As organizations have moved more and more critical applications, workloads and services to the cloud, I am often asked by clients to help them review their overall cloud strategy and architecture from a best practices and security point of view.
As we're several years into this cloud migration for most organizations, a lot of things have changed regarding how they leverage the cloud, the type of applications and services they need to be able to provide and how they control and monitor access to resources. No two organizations are exactly the same, but more often than not, the underlying fundamentals are consistent across organizations.
It’s a good thing to take a step back and reassess the state of your cloud deployment, much like you would your traditional infrastructure on a periodic basis, but it can be a challenge to figure out where to start…
I would suggest breaking this down into its core components and expanding from there as necessary to fully understand your strengths and weaknesses.
Cloud Best Practices and Security Review – Keep it targeted and simple
There is a tendency when looking at cloud deployments to immediately get overwhelmed with the terminology and breadth of technology options that are available. This tendency often slows down or even scares people away from full-blown architecture reviews, because of the diverse feature set that is either in use or convenient to use.
I’d contend that this is all the more reason to evaluate your success and improvement areas.
So how do you break this down into manageable components?
The first thing you may notice about the list above is that it looks very similar to the type of internal reviews most organizations have been doing as part of their overall strategic planning for many years, and that is because it is.
At the end of the day, whether you are leveraging your internal infrastructure, the cloud or, in most cases, a hybrid of both, the core principles are very similar if not the same. The questions you need to ask and discuss are the same and the challenges you may face are the same; they're just ‘in the cloud.’
As you go through the list and look at the core elements, the value starts to become a bit clearer. Reviewing and documenting the items above helps to form a foundation of how you are leveraging the cloud and also helps you to identify possible areas of improvement or areas that may require a second look.
A few examples:
What Can You Do?
Once you have shored up your documentation and understanding of how your organization is using the cloud, after the initial sense of questioning how you got into a mess in the first place, you need to put together a plan.
One thing I would note is that as cloud adoption continues to explode globally, the tools are catching up. Whether they are existing tools that have been retrofitted to the cloud or new tools that have been developed for the cloud, there are a number of really good third-party and platform-specific tools available to assist you in obtaining and reviewing all of the above items.
I'll pick on the two most significant cloud platform providers and mention that both AWS and Azure have tools built in that can help you pull some of this data. (Access may depend on your support level or subscription.)
https://aws.amazon.com/premiumsupport/trustedadvisor/
https://azure.microsoft.com/en-us/services/security-center/
There are of course other third-party tools that will pull ALL of the data above, either for a specific cloud platform or across platforms. Oh, and for the infrastructure folks, there are more and more mapping tools available that will help you create network diagrams as well!
Performing a best practices and security review will help your organization to understand the state of your cloud deployment and give you valuable data to build a roadmap for the future.