Importance of cloud strategy

Eyal Estrin ☁️
6 min read · Dec 21, 2020

Why do organizations need a cloud strategy and what are the benefits?

In this post, we will review why an organization should define and document a cloud strategy, what topics such a document should include, and how a cloud strategy helps the organization manage the risks of cloud adoption while using the cloud securely and sensibly to promote its business goals.

Terminology

A cloud strategy document should include a clear definition of what is considered a cloud service, based on the NIST definition:

· On-demand self-service — A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

· Broad network access — Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

· Resource pooling — The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

· Rapid elasticity — Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

· Measured service — Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

The cloud strategy document should also include a clear definition of what is not considered a cloud service, such as hosting services provided by hardware vendors (hosting service / hosting facility, Virtual Private Servers / VPS, etc.).

Business Requirements

The purpose of a cloud strategy document is to guide the organization through the various stages of using or migrating to cloud services, while balancing the benefits for the organization with proper risk management.

Without a cloud strategy, various departments in the organization will consume cloud services for their own reasons, such as increasing productivity, but with no official policy on how to adopt those services properly. New, unofficial IT functions could emerge (AKA “Shadow IT”) without any budget control, while information security risks increase due to the lack of guidance.

A cloud strategy document should include the following:

· The benefits for the organization as a result of using cloud services

· Definitions of which services will remain on premises and which services can be consumed as cloud services

· Approval process for consuming cloud services

· Risks resulting from using unapproved cloud services

· Required controls to minimize the risks of using cloud services (information security and privacy, cost management, resource availability, etc.)

· Current state (in terms of cloud usage)

· Desired state (where the organization is heading in the next couple of years in terms of cloud usage)

· Exit strategy

Benefits for the organization

A cloud strategy document should include the possible benefits of using cloud services, such as:

· Cost savings

    o Switching to flexible payment — the customer pays only for what is actually consumed (on demand)

· Information security

    o Moving to cloud services shifts the burden of physical security to the cloud provider

    o Using cloud services allows better protection against denial-of-service attacks

    o Using cloud services allows access to managed security services (such as security monitoring, breach detection, anomaly and user behavior detection, etc.) available as part of the leading cloud providers’ portfolios

· Business continuity and disaster recovery

    o Cloud infrastructure services (IaaS) are a good alternative for deploying a DR site

· Infrastructure flexibility

    o Using cloud services allows scaling the number of resources out and in (from web servers to database clusters) according to application load

Approval process for consuming cloud services

To formalize the use of cloud services across all departments of the organization, the cloud strategy document should define the approval process for using cloud services (according to the organization’s size and maturity level), typically involving:

· CIO / CTO / IT Manager

· Legal counsel / DPO / Chief risk officer

· Purchase department / Finance

Risk Management

A cloud strategy document should include a mapping of risks in using cloud services, such as:

· Lack of budget control

    o The ability of any department to use credit card details to open an account with a public cloud provider and begin consuming services without budget control from the finance department

· Regulation and privacy aspects

    o Using cloud services for storing personal information (PII) without control by a DPO (or whoever is in charge of data protection in the organization). This exposes the organization to both breach attempts and violations of privacy laws and regulations

· Information security aspects

    o Using cloud services accessible by Internet visitors exposes the organization to data breach, data corruption, deletion, service downtime, reputation damage, etc.

· Lack of knowledge

    o Using cloud services properly requires adequate training of the IT, development, support, and information security teams

Controls for minimizing the risks of cloud service usage

The best way to minimize these risks for the organization is to create a dedicated team (CCOE — Cloud Center of Excellence) with representatives of the following departments:

· Infrastructure

· Information security

· Legal

· Development

· Technical support

· Purchase department / FinOps

Current state

The cloud strategy document should map the following current state in terms of cloud service usage:

· Which SaaS applications are currently being consumed by the organization and for what purposes?

· Which IaaS / PaaS services are currently being consumed? (Dev / Test environments, etc.)

Desired state

The cloud strategy document should define where the organization is going in the next 2–5 years in terms of cloud service usage.

The document should answer these pivotal questions:

· Does the organization wish to continue to manage and maintain infrastructure on its own or migrate to managed services in the cloud?

· Should the organization deploy a private cloud?

· Should the organization migrate all applications and infrastructure to the public cloud, or use a combination of on-premises and public cloud (hybrid cloud)?

And lastly, the strategy document should define KPIs for successful deployment of cloud services.

Exit strategy

A section should be included that addresses vendor lock-in risks and how to act if the organization chooses to migrate a system from the public cloud back on premises, or to migrate data between public cloud providers for reasons such as cost, support, technological advantage, regulation, etc.

It is important to take extra care of the following topics when signing a contractual agreement with a public cloud provider:

· Is there an expected penalty if the organization decides to end the contract early?

· What is the process for exporting data from a SaaS application back on premises (or to another public cloud provider)?

· What is the public cloud provider’s commitment to data deletion at the end of the contractual agreement?

· How long is the cloud provider going to store organizational (and customer) data (including backup and logs) after the end of the contractual agreement?

About The Author

Eyal Estrin is a cloud and information security architect and the owner of the blog Security & Cloud 24/7, with more than 20 years in the IT industry. You can connect with him on Twitter and LinkedIn.
