Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/17/2019
10:00 AM
Kaus Phaltankar
Kaus Phaltankar
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Life-Changing Magic of Tidying Up the Cloud

Most companies' cloud security operations would benefit significantly from clean-up, alignment, and organization.

In 2019, most organizations are using the cloud. However, many businesses are paying for cloud services without a strategic plan that maximizes productivity and competitive returns while managing security and compliance benchmarks.

Like a new two-car garage that seems attractively spacious and infinitely useful at first (before it's overrun by tools, workbenches, and projects in progress), most cloud operations would benefit significantly from clean-up, alignment, and organization. It is essential for these companies to have insight into where their data is stored and who has access to what information.

In keeping with pop culture's recent focus on killing clutter that's hurting performance and joy, here are a few principles to tidy up and organize how your teams use powerful cloud resources.

1. Organize privileges.
For the sake of speed and cross-training, many companies have "flat" data access controls, giving practically any employee access to assets such as source code, customer data, and sensitive corporate financial info for the sake of multitasking and cross-training. This makes it hard to put reasonable controls on access and prevent unchecked risk, especially given employee turnover. Decide how much granular access controls you need over data. If your business is in retail, for example, your data requires different handling than electronic health records or attorney-client files.

2. Reevaluate risk and number of third parties.
The more partners, the higher the risk — that's just reality. So, to keep the attack surface/risk surface more manageable, assess which partners are truly necessary. In cases where providers can be consolidated pared them down to those willing to demonstrate a more serious commitment to security.

3. Map cloud usage to tame clutter.
Enterprises can license internal departments and users with cloud accounts to enable their teams to apply additional cloud-powered horsepower and fluidity to their respective missions. But the flip side of this is that cloud use can grow in silos, going astray from centralized oversight and policies. The key for these larger companies is to evaluate how internal teams are using the cloud. Taking inventory of what information is being stored and where it is essential to keep information secure. For example: How is the finance or HR team using Google Drive? How is the help desk or DevOps team using cloud services.

4. Securely dispose of what's old.
Just like shredding boxes of past bank statements or wiping an old PC's hard drive brings peace of mind, companies should securely tidy up by discarding any abandoned, orphaned, or partially (indefinitely) uncompleted projects in the cloud or on corporate networks. Developers, business development leaders and marketers often build proof-of-concept apps, databases, or other items that are fed live production/customer data, and that data might not be securely removed or wiped when the project is phased out. Because the cloud is so fluid, it's easy to securely dispose of these occurrences, once you account for them in policies and planned actions.

5. Organization takes teamwork.
Once you have done the heavy-lifting of cleaning out your cloud/IT footprint, slash the hours and lift upkeep going forward by creating a cross-functional team — for example, the heads of business units relying on the cloud in your organization (sales, IT, finance, developers). Get their commitment to meet regularly over lunch or coffee to talk through their cloud usage needs, priorities, concerns, and lessons learned. When everyone is on the same page, disconnects that cause a lot of duplication, silos, and clutter are eliminated.

In life and technology, organization follows accumulation. Like attics, workshops, and garages, cloud spaces are seized on by technical and business leaders across an organization for the sake of getting things done. Only when assets grow and activity increases does it become apparent that there might be a lot of clutter, waste, or potentially dangerous conditions in different areas. Fortunately for those of us charged with keeping IT organized and humming, automated and process-driven controls can help make tidying up happen every day. This gives SecOps teams more time for security and compliance management.

Related Content:

Kaus Phaltankar is the CEO and Co-Founder at Caveonix. He most recently served as a Senior Vice President for Dell Technologies. Before that, Kaus was Global President of Virtustream Security Solutions, a Dell Technologies company, where he was an evangelist and a technology ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rapide
50%
50%
rapide,
User Rank: Apprentice
6/22/2019 | 4:17:36 PM
Clearly agree with this article
Clearly agree with this article. Before moving all of a company's IT services to the cloud, you need to think carefully about the needs.
Knowing who needs what.
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19551
PUBLISHED: 2019-12-06
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An attacker with access to the User Control Panel application can submit malicious values in some of the time/date formatting and time-zone fields. These fields are not b...
CVE-2019-19552
PUBLISHED: 2019-12-06
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user...
CVE-2019-19620
PUBLISHED: 2019-12-06
In SecureWorks Red Cloak Windows Agent before 2.0.7.9, a local user can bypass the generation of telemetry alerts by removing NT AUTHORITY\SYSTEM permissions from a malicious file.
CVE-2019-19625
PUBLISHED: 2019-12-06
SROS 2 0.8.1 (which provides the tools that generate and distribute keys for Robot Operating System 2 and uses the underlying security plugins of DDS from ROS 2) leaks node information due to a leaky default configuration as indicated in the policy/defaults/dds/governance.xml document.
CVE-2019-19627
PUBLISHED: 2019-12-06
SROS 2 0.8.1 (after CVE-2019-19625 is mitigated) leaks ROS 2 node-related information regardless of the rtps_protection_kind configuration. (SROS2 provides the tools to generate and distribute keys for Robot Operating System 2 and uses the underlying security plugins of DDS from ROS 2.)