So, you’ve upgraded to the cloud…now what?

Shifting to the cloud is no mean feat, but success depends on what comes next. CIOs must balance technical demands with training needs

Any experienced sailor knows it’s easy to launch a vessel – the hard part is keeping it afloat once you’re out at sea. The same can apply to chief information officers (CIOs) who’ve successfully upgraded their business to the cloud.

Finding your sea legs quickly as wave after wave of problems hit – including creaking legacy technology, belligerent employees and the ever-present threat of cyberattacks – is key to post-cloud survival.

Helen Ashton helped power fashion giant ASOS through several technological shifts, moves which ultimately made them the market leader in online shopping, earning £3.26bn last year. Now founder of Shape Beyond, a business transformation consultancy, Ashton says the key to success at ASOS was full migration to the cloud.

However, new technology only brings the expected benefits when people are kept on board with the processes needed for success.

“Businesses either plan for months in minute detail or they jump straight in to work on the sexy stuff, such as analytics or digital CX,” says Ashton. “But success comes from winning hearts and aligning incentives. It is amazing how easily focus can shift through overzealous project management to ticking off activities on the plan rather than keeping sight of delivery of the outcomes identified as indicators of success.”


You can use some of the cloud’s metrics and data to demonstrate quick wins and progress. However, the key to ongoing cloud success is to share data in a way that empowers staff to problem solve within the business, creating a sense of shared responsibility that allows all parties to see bottlenecks and show who needs help and why, says Ashton.

Bucket spills

Before you share all your data internally, make sure a hole in your S3 bucket isn’t sharing it everywhere else. 

A simple S3 bucket exposure from an unknown public source leaked the personal details of 120 million Brazilians – including banks, credit details and voting history – partly because an administrator had renamed the index.html by accident. In separate examples, a mobile app developer exposed 500,000 documents from a finance app and a cannabis retailer leaked 30,000 of its customers’ details, all of which led to considerable fallout, with the organisations falling foul of data privacy regulations.

“We’ve seen incidents on a frequent basis where cloud databases have been set to be publicly accessible, when they needed to be private,” says Javvad Malik, lead security awareness advocate at KnowBe4. “Similarly, having the appropriate authentication controls in place is vital to prevent account takeovers which exploit weak credentials.”

To prevent leaks, look for gaps where cloud migration shifts data centre responsibility from the traditional sysadmin to site reliability engineers and DevOps teams, says Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center. “This shift creates a potential gap between those familiar with the application security requirements and those versed in cloud security topics. This can lead to situations where storage misconfigurations in the form of unsecured S3 buckets result in significant data leakage.”
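The check behind the advice above, as an added example rather than anything from the article or the firms quoted in it: given a bucket's policy document, its ACL and its Public Access Block settings (the three documents the AWS S3 APIs return), report which statements or grants open the bucket to anyone and whether the account-level block settings actually neutralise them. The policy, ACL and block settings are constructed samples; the bucket name and VPC id are placeholders.

```python
"""Added example (not from the article): decide whether an S3 bucket is
effectively public from its policy, ACL and Public Access Block settings.
All three input documents below are constructed samples shaped like the
JSON returned by GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock."""
import json

# Constructed sample policy: one anonymous, unconditional read grant (the
# classic exposure) and one anonymous grant limited by aws:SourceVpc.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-PLACEHOLDER"}}},
    ],
})

# Constructed sample ACL: owner has full control, and the AllUsers group
# (i.e. anyone on the internet) has been granted READ.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

# Group URIs that mean "anyone" or "anyone with any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM documents allow a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Return one record per Allow statement whose principal is anonymous.

    A statement with a Condition (e.g. aws:SourceVpc) is flagged for review
    but marked conditional, since it does not by itself make the bucket public.
    """
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditional": "Condition" in stmt,
        })
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for every grant to AllUsers/AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return out


def assess_bucket(policy_json, acl, public_access_block):
    """Combine the three views into a single exposure verdict.

    RestrictPublicBuckets=True limits a public policy to the account's own
    principals, and IgnorePublicAcls=True makes public ACL grants inert, so
    only findings not covered by those two settings count as exposure.
    """
    policy_findings = public_policy_statements(policy_json)
    acl_findings = public_acl_grants(acl)
    live_policy = [] if public_access_block.get("RestrictPublicBuckets") else [
        f for f in policy_findings if not f["conditional"]]
    live_acl = [] if public_access_block.get("IgnorePublicAcls") else acl_findings
    return {
        "policy": policy_findings,
        "acl": acl_findings,
        "exposed": bool(live_policy or live_acl),
    }


if __name__ == "__main__":
    no_block = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
    print(json.dumps(assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, no_block), indent=2))
```

Run against real buckets, the three inputs would come from `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block`; the point of keeping the evaluation separate from the API calls is that the same logic can run in a CI check over policy files before they are ever applied.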

Patch management is also an area of risk, particularly when long-running servers are upgraded but containerised microservices haven’t been redeployed, says Mackey. “If the pre-existing patch compliance dashboard was based on logging into all systems, it will need to be updated for a containerised deployment.”

Training needs

While you’re taking the lead, your team can only follow if they’ve been trained correctly. In the haste of initial deployment deadlines, the required level of understanding is often lacking across the team, says Mackey. While this should be remedied with training, security access should be kept on a need-to-know basis, not just given to those at senior levels, even if that requires diplomacy.

“Training efforts should focus on how to operate a cloud service using principles of least privilege. Once training is complete, a comprehensive review of gaps in implementation should be performed and any issues remediated.”
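One concrete form the "review of gaps in implementation" can take, as an added example that is not from the article or from the companies it quotes: compare what an IAM policy grants with what the principal has actually been seen doing, then list wildcard grants, grants that were never exercised, and the narrower action set that would replace each wildcard still in use. The policy and the activity records are constructed samples; the activity records borrow the `eventSource`/`eventName` field names of CloudTrail, but the mapping from CloudTrail event names to IAM action names is not always one-to-one, which the code notes.

```python
"""Added example (not from the article): a least-privilege gap review that
compares granted IAM actions with observed activity. The policy and the
activity records are constructed samples."""
import fnmatch

# Constructed sample policy attached to an application role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed sample of what the role did over the review window, using the
# CloudTrail field names eventSource and eventName. Caveat: CloudTrail event
# names do not map one-to-one onto IAM actions for every service, so treat
# the "unused" list as a shortlist to confirm, not a removal order.
SAMPLE_ACTIVITY = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem"},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "Query"},
]


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def observed_actions(records):
    """Turn activity records into IAM-style 'service:Action' names."""
    return {f"{r['eventSource'].split('.')[0]}:{r['eventName']}" for r in records}


def granted(policy):
    """Return (action_pattern, resource) for every Allow statement."""
    pairs = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                pairs.append((action, resource))
    return pairs


def wildcard_findings(policy):
    """Flag grants whose action or resource is a wildcard."""
    findings = []
    for action, resource in granted(policy):
        reasons = []
        if action == "*":
            reasons.append("every action")
        elif action.endswith(":*"):
            reasons.append(f"every action in {action[:-2]}")
        if resource == "*":
            reasons.append("every resource")
        if reasons:
            findings.append((action, resource, reasons))
    return findings


def unused_grants(policy, records):
    """Action patterns that matched nothing in the observed activity."""
    seen = observed_actions(records)
    patterns = sorted({action for action, _ in granted(policy)})
    return [p for p in patterns
            if not any(fnmatch.fnmatchcase(a, p) for a in seen)]


def tighten(policy, records):
    """For each wildcard action pattern still in use, the explicit actions
    that were actually exercised and could replace it."""
    seen = observed_actions(records)
    out = {}
    for action, _ in granted(policy):
        if "*" not in action:
            continue
        matched = sorted(a for a in seen if fnmatch.fnmatchcase(a, action))
        if matched:
            out[action] = matched
    return out


if __name__ == "__main__":
    for action, resource, reasons in wildcard_findings(SAMPLE_POLICY):
        print(f"wildcard: {action} on {resource}: {', '.join(reasons)}")
    print("never exercised:", unused_grants(SAMPLE_POLICY, SAMPLE_ACTIVITY))
    print("replace with:", tighten(SAMPLE_POLICY, SAMPLE_ACTIVITY))
```

With real data the activity would come from CloudTrail or IAM Access Advisor rather than an inline list, and the review window must be long enough to cover infrequent jobs such as month-end batch runs before any grant is removed.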

While not everyone needs access, staff should still be aware of all security settings and why they’re in place, with drill tests to ensure all such settings are as they should be. “A culture of security needs to be built that understands the risks of the cloud,” says Malik. “Use internal and external data sources to determine the root causes for most attacks against cloud infrastructure, and invest in the appropriate human, procedural and technical controls.”

It’s also important to know when to hand over control to the system. If you don’t automate quickly it can create sluggish staff, put off new hires and create extra labour and therefore costs. 

“If you don’t automate, organisations become less agile or adaptable to change and teams may also demotivate because of repetitive tasks,” says Sergio Loureiro, cloud security director at Outpost24, a cybersecurity specialist. “Today, when it is hard to find a skilled workforce, automation is a competitive advantage. Finally, customer perception can be impacted by longer response times.”

The human factor

Despite all the technological risks, many problems will come from humans. Even at ASOS, human nature states people always want to keep the status quo, says Ashton. “In more traditional businesses, there is a strong possibility of ‘adoption indigestion,’ which can derail cloud’s anticipated benefits if not effectively managed. There is no silver bullet solution here. It is a mix of training, communicating the benefits, real-time support, and measuring process and outputs to identify issues and successes.”


While cloud software does a lot of the work for you, keep peace of mind by inviting occasional outside input, says Andrew Whaley, senior technical director at Promon, a white-hat hacking firm that tests large-scale organisations. “Businesses still need to check that security has been applied correctly. Periodic assessments by third-party pen testers are a good way to check this.”

Testing how watertight your vessel is inside and outside of the water, while ensuring all those on deck understand the direction of travel, is key to charting a clear and positive course for your business on the cloud.