In 2019, most organizations are using the cloud. However, many businesses are paying for cloud services without a strategic plan that maximizes productivity and competitive returns while managing security and compliance benchmarks.
Like a new two-car garage that seems attractively spacious and infinitely useful at first (before it's overrun by tools, workbenches, and projects in progress), most cloud operations would benefit significantly from clean-up, alignment, and organization. It is essential for these companies to have insight into where their data is stored and who has access to what information.
In keeping with pop culture's recent focus on killing clutter that's hurting performance and joy, here are a few principles to tidy up and organize how your teams use powerful cloud resources.
1. Organize privileges.
For the sake of speed and cross-training, many companies have "flat" data access controls, giving practically any employee access to assets such as source code, customer data, and sensitive corporate financial info for the sake of multitasking and cross-training. This makes it hard to put reasonable controls on access and prevent unchecked risk, especially given employee turnover. Decide how much granular access controls you need over data. If your business is in retail, for example, your data requires different handling than electronic health records or attorney-client files.
2. Reevaluate risk and number of third parties.
The more partners, the higher the risk — that's just reality. So, to keep the attack surface/risk surface more manageable, assess which partners are truly necessary. In cases where providers can be consolidated pared them down to those willing to demonstrate a more serious commitment to security.
3. Map cloud usage to tame clutter.
Enterprises can license internal departments and users with cloud accounts to enable their teams to apply additional cloud-powered horsepower and fluidity to their respective missions. But the flip side of this is that cloud use can grow in silos, going astray from centralized oversight and policies. The key for these larger companies is to evaluate how internal teams are using the cloud. Taking inventory of what information is being stored and where it is essential to keep information secure. For example: How is the finance or HR team using Google Drive? How is the help desk or DevOps team using cloud services.
4. Securely dispose of what's old.
Just like shredding boxes of past bank statements or wiping an old PC's hard drive brings peace of mind, companies should securely tidy up by discarding any abandoned, orphaned, or partially (indefinitely) uncompleted projects in the cloud or on corporate networks. Developers, business development leaders and marketers often build proof-of-concept apps, databases, or other items that are fed live production/customer data, and that data might not be securely removed or wiped when the project is phased out. Because the cloud is so fluid, it's easy to securely dispose of these occurrences, once you account for them in policies and planned actions.
5. Organization takes teamwork.
Once you have done the heavy-lifting of cleaning out your cloud/IT footprint, slash the hours and lift upkeep going forward by creating a cross-functional team — for example, the heads of business units relying on the cloud in your organization (sales, IT, finance, developers). Get their commitment to meet regularly over lunch or coffee to talk through their cloud usage needs, priorities, concerns, and lessons learned. When everyone is on the same page, disconnects that cause a lot of duplication, silos, and clutter are eliminated.
In life and technology, organization follows accumulation. Like attics, workshops, and garages, cloud spaces are seized on by technical and business leaders across an organization for the sake of getting things done. Only when assets grow and activity increases does it become apparent that there might be a lot of clutter, waste, or potentially dangerous conditions in different areas. Fortunately for those of us charged with keeping IT organized and humming, automated and process-driven controls can help make tidying up happen every day. This gives SecOps teams more time for security and compliance management.