Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/17/2019
10:00 AM
Kaus Phaltankar
Kaus Phaltankar
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Life-Changing Magic of Tidying Up the Cloud

Most companies' cloud security operations would benefit significantly from clean-up, alignment, and organization.

In 2019, most organizations are using the cloud. However, many businesses are paying for cloud services without a strategic plan that maximizes productivity and competitive returns while managing security and compliance benchmarks.

Like a new two-car garage that seems attractively spacious and infinitely useful at first (before it's overrun by tools, workbenches, and projects in progress), most cloud operations would benefit significantly from clean-up, alignment, and organization. It is essential for these companies to have insight into where their data is stored and who has access to what information.

In keeping with pop culture's recent focus on killing clutter that's hurting performance and joy, here are a few principles to tidy up and organize how your teams use powerful cloud resources.

1. Organize privileges.
For the sake of speed and cross-training, many companies have "flat" data access controls, giving practically any employee access to assets such as source code, customer data, and sensitive corporate financial info for the sake of multitasking and cross-training. This makes it hard to put reasonable controls on access and prevent unchecked risk, especially given employee turnover. Decide how much granular access controls you need over data. If your business is in retail, for example, your data requires different handling than electronic health records or attorney-client files.

2. Reevaluate risk and number of third parties.
The more partners, the higher the risk — that's just reality. So, to keep the attack surface/risk surface more manageable, assess which partners are truly necessary. In cases where providers can be consolidated pared them down to those willing to demonstrate a more serious commitment to security.

3. Map cloud usage to tame clutter.
Enterprises can license internal departments and users with cloud accounts to enable their teams to apply additional cloud-powered horsepower and fluidity to their respective missions. But the flip side of this is that cloud use can grow in silos, going astray from centralized oversight and policies. The key for these larger companies is to evaluate how internal teams are using the cloud. Taking inventory of what information is being stored and where it is essential to keep information secure. For example: How is the finance or HR team using Google Drive? How is the help desk or DevOps team using cloud services.

4. Securely dispose of what's old.
Just like shredding boxes of past bank statements or wiping an old PC's hard drive brings peace of mind, companies should securely tidy up by discarding any abandoned, orphaned, or partially (indefinitely) uncompleted projects in the cloud or on corporate networks. Developers, business development leaders and marketers often build proof-of-concept apps, databases, or other items that are fed live production/customer data, and that data might not be securely removed or wiped when the project is phased out. Because the cloud is so fluid, it's easy to securely dispose of these occurrences, once you account for them in policies and planned actions.

5. Organization takes teamwork.
Once you have done the heavy-lifting of cleaning out your cloud/IT footprint, slash the hours and lift upkeep going forward by creating a cross-functional team — for example, the heads of business units relying on the cloud in your organization (sales, IT, finance, developers). Get their commitment to meet regularly over lunch or coffee to talk through their cloud usage needs, priorities, concerns, and lessons learned. When everyone is on the same page, disconnects that cause a lot of duplication, silos, and clutter are eliminated.

In life and technology, organization follows accumulation. Like attics, workshops, and garages, cloud spaces are seized on by technical and business leaders across an organization for the sake of getting things done. Only when assets grow and activity increases does it become apparent that there might be a lot of clutter, waste, or potentially dangerous conditions in different areas. Fortunately for those of us charged with keeping IT organized and humming, automated and process-driven controls can help make tidying up happen every day. This gives SecOps teams more time for security and compliance management.

Related Content:

Kaus Phaltankar is the CEO and Co-Founder at Caveonix. He most recently served as a Senior Vice President for Dell Technologies. Before that, Kaus was Global President of Virtustream Security Solutions, a Dell Technologies company, where he was an evangelist and a technology ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
rapide
50%
50%
rapide,
User Rank: Apprentice
6/22/2019 | 4:17:36 PM
Clearly agree with this article
Clearly agree with this article. Before moving all of a company's IT services to the cloud, you need to think carefully about the needs.
Knowing who needs what.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14905
PUBLISHED: 2020-03-31
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS co...
CVE-2020-11441
PUBLISHED: 2020-03-31
phpMyAdmin 5.0.2 allows CRLF injection, as demonstrated by %0D%0Astring%0D%0A inputs to login form fields causing CRLF sequences to be reflected on an error page.
CVE-2020-1712
PUBLISHED: 2020-03-31
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sen...
CVE-2019-10180
PUBLISHED: 2020-03-31
A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could...
CVE-2019-14880
PUBLISHED: 2020-03-31
A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.