Image: iStock/Rawpixel

In my capacity as a system administrator, I’ve definitely seen the benefits of cloud services which my organization implemented before the pandemic. Not only do we rely on Microsoft 365 apps, we are safely and securely able to use local applications such as Microsoft Teams, which connect to cloud-based servers even while off the VPN. Two-factor authentication using tokens and certificates is a key enabler to this functionality.

SEE: Managing the multicloud (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

Not every company has had as much success with efficient cloud solutions, and the unfortunate tumult of hundreds of corporate bankruptcies attests that businesses must be as nimble and effective as possible in the solutions they provide to help their employees do their jobs.

Efficient cloud operations wouldn’t necessarily have saved all of the businesses that went broke, but they can indeed assist surviving companies where it counts.

I talked with Josh Quint, senior director of cloud solutions provider ServerCentral Turing Group, a cloud and disaster recovery company, to learn more.

Scott Matteson: How long do you recommend backups of data be retained?

Josh Quint: We recommend maintaining a synthetic full backup plus six days forward incremental backups in a performance storage tier and maintaining a full backup for a rolling 28 days on a capacity storage tier. This provides two critical benefits:

  1. Companies will have the most-needed data readily available in case of an immediate need for a restore request.
  2. This will lower the total costs of the backup services by aging out older data to the capacity storage tier where they remain available, albeit with a bit more lead time required to restore.

Scott Matteson: Compliance is a key element in off-site operations. What sort of auditing mechanisms and gap analysis methodologies do you recommend?

Josh Quint: The most important aspect of audits and gap analysis is to use anything and everything you have at your disposal and be sure you actually do it. Pay attention to invoices, watch services in use, note service performance, etc. You can buy one of a thousand different tools to give you information and insights here–even those that will proactively take scripted actions for you. However, if you don’t act on the insights or don’t have a process to intelligently use the insights to improve your processes–and validate the automated suggestions taking place –it won’t matter what you use.

SEE: Top cloud providers in 2020: AWS, Microsoft Azure, and Google Cloud, hybrid, SaaS players (TechRepublic)

Scott Matteson: Do you have any examples of formal governance and security processes related to cloud operations for best efficiencies?

Josh Quint: There are myriad suggestions and examples for governance and security. We recommend putting focus on the following key items:

  1. Be sure encryption is in place for all data, whether it’s at rest or in flight, and that the keys are stored and maintained independent of the production and backup data systems.
  2. Maintain an air gap between your performance storage tier for short-term, incremental backups and your capacity storage tier for long-term archival.
  3. Be sure that backup strategies are in line with your compliance requirements so that gaps in data and expectations of data do not exist.

Scott Matteson: Do you have any examples of the daily use of cloud automation processes and services that companies should focus on?

Josh Quint: Four key areas where cloud automation processes can prove extremely valuable are:

  • Automated data replication between different geographic sites
  • Scaling up applications during peak business hours
  • Shutting down or scaling back dev environments when not in use
  • Routing application endpoints through cloud-based WAF for automated security

Tactical best practices

  • Conduct regular audits of cloud services to verify use and proper configuration.
  • Implement formal governance processes for assignment of and accountability for cloud resources.
  • Implement formal security processes for ongoing management and compliance with your company’s security requirements and best practices. This includes ensuring all data is secure and encrypted when at rest and in flight.
  • Implement and validate formal and comprehensive backup processes for all applications and data.
  • Utilize cloud automation processes and services (infrastructure as code, etc.) when and where possible. The benefits of the cloud exist when environments are as close to cloud native as possible.

Strategic best practices

  • Maintain continuous and consistent alignment between your cloud platforms and your business objectives. Verify them regularly.
  • Know your cloud economics. Carefully assess whether or not applications can run cost effectively in the cloud at the SLA and performance levels your business needs. If they can’t, have a plan for them.
  • Know the parameters of and requirements for your minimum viable cloud. What is the absolute minimum you need to successfully operate your business in the cloud? This will inform your business continuity strategy and requirements.
  • Conduct a security, governance, and compliance gap analysis. What areas are at risk? Are they addressable with current resources and processes?
  • Understand your data utilization. Will egress fees for accessing and using your data become cost prohibitive? If so, begin planning for that point in time.

The pandemic effect on the cloud

Nitin Agale, SVP of marketing and strategy at Securonix, a security operations and analytics platform provider, had these tips to share:

The COVID-19-induced explosion of the global remote workforce has accelerated wide-scale adoption of cloud-first architectures. Organizations require greater scalability, flexibility, performance, and cost savings to operate remote workforce environments and are looking to the cloud to achieve these benefits.

While the transition is necessary, it brings new challenges in enterprise security. Organizations must implement cloud-specific procedures and processes to navigate an evolved threat landscape. To do this effectively, organizations need to:

  1. Ensure their cloud provider or solution meets minimum compliance requirements (SOC2, Type 2).
  2. Ensure sessions with their cloud services are protected with strong encryption.
  3. Implement strong cloud authentication with multi-factor and step up authentication, as needed for critical applications.
  4. Implement role-based access control (RBAC) limiting access to need basis only.
  5. Ensure that logging is enabled to capture activities that must be monitored.
  6. Implement event monitoring to alert suspicious activities.
  7. Monitor permissions for sharing and downloads on sensitive data for insider threats.
  8. Monitor admin privileges and activities for misuse.
  9. Monitor for account logins to detect DDoS and account hijacking and misuse.
  10. Ensure API’s for communication with cloud services are secured.

Avoid data silos in your cloud deployments

Scott Weller, co-founder and CTO of SessionM, a Mastercard company, said:

“Few organizations have a single cloud anymore–in the age of microservices and services-oriented architectures, hybrid and multi-clouds have become the norm. While there are several benefits to hybrid- and multicloud deployments, one of the best things a company can do for their clouds is find ways to bring them closer together.

“Some organizations try to do this through a data lake approach or a central repository of data, but these projects frequently fail to deliver due to business context being disconnected from the data. Data siloed–without full business context–is nearly impossible to put to use effectively. If you want to create action and outcomes from your cloud data, unlocking data and freeing it from the different silos within large organizations is absolutely essential.”