Are You Cloud First or Cloud-by-Accident?

Are You Cloud First or Cloud-by-Accident?

Deciding whether to use cloud services is no longer the central IT question.

Every enterprise, even security-conscious government departments, use the cloud. The key question is this: are you operating on a cloud-first strategy? Your answer to this question will shape the rest of your IT strategy. Let’s zoom out for a moment to put the cloud-first decision in context.

Will You Be a Technology Leader or Lag Behind?

In 2019, more and more companies are describing themselves as technology companies. We see banks describing themselves as tech companies first. Established industrial brands such as General Electric are investing heavily in digital technology and earning great returns in the process. Decide whether you’re going to keep up with your competitors as a leader.

If you don’t make a move, you’re going to fall into the technology laggard position. That does reduce risk and uncertainty to a degree. However, you’ll face greater expenses in maintaining aging infrastructure and recruiting staff. For example, recruiting staff to maintain mainframes is quickly becoming impossible.

Let’s assume you’ve decided to focus your strategy on technology leadership. Now, let’s look at how the role a cloud-first approach plays.

What Is a Cloud-first Strategy?

A cloud-first strategy assumes that software, infrastructure, and other technology services should be obtained via the cloud. This is an increasingly popular strategic choice. A 2018 industry survey of 997 IT professionals found that 96% of organizations are using the cloud. Going forward, new projects and products will have to be planned with this cloud environment as a given.

The cloud-first strategic orientation shapes decision-making throughout the IT organization. Here are some ways this strategy plays out in practice:

  • New product launches: When your company launches a new product or significant release, your cloud-first strategy supports rapid growth.
  • Cybersecurity: Your department will need to develop new capabilities to effectively support the cloud. This means your staff may need new software tools to maintain control over cloud services and providers.
  • Vendor management: Your expertise in contracts, monitoring, and relationship management will become much more important with a cloud first strategy.
  • IT staff professional development: Your IT budget will need to shift to provide funding for courses and certifications related to cloud services. For example, AWS certifications may need to become a top priority for your staff.
  • IT project planning: Provide new direction to your project management office to emphasize cloud systems.
  • Legacy systems: For older companies, you’ll need to develop a program to transition your legacy on-premises systems to the cloud.

Now, if you’re making a strategic move to “cloud first,” you may have some concerns about cybersecurity. Those are perfectly reasonable issues to raise, so let’s tackle them next.

How to Manage the Risks of a Cloud-first Strategy

When you move most if not all your technology to the cloud, there are new risks to consider. For instance, how will you monitor the cybersecurity risks and exposures taken on by cloud providers? How will you manage usage and licenses? There are three interlocking methods to address cloud-first risks.

1. Define your risk appetite

Your risk appetite defines your tolerance for problems. The flip side of a low-risk tolerance is you miss out on innovation. Your risk appetite also influences your cloud vendor selection process. For example, you may have a limited appetite to work with small cloud companies.

2. Identify your IT risks

In this step, you create a list of IT risks that may be impacted by a cloud-first strategy. Here are some typical risks to get your process started:

  • Availability risk: What level of availability can the cloud provider offer? For mission-critical use cases, we recommend verifying this information with third parties such as consultants and other customers.
  • IT attack surface area: Define all the applications and points of attack where an attacker could damage your company’s assets.
  • Cybersecurity: Dig into the details of the cloud provider’s cybersecurity program. Find out about the qualifications and experience of the cyber staff. For instance, how many of the provider’s staff have ISACA certifications?
  • Reputation risk: Assess the cloud provider’s reputation and evaluate whether you want to associate your company with it. This category requires a judgement call based on your risk appetite and the provider’s recent history (e.g. open lawsuits and reported hacking incidents)
  • Technical risk: Define your ability to tolerate technical problems while you pursue innovation. Your technical risk appetite will likely vary by application and use case. If a cloud vendor brings significant innovation to the stable, you might be willing to accept some technical growing pains as a tradeoff.

3. Assess risk mitigation and remaining risk

Now that you understand the risk landscape and your willingness to tolerate risk, consider the residual risk. This means assessing the likelihood of suffering a loss, given all the controls and safety measures in place.

What if you don’t like the risk exposure that remains with your cloud-first strategy? Well, you may want to take additional efforts to reduce your risk.

Three Reasons Why Identity Management Enables Your Cloud-first Strategy

You might not have considered identity management as an enabler for your cloud-first strategy. Here are three reasons why it’ll help you to succeed.

1. Track SaaS usage

When you first purchase a software as a service (SaaS) product, it’s tough to estimate your spending accurately. Will all your sales staff use the product? How do you know if you’re spending too much?

The answer lies in using identity management software to monitor SaaS usage. With Avatier Single Sign-On, SaaS usage is automatically monitored. That means you can easily see which SaaS products are being used by employees.

2. Leverage easy-to-implement identity management solutions

With all the identity management products on the market, how do you make a good choice? Make a short list of key features to guide your decision. We recommend you look closely at the available integrations; with built-in integrations, you can save time.

A product’s integration options include:

  • IT concepts: Extend Avatier’s capabilities with IT Concepts to automate workflows and manage service levels.
  • Creasoft: This integration partner provides consulting support and expertise to customers in Mexico.

3. Reduce Administrative Burden on ManagersYour managers are busy with their regular duties. If you constantly pester them with identity management changes, they’re going to become frustrated. Use Group Enforcer to take this duty off their hands.

Written by Nelson Cicchitto