Friday, April 24, 2020

How to Gain Control Over a Multi-Cloud Environment

Here's my contribution to an information week article that will publish soon.

What's the best way for an organization to gain control over a multi-cloud environment?
    The purpose of gaining control is to manage risk. Period. An effective risk management framework looks at the priority and impact for each element and makes a decision about how to handle the risk. Start with what requirements apply to what assets. Subsequently implement uniform requirements and test security and compliance controls before authorizing production. Starting with a known good state, continuously validate the environment looking for a deviation from your acceptable risk.

    The six executed steps of the NIST Risk Management Framework (RMF) are usually shown in a circular pattern. Wash, rinse, repeat:
    1. Categorize System
    2. Select Controls
    3. Implement Controls
    4. Assess Controls
    5. Authorize System
    6. Monitor System  
    Why does this technique work so well?

    An organization looking to gain control of their cloud footprint already feels the pain from their distribution of assets and differences in technology stacks and features. A solid risk management framework as required by every regulation, standard, and security best practice framework. ISO. PCI. HIPAA. GDPR. Name drop… Keep going. Why? It's because getting everything set up properly the first time is difficult. But managing over time? Much more difficult. Governance is the new gold rush.

    Is there anything else an organization can do to make a multi-cloud environment more manageable?

    Gartner performed a comprehensive study of risk management frameworks several years ago. Their conclusion? It doesn't matter which one you implement. You need to implement one. Complex environment? Cloud computing? Multiple geographies? Focus on risk management. Decide how to identify and measure risk, quantify, and produce truly actionable results. The report of 15,000 entries doesn't help me. Show me where to focus and specifically tell me why.  

    What's the biggest mistake enterprises make when trying to gain better control over a multi-cloud environment?
      The single biggest mistakes enterprises make:
      1. Failing to prioritize and rank impact your findings. This is the purpose of a risk management framework.
      2. Failing to take any action as you look for perfect information, solutions, decision points. Analysis paralysis. Take the problem, break it down into small chunks, and delegate.
      3. Ignoring blind spots because you don't have enough technical depth or visibility across the multi-cloud environment.
      Is there anything else you would like to add?

      Measure. Act. Measure again. Figure out how to incorporate risk management into your entire environment.