An $80 million fine is enough to get any CIO’s attention. And that’s precisely what financial services provider Capital One got whacked with in August 2020, when the U.S. Office of the Comptroller of the Currency (OCC) levied the penalty in the wake of a massive data leak perpetrated against the company’s Cloud infrastructure. “The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public Cloud environment and the bank’s failure to correct the deficiencies in a timely manner,” wrote the OCC in its press release. The fine was the penalty for a 2019 incident in which a former Amazon Web Services (AWS) employee leaked a treasure trove of sensitive customer data online after Capital One failed to properly secure an AWS S3 storage bucket holding millions of credit card applications.
The Capital One incident underscores the critical importance of integrating Cloud assets into a broader technology orchestration effort to give IT managers and security operations teams a complete picture of their IT estates. Integrating and orchestrating Cloud infrastructure for IT teams is no longer optional; the price of failure is steep and the risks are growing as attackers focus more energy on public Cloud as an easy-to-access attack vector.
All of this said, integrating Cloud infrastructure into an orchestration system requires consideration and thought, since Cloud is such a diverse and varied environment. Each organization has its own unique Cloud characteristics and ways of setting up workloads and infrastructure. Here are three core considerations for any organization looking to more tightly integrate management of Cloud assets with existing asset and configuration management systems like ITAM, CMDB, UEM, and SAM.
What are the goals for orchestrating Cloud services?
Asking this question helps you determine what the goals of your integration project will be and what potential outputs or workflows might be required. For example, if your compliance team needs to get a better handle on Cloud usage, then your integration with Cloud infrastructure assets will need to check all the compliance boxes for SOC2, ISO27001, GDPR, and CCPA/CPRA. If your Cloud integration and orchestration is needed for onboarding new employees and giving them the ability to spin up new Cloud instances or create development environments, then Cloud infrastructure will need to be integrated with SSO or authentication, HR, and software development or engineering workflows in the asset management system. If your security team wants a single pane of glass for viewing the status of all IT assets and understanding potential risks, then you will want to extend the Cloud integration to your security platforms (SIEM, SOAR, VM, etc.).
Key Step: To determine these goals, gather all key stakeholders and get their input on what information about your IT estate they would like to have in order to do their jobs better.
How will you build a complete/accurate census of all your Cloud infrastructure?
Without a way to acquire accurate and complete data about Cloud infrastructure, any technology orchestration system integration starts from a major disadvantage. Many legacy ITAMs already struggle to integrate and include data from the physical world of laptops, mobiles, and boxed software running on servers and laptops. Introducing Cloud brings a whole new set of complications and challenges to integration because Cloud infrastructure is ephemeral, constantly moving, and not necessarily tied to a physical device (even if it is tied to an IP address, and that IP address may be reused by a different resource later). So you need to understand what the potential integration paths for Cloud might be. A good starting point is determining whether your orchestration system already has good Cloud infrastructure data acquisition capabilities. In most cases, this will require an agentless architecture, which tends to be more flexible and allows a more agile approach to adding Cloud infrastructure data sources from public Clouds like AWS and Microsoft Azure, and public PaaS providers like Heroku or Red Hat.
Key Step: Answering this question requires due diligence on what is possible with existing systems and what capabilities an orchestration system has, or can be augmented with, for improved information capture. Once you have a good idea of what the status quo is and what is possible, the implementation team should construct detailed flow diagrams laying out a visual map of the data acquisition process. Make sure that these maps support the desired use cases and goals for integrating Cloud IT assets into the broader orchestration system. Make sure to consider future Cloud infrastructure possibilities to avoid product lock-in.
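The census problem described above, as an added example that is not part of the original article: a small Python normalizer that takes records shaped like trimmed AWS EC2 DescribeInstances and Azure VM listings (constructed sample data; the Azure field names are assumed), keys every asset on its cloud-native resource ID rather than its IP address, and diffs two snapshots to surface churn, IP reuse, and assets with no owner tag.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    asset_id: str            # stable cloud-native ID; IPs are reused and must not be the key
    provider: str
    ip: Optional[str]
    owner: Optional[str]     # value of an "Owner" tag, if the resource carries one

def normalize_aws(instances):
    """Map trimmed EC2 DescribeInstances records onto the unified Asset schema."""
    out = []
    for inst in instances:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        out.append(Asset(f"aws:{inst['InstanceId']}", "aws",
                         inst.get("PrivateIpAddress"), tags.get("Owner")))
    return out

def normalize_azure(vms):
    """Map trimmed Azure VM records (field names assumed) onto the Asset schema."""
    return [Asset(f"azure:{vm['id']}", "azure", vm.get("privateIp"),
                  vm.get("tags", {}).get("Owner")) for vm in vms]

def reconcile(previous, current):
    """Diff two census snapshots by resource ID and flag inventory risks."""
    prev = {a.asset_id: a for a in previous}
    cur = {a.asset_id: a for a in current}
    prev_ip = {a.ip: a.asset_id for a in previous if a.ip}
    return {
        "added": sorted(cur.keys() - prev.keys()),
        "removed": sorted(prev.keys() - cur.keys()),
        # same IP now fronts a different resource: an IP-keyed CMDB would silently miss the swap
        "ip_reused": sorted(a.asset_id for a in current
                            if a.ip in prev_ip and prev_ip[a.ip] != a.asset_id),
        "unowned": sorted(a.asset_id for a in current if not a.owner),
    }

# Constructed snapshots: at T1 the AWS instance was replaced, inherited the old IP and lost its tags.
AZURE_VM_ID = "/subscriptions/example-sub/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web01"
T0_AWS = [{"InstanceId": "i-0aaa11112222", "PrivateIpAddress": "10.0.1.5",
           "Tags": [{"Key": "Owner", "Value": "payments"}]}]
T1_AWS = [{"InstanceId": "i-0bbb33334444", "PrivateIpAddress": "10.0.1.5", "Tags": []}]
AZURE = [{"id": AZURE_VM_ID, "privateIp": "10.1.0.4", "tags": {"Owner": "web"}}]

def census_report():
    """Reconcile the two constructed snapshots; the Azure VM is unchanged between them."""
    t0 = normalize_aws(T0_AWS) + normalize_azure(AZURE)
    t1 = normalize_aws(T1_AWS) + normalize_azure(AZURE)
    return reconcile(t0, t1)
```

Keyed on resource IDs, the report shows the old instance as removed and the new one as added, reused-IP and unowned, which is exactly the churn an IP- or device-keyed inventory would miss.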
How can you leverage this new integration for more strategic and business value?
By creating a unified view of your entire IT estate that can drive improved security and productivity workflows for IT, security, finance, and HR, technology orchestration can be a major unlock for strategic value. This is particularly true for integrating Cloud infrastructure, which is the fastest growing portion of the IT estate in terms of costs and deployments. In fact, a budding area of expertise here is FinOps, which is shorthand for Cloud Financial Management. FinOps brings a DevOps mentality to the financial aspects of Cloud deployments and tries to create the same types of automations and workflows for Cloud infrastructure as we see in standard DevOps CI/CD processes. The goal is more proactive management of Cloud infrastructure, but also viewing Cloud as a lens through which key business decisions can be objectively assessed by examining consumption patterns and customer use cases. This is just one example, but many more are likely to pop up once Cloud becomes integrated with an orchestration solution for the enterprise and, by extension, exposed to other business systems like ERP (finance), HRIS (HR), and SIEM (security).
Conclusion: Enterprise Technology Orchestration for Cloud and beyond
Beyond these three considerations lies a whole new universe of use cases for organizations that truly embrace ETO as a strategic single source of truth for the IT estate. Add bi-directional syncing to ETO-Cloud integrations and you have created a powerful near-real-time compliance and auditing tool that can replace expensive standalone Cloud auditing products or radically streamline painful processes like SOC2 audits. In addition, Cloud is morphing into individual functions with services like AWS Lambda, which are even smaller IT components. This means that IT’s responsibility to manage Cloud assets will only grow more complicated, so IT teams will need to consider, sooner rather than later, how to unify their IT estate in a single system to make their lives easier and deliver strategic value.