As organizations have moved more and more critical applications, workloads and services to the cloud, I am often asked by clients to help them review their overall cloud strategy and architecture from a best practices and security point of view.
As we're several years into this cloud migration for most organizations, a lot of things have changed regarding how they leverage the cloud, the type of applications and services they need to be able to provide and how they control and monitor access to resources. No two organizations are exactly the same, but more often than not, the underlying fundamentals are consistent across organizations.
It’s a good thing to take a step back and reassess the state of your cloud deployment, much like you would your traditional infrastructure on a periodic basis, but it can be a challenge to figure out where to start…
I would suggest breaking this down into its core components and expanding from there as necessary to fully understand your strengths and weaknesses.
Cloud Best Practices and Security Review – Keep it targeted and simple
There is a tendency when looking at cloud deployments to immediately get overwhelmed by the terminology and the breadth of technology options that are available. This tendency often slows down or even scares people away from full-blown architecture reviews, because of the diverse feature set that is either in use or convenient to use.
I’d contend that this is all the more reason to evaluate your success and improvement areas.
So how do you break this down into manageable components?
- Network Architecture
- Address Space Allocation
- Communication Flows into and out of the cloud
- Cloud Security Zones (“DMZs”, VPC Separation, etc.)
- Application Presence
- Data Flow / Dependencies
- High Availability
- Auto Scaling
- Security Group / Rule Review
- IAM Role / Permissions Audit
- Logging (Flows and Applications)
- Administrative Access
- Multi-Factor Authentication
- Remote Access
- Cost Management
What Can You Learn?
The first thing you may notice about the list above is that it looks very similar to the same type of internal reviews most organizations have been doing as part of their overall strategic planning for many years, and that is because it is.
At the end of the day, whether you are leveraging your internal infrastructure, the cloud or, in most cases, a hybrid of both, the core principles are very similar if not the same. The questions you need to ask and discuss are the same, and the challenges you may face are the same; they're just ‘in the cloud.’
As you go through the list and look at the core elements, the value starts to become a bit more clear. Reviewing and documenting the items above helps to form a foundation of how you are leveraging the cloud and also helps you to identify possible areas of improvement or areas that may require a second look.
A few examples:
- Have you planned out your network addressing in the cloud to be able to handle future growth? Have you over-allocated?
- Do you have 50 unique cloud instances, each one using its own security group or access rules? Probably not a scalable solution in the long term. If you had 50 servers in your datacenter, in most cases you would not have 50 separate firewalls to protect them…
- Have you set up tools (either platform-specific or third-party) to help with log consolidation and visibility?
Once you start to look at these items and document your findings, it becomes pretty clear, pretty quickly where you are doing well and where you may need to take a second look and improve.
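The security group question in the examples above can be answered from an inventory export rather than by eye. The following Python is an added example, not part of the original post; the inventory layout, the names and the sample data are constructed assumptions, not any provider's export format. It goes slightly beyond the one-group-per-instance case by also flagging duplicate rule sets, unattached groups and administrative ports open to any source.

```python
from collections import defaultdict

# Constructed sample inventory: instance -> attached security group IDs.
ATTACHMENTS = {
    "web-01": ["sg-web-01"],
    "web-02": ["sg-web-02"],
    "web-03": ["sg-web-03"],
    "db-01": ["sg-db"],
    "db-02": ["sg-db"],
}
# Constructed sample rules: group -> inbound (protocol, port, source CIDR).
RULES = {
    "sg-web-01": [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")],
    "sg-web-02": [("tcp", 22, "10.0.0.0/8"), ("tcp", 443, "0.0.0.0/0")],
    "sg-web-03": [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "0.0.0.0/0")],
    "sg-db": [("tcp", 5432, "10.0.1.0/24")],
    "sg-old": [("tcp", 3389, "0.0.0.0/0")],
}
ADMIN_PORTS = {22, 3389}            # SSH and RDP
ANY_SOURCE = {"0.0.0.0/0", "::/0"}  # "from anywhere" in IPv4 and IPv6


def review(attachments, rules):
    """Summarize group sprawl and risky inbound rules for a review report."""
    users = defaultdict(set)  # group -> instances that use it
    for instance, groups in attachments.items():
        for group in groups:
            users[group].add(instance)

    # Groups whose rule sets are identical regardless of rule order are
    # candidates for consolidation into one shared group.
    by_ruleset = defaultdict(list)
    for group, group_rules in rules.items():
        by_ruleset[frozenset(group_rules)].append(group)

    return {
        "single_use": sorted(g for g in rules if len(users[g]) == 1),
        "unattached": sorted(g for g in rules if not users[g]),
        "duplicates": sorted(sorted(gs) for gs in by_ruleset.values() if len(gs) > 1),
        "open_admin": sorted(
            (g, port)
            for g, group_rules in rules.items()
            for _proto, port, cidr in group_rules
            if port in ADMIN_PORTS and cidr in ANY_SOURCE
        ),
    }


if __name__ == "__main__":
    for finding, items in review(ATTACHMENTS, RULES).items():
        print(f"{finding}: {items}")
```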
What Can You Do?
Once you have shored up your documentation and understanding of how your organization is using the cloud, and after the initial sense of questioning how you got into a mess in the first place, you need to put together a plan:
- Take your discovery findings and turn them into actionable tasks to present back to your team or organization. It will be readily apparent where you are doing well and where you need to improve.
- Prioritize your gaps based on security concerns, organizational risk and scalability to meet your future cloud needs
- Set reasonable goals for resolving issues – You may have moved to the cloud very quickly as an organization, but if you have to go and re-architect your High Availability implementation, it's going to take time…
- Use the lessons learned from discovery and improvement planning to fine-tune your Cloud Strategy in the future (don’t make the same mistakes twice)
Don't Do It All Manually
One thing I would note is that as cloud adoption continues to explode globally, the tools are catching up. Whether they are existing tools that have been retrofitted to the cloud or new tools developed for the cloud, there are a number of really good third-party and platform-specific tools available to assist you in obtaining and reviewing all of the above items.
I'll pick on the two most significant cloud platform providers and mention that both AWS and Azure have built-in tools that can help you pull some of this data. (Access may depend on your support level or subscription.)
There are of course other third-party tools that will pull ALL of the data above, either for a specific cloud platform or across platforms. Oh, and for the infrastructure folks, there are more and more mapping tools available that will help you create network diagrams as well!
Performing a best practices and security review will help your organization to understand the state of your cloud deployment and give you valuable data to build a roadmap for the future.