Faster isn't always better. Is it time for a cloud speed limit?

Cloud Speed Limit = Pain Relief for Cyber Security and the Organization

Several interesting points are made in the article "Amazon, Microsoft Cloud Leaks Highlight Lingering Misconfiguration Issues." I can't help but think about how IT asset management can help alleviate some of the pain caused by cloud assets not being adequately managed.



"A string of household names lately have been responsible for misconfigured cloud storage buckets overflowing with wide-open data – once again shining a light on a cybersecurity problem for which there seemingly is no plug."


Is it reasonable to expect cybersecurity to know about every asset? No. Why? An accurate IT asset inventory is only possible when the entire asset lifecycle is managed. IT asset lifecycle management is orchestrating the collection and validation of data from the activities involved in the request, evaluation, approval, receiving, deployment, monitoring, and disposal of IT assets. There is a "plug," and the "plug" is Cloud Asset Management. Is the Cloud Asset Manager directly responsible for plugging the holes? No. That responsibility rests with the appropriate role of an IT administrator. The Cloud Asset Manager's responsibility is to ensure the proper, accurate data is captured to monitor operations.



"And indeed, the [data] leaks are caused by a variety of misconfigurations rather than any bugs …"


I believe there is a bug, and it is in the processes or the design of the software. The organization requires insight into the cloud service provider's operations. IT standards exist for many reasons, and one reason is an attempt to reduce complexity through well-defined configurations. An IT standard for a laptop defines the laptop's configuration. The same can be applied to cloud components. But cloud components are not only configured by the organization's staff; the cloud service provider also configures them. Therefore, vendor management is critical for cloud assets. Cloud Asset Management embraces vendor management and all tasks necessary to evaluate vendor compliance.



"Overall, 81% of organizations have experienced a security incident related to their cloud services over the past 12 months, with almost half (45%) suffering at least four incidents, according to Venafi."


One benefit of cloud services is the speed of deploying assets. But this benefit is a double-edged sword. With speed comes the possibility of more mistakes. Isn't it time for a speed limit? Cloud Asset Management designs speed bumps with the buy-in from those driving over the speed bumps and, of course, speed monitoring. I started my career as a software engineer, and no software engineer wants to be burdened by meaningless processes. This perspective is why the Cloud Asset Manager must work closely with the cloud engineers to educate them on the purpose and value speed bumps bring to the organization. The security of cloud assets cannot rest solely with the cyber security team, nor should it.



"The increase in complexity of cloud-based and hybrid infrastructure, along with a lack of visibility into that infrastructure, has caused the increase in incidents …"


The lack of visibility is because the IT assets exist behind someone else's wall. When our assets were in our data center, we relied on our tools and processes. Cloud Asset Management establishes contractual agreements with the vendor to gain transparency into the vendor's cloud operations. Cloud complexity will only increase as technology advances, delivering more functionality and, thus, more sophistication. It will increase further with the adoption of IoT and the fog layer.



"Yes, misconfigured cloud storage is one of the primary reasons for data leaks — I do believe that this is a trend …"


Cloud Asset Management brings IT standards that must apply to cloud storage configurations. An IT standard for a server has a well-defined configuration, and any request outside that configuration requires approval. Cloud Asset Managers work with IT to design the most efficient approval process and to capture configuration data. Without tools, one has to rely on other methods to obtain information. These methods include acquiring information from cloud service providers.



"'Shadow' data — stored in cloned databases test environments, unmanaged backups, and data analysis pipelines — is the main threat …"


Someday, "shadow IT" may just become "IT." Why? Because cloud assets are quickly and cheaply acquired. Cloud Asset Management broadens its reach beyond IT and engages with departments and business units. Just because the IT department can easily be bypassed does not mean the organization's liabilities can be. Cloud technologies further decentralize IT with executive management's permission by distributing IT's budget to other departments and business units. While one can debate the wisdom behind decentralizing IT, one cannot debate the liability risk of using technology. And that is why Cloud Asset Management must provide its services to anyone using cloud services.


"Part of the issue continues to be the division of responsibilities between cloud providers and the business customers."


Cloud Asset Managers, like IT asset managers, bridge the gap between IT and the business. Cloud technology has made it easier to deploy and use IT services without the assistance of the IT department. ITAM is the solution to aligning IT with the business. Cloud Asset Managers fill this gap by managing the cloud service providers to protect the organization's compliance requirements and maximize the value of the cloud investments.


"Principle of least privilege must be adopted for every aspect of the data"


Cloud Asset Management defines the end-user roles to understand what technology is required by that role and what data access that role requires. Roles will also determine the type of IT, ITAM, and cyber security training required. Defining end-user roles has always been an ITAM best practice. Roles define the technology needed to set IT standards. Cloud end-user roles cover a wide range from the casual computer user to the technology specialist. Role definitions for technical people are critical because of the complexity of cloud services and the ease of configuration.


Conclusion

Cloud Asset Management brings you accurate inventory and vendor management. An accurate inventory is not only a requirement for cyber security but also ITAM, FinOps, compliance, and the service desk. For an inventory to be accurate, it must be continuously updated as the state of assets changes. These updates require lifecycle management of cloud assets, starting with "I think I need it" through and past disposal.

Vendor management is an ITAM best practice but is rarely practiced, except for IT asset managers who manage the disposal of hardware assets. A critical difference between Cloud Asset Management and SAM or HAM is the requirement to manage a product AND a service. SAM and HAM primarily focus on managing products – software and hardware. Managing hardware leases would be more closely related to what a Cloud Asset Manager does; however, the services provided by the lessor are not as continuous as the cloud service provider's services. Like the data center, the organization can depend on the vendor's service 24/7. The organization requires transparency of the vendor's operations to meet compliance requirements, business objectives, and cyber security objectives. These requirements are only achieved through vendor compliance.
