logging events and centralized logging ingestion points, password requirements (complexity/history/length/MFA), user account management (integration with centralized identity, SSO, disable on inactivity, identity reuse) periodic review of active user accounts – compare against new hire/term list.
Much like cell phone and electricity companies, cloud providers charge their customers rates for units of service utilization. A typical monthly invoice could include flat rate subscription fees and additional per minute, hour or day charges for bandwidth, compute or storage. If an organization intends to charge this utilization back to particular groups within the enterprise or project codes, proper planning must take place up front. Many cloud service providers have the capability to identify which workloads and elements should be billed to which charge back codes but the more cloud service providers an organization uses the more complicated this becomes. As part of your organizations cloud strategy, you will want to identify how this will be accomplished across your cloud service providers. There is software available to manage billing and charge back, but spend your time reviewing your need, maybe you can get by without it.
Another issue that comes up a lot is shadow IT. Normally organizations are in the cloud and may not be aware. Armed with a company credit card or manager’s reimbursement approval, employees are using cloud to meet their deliverables without going through IT. While this may be fine for emergency situations, these often turn into an ongoing requirement. Establishing a partnership with procurement to identify these reimbursements will allow for more efficient management of that cloud spend. On many occasions, the structure for reimbursement has become the structure for the chargeback model.
With each new cloud service and each new cloud provider, we get another new set of credentials to manage. With each new credential comes the risk of losing another password forgetting another user id. There are great end user password manager solutions for remembering all these without using sticky notes or writing usernames and passwords into your journal. LastPass and 1Password are just two of the many freely available cloud-based password managers. Password Safe is another if you do not like your passwords in the cloud. These free solutions work fine for micro companies or individuals, but for the medium sized businesses and large enterprises, centralized identity and Single Sign on (SSO) are necessary components of the user lifecycle management.
Centralized Identity – Before committing to a cloud solution, take inventory of your current identity strategy and what centralized identity features the potential cloud service provider(s) supports. Three of the most common identity technologies used to integrate with cloud service providers (CSP) are SAML, LDAP and some level of Active Directory integration. Each CSP is different in features and functionality, so make sure you understand each CSP identity integration capabilities, their pros and cons. Multifactor (MFA) and two factor (2FA) authentication are becoming much more common among cloud service providers. Make sure to review these MFA and 2FA implementations for their benefits and ease of deployment.
Roles and Responsibilities – Many CSP’s support role-based access control (RBAC). Users and groups can be defined and access can be assigned granularly. Some basic roles within Infrastructure as a Service (IaaS) offerings like Amazon Web Services (AWS) and Microsoft Azure are Global Admin, Backup Admin, Billing Admin, User Admin, User, Power User. When reviewing CSP identity capabilities and roles, try to understand how the roles your organization requires would fit with the available CSP roles.
Privileged Account Management – The term privileged account refers to an account with a level of access most users don’t get. Traditional examples of privileged accounts would be the Administrator account on Windows or the Root account on Linux. Sometimes these identifiers use a challenge response like a cryptographic key or password or both to authenticate to a system and sometimes these credentials are shared. Privileged Account Management refers to the management of these passwords, crypto keys and certificates. Securely sharing these “secrets” is the core requirement of any privileged account management software. When reviewing CSP’s, understand how secrets can be managed within the CSP or outside of the CSP environment
Often missed, but crucial to the success of any cloud adoption is supportability. I know it’s corny but, arms are required to brace and support an object, so I use the acronym ARM to build my support plans. Understanding how your organization will solve for availability, reliability and maintainability of cloud services or components will be key to determining if you need training, a third party or if you are cloud ready. While not a comprehensive list of topics for each supportability category, below are a few suggestions to get you rolling.
Availability – The availability section of the support plan reviews CSP capabilities for data backup, physical redundancy and availability for core required components, disaster recovery for desired workloads, databases and services.
Reliability – Understand how your organization would perform hardware and software inventory, patch management and change management for these cloud systems or cloud services.
Maintainability – Review existing budget and staffing resources, training and existing staff core competencies. Understand how existing admins would perform their duties on these new cloud services or environments. Understand how incident response would be handled administrative activities, incident response.
- Do we have enough staff? Do we have the right staff?
- Do we have enough budget?
- How do we manage these systems? Do we need to plan to do something different?
- How do we do incident response on these systems? Do we need to plant to do something different?