Making Cloud Onboarding hassle-free and valuable

Usually, a large enterprise is not a blank canvas. There are processes and ecosystems in place already. This is especially true in regulated industries where the documentation and the protection from fraudulent behavior or intrusion are controlled by the regulative body. The result is that many of the suggested approaches of the cloud providers to use “on board” tools included in the service are not enough.

Security & Governance

Cloud Onboarding is about getting a cloud ready for functional use. The decision and evaluation whether a specific cloud provider fulfills the enterprises’ and its regulators’ requirements is something you better consider before contracting (or during contracting, see security controls in part one and not only when you try to hook the cloud up.

Using public cloud services or remote private clouds are new entry gates to threats. These must be controlled and secured on the physical and the logical layer. Securing the network is dependent on your connection (see part two)

Cloud security also means to include the new environments (IaaS, PaaS and SaaS) into your logging and monitoring infrastructure. You do not want to have a separate process or lower level of automation in detecting and acting on security threats or violations. This is a two-way road of you noticing events and alarming the provider as well as the other way around.

One specific risk to keep track of is that during onboarding, many roles are fulfilled only temporarily. During onboarding, the onboarding team and procurement individuals are named in security and governance processes. This works while tailing and boarding but needs to change to the operational role once production use begins. Often this is forgotten (just the good old paperwork and as long as there is one name) and not discovered until security incidents fail and governance findings are being made.

On the cloud governance part, I often observe a conflict. The internal IT governance tries to apply the tried and tested processes and assessments while the cloud team discards these completely as outdated. Let’s stick to the example from before – a break in the process of security events:

The cloud team that closes the contract is focusing on getting the contract done. Yes, there are some internal forms to be filled in and they do this by using their own names. The governance team has to date the unwritten rule that all outsourcers feed events automatically into their chosen tool. Since the cloud provider is no outsourcer and the form is happy with a name, the cloud team cuts out the governance team. This works until there is a security event on the weekend. The name in the process is not available as it is someone from the former cloud contract project which is now doing something else. The event has a huge impact on live customer data, and so on. A little bit of collaboration and openness could have solved that. Rather than a data push, a data pull could have been implemented and backed up by a contact point that is available 24/7. Not that much of an effort if you think about it.

Not collaborating will hurt all sides. The same can happen between IT and security. Once the regulator is creating a finding and the cloud service needs to be adjusted and business benefits are being delayed, everybody is in the same boat. Finger-pointing is no solution then and not before – the only solution is collaboration. Instead of saying no or insisting on the known way, be open and look at it and say maybe. Understand jointly what is possible and what is needed. A lot of the governance rules are based on an interpretation and this interpretation needs a renewal. Rather than cloud, classic IT and governance/security doing this separately ending in three or more different views, collaborate on this. Make this a joint goal.

Often a strategy advisor can help in such situations by coming in and explaining intentions, content and alternatives to both sides (separately and jointly). The cloud provider would be a bad choice to help with this discussion as the cloud provider’s agenda would dominate the approach. A partner with consulting capabilities knowing the cloud providers well could help customers in the same capacity as a strategy advisor.

The first step is to sit down and read and understand the enterprises’ current governance guidelines and its interpretation of legal and regulative requirements. Only then a discussion about how to comply and where adjustments are needed can take place. I recommend reading the Phoenix Project with a special view on the troubles and the transformation of John, the CISO. This will work only if we work together.

– Taking shortcuts constantly is not leading to the goal –

Let us discuss about operating cloud at scale and ensuring that cloud behaves like a natural ingredient to the IT ecosystem in the next blog of the series. Stay tuned.

Part 1: How to onboard a cloud solution provider

Part 2: The foundations of hooking up to a cloud provider

Part 3: Making Cloud Onboarding hassle-free and valuable

Part 4: Tips for Seamless Cloud Onboarding