The Perimeter Has Vanished. Here’s a 90-Day Plan to Help You Adapt
June 4, 2019
4 minute read
It was easy once.
Like a kingdom ruled by an absolute monarchy, our great IT leader, the CTO, could deploy rules that would govern the perimeter of our castle.
The IT kingdom provided the services to be used. Our strategically placed, high vertical walls ensured these were the only services the people of the kingdom had access to. There was one way to share files, one username, and one password. The concern for piggyback intruders was minimal as we could visibly see who was trying to compromise the walls.
But just like castles fell in the 1300s because of the evolution and enhancement of gunpowder, our technology perimeter has fallen with the evolution and enhancement of SaaS and cloud-based services.
The “ease of use” design elements present in nearly all SaaS and cloud platforms have given all of your co-workers the ability to set up and use these services without in-depth technology training. This has created a rapid expansion of services that you as the IT administrator can no longer see or secure.
Throughout history, even recent history, we can trust that evolution will continue to disrupt the way we work. As technology has evolved, we embrace innovation.
As much as we would all love unlimited budgets to embrace the perfect security model, we all recognize there is a practical evolution to our own versions of perfection.
Without our walls, without the perimeter to limit access to services, we must evolve to introduce cloud enablement. We must implement new ways to provide protection so we can embrace the cloud with minimal risk to the kingdom.
Over the next 90 days, let’s take an objective-based approach to evolving our perimeter management.
Objective #1: We will discover and inventory 100% of cloud services and cloud assets.
The result of this objective is the following:
- Create a measured baseline of what we know by creating an inventory of what we have.
- Create prioritization for future phases of your cloud enablement strategy.
- Drive governance for immediate high risks and how these risks might be resolved.
Start with the core question of “What cloud services do we use?”
Understanding what your company is already using is a minimum requirement to begin to prioritize and manage your landscape. With this question, you can survey your teams to find these services.
Audit your accounting records for reoccurring subscription services to cloud or SaaS providers. Audit employee reimbursement transactions to find where employees may have paid for services directly. Leverage any existing web monitoring you have in place to search well-known cloud/SaaS providers. Create a list of services you discover, including who the primary contact for the service is, what the service is used for, and what type of information is stored there.
Once you understand this expanded landscape, you can pivot or accelerate to resolve the challenges ahead of you.
Objective #2: We will understand and administer 100% of people access (user access).
The result of this objective is the following:
- Removal of any former employee or unnecessary access to services.
- Formal processes to provide and manage access to services.
- New metrics for privileged user access such as:
- Number of people with elevated access
- Number of orphaned accounts
- Password policy effectiveness
Again, start with a core question: “How can I remove unauthorized access to services?”
This is important to ask because whoever provided access to this service likely did not consider that access would ever have to be removed, nor are they removing unneeded access. By highlighting that there is an unmeasured, unknown high risk in privileged access management, you can drive your team to gain access to discover services and gain administrative access to these services.
Since the teams already leveraging SaaS and cloud are not maintaining metrics specific to access management, you can further caution the unknown high risks by advertising the gap in reporting. Ensuring that you and your organization can centrally report on access management is the only way to provide transparency in this area and truly measure how much risk your organization has.
Objective #3: We will select and procure a tool to provide continuous visibility into cloud services and people access.
The result of this objective is the following:
- Automate future needs to rediscover cloud services and cloud assets.
- A dashboard for measuring key risk indicators in cloud enablement including:
- Unauthorized access to business data
- Abuse of authorized access
- File access or file sharing against configured data loss policies
- Baselines and targets for future phases of your cloud enablement strategy including:
- Targets for undetermined risks you have not considered
- Baselines for ways to increase the efficiency and uptime of service use
Our primary question for objective #3 is “How can I show transparency of our cloud footprint?”
Your peers should be aware of everything you know or do not know about the cloud and SaaS use in your organization. As an IT leader, it’s important to continuously provide this information. Other business leaders are looking to you to understand how to best use these services and what types of risks are associated with them.
You can provide this transparency by reporting what you know and potential challenges in the current state. For example, which cloud services or SaaS platforms are you aware of, but do not currently have administrative access to? What are the top five immediate risks to your organization because of how cloud services or SaaS have been used? What are the immediate projects required to mitigate risks recently discovered in your cloud and SaaS platforms?
Jump into your next 90 days with this actionable plan. At first glance, these three objectives may seem simple and attainable. Ninety days may seem like too much time to accomplish this.
But as I said earlier, “We can trust that evolution will continue to disrupt the way we work.” In this case, we can trust the evolution of our people in that they’ve evolved to avoid any IT administration of their cloud services. As you and your team step forward to discover these services, prepare yourself for the quantity, complexity, and duplication that has been created in the landscape surrounding you.