Working at a number of different customers, I experience the good, the bad and the ugly when it comes to cloud security and how it is managed... or not.

One of the most effective approaches I find is to perform a security assessment of the environment and target the ‘quick wins’ to rapidly improve security and limit the chance of reputational damage, compliments of someone walking straight into your organisation’s sensitive data.


Typically the concern with this approach is that you are inadvertently applying change, and where there is change you often get resistance from people. This can be because people are getting found out in particular areas, such as having over-privileged access, or because of the cry for a Waterfall approach to the change because that is what they are used to. If that does not reduce the speed of change then, to support the archaic approach of a Waterfall delivery, they may want a fully fledged support model from day 1.

I often find it a challenge to balance that mindset of others where “Waterfall is dead” and that if we want to deliver something any time within the next few weeks or months “agile approach is now”. I continue to be amazed with how institutionalised people can be at times, albeit massively frustrating to what I am trying to do and where the world is going. Do they not see it is about ‘on demand’ or ‘now, now, now’? The flexibility is a necessity when competing with other organisations or trying to offer better value to customers!

Nevertheless, just like the concept of cloud, where you have faster provisioning of services and shared responsibility, it’s always an educational challenge to bridge the mindset of the masses with why cloud makes sense.

Then there is the whole concept of teams HAVING to work closer together when they consume cloud services. With the adoption of cloud it becomes very evident that teams will be stepping on each other’s toes when they begin to use said services, as those services often bridge the responsibilities of multiple teams. I could probably write a blog purely on that.

My point is, there is a clear pattern of how we move forward in IT today. We have adapted the project approach from Waterfall to Agile. We have identified the blockers of these faster deliveries and tried to resolve them by teams working together, i.e. Developers & Operations became DevOps, closely followed by Security, who were last to the mix, which has now become SecDevOps or DevSecOps! Ultimately we are heading in the correct direction, which is great.

The biggest challenge I see when I consult and advise at various organisations, whether in the public or private sector and regardless of industry (finance, media, healthcare, etc.), is a combination of people (teams), their politics, skills gap and process. To be fair, each sector has its own nuances, but generally I find people and skill set to be the biggest hurdle.


My takeaway would be to ensure you have a small team of individuals who are ‘cloud ready’ and who will focus on how your organisation will adopt cloud services. Identify what services you wish to consume for day 1. Once the technical configurations have been addressed, you then figure out the touch point with business teams, such as the onboarding process. Choose a representative “champion” from each business function that is a stakeholder of the service so they can relay the information to their team on how their team will engage with the cloud service.

Remember there is no end stage, only continual development or improvement, when it comes to cloud. This means the life cycle is never finished; we just build out what we currently have to improve process and functionality. Simple, right!?

The important thing is to get the message right and have it circulated throughout the organisation. Good messages are:

  • We are now operating in a cloud first approach.
  • We must work closer together.
  • Ask yourself how we can make this work rather than face the change with fear.
  • Getting involved is the best way forward.
  • What do we need to do to support this?

All positive messages, right! Good luck!






