Every business is now a technology company in some way, and just as computers made it into the office a few decades ago, the cloud is now becoming a staple for almost every business. Having worked in many client environments, I've found that the move to the cloud typically happens the same way. A department or project manager decides to launch a cloud adoption, which leads to an Azure or AWS tenant being created. Some instances are provisioned, network routes are set up, and the deployment grows organically from there.
The result of such organic growth tends to be disorganization. Naming conventions are brought in later, tools are chosen on the fly, and even if you use infrastructure-as-code, I've seen many cases where one group uses Terraform while another uses CloudFormation, and of course there are the break-fix instances where people go into the web console and change things by hand. Almost every company more than a couple of years old has a legacy environment or two. The bottom line is that in almost every case, a corporate cloud deployment never meets all the best practices.
The importance of best practices
Organic growth is important, but best practices have been established to ensure that things like security and privacy are taken into account from the outset. Even when the goal is to follow these practices, they evolve and change over time, and legacy resources are rarely brought up to speed. Tools change too: serverless computing is all the rage these days, but that wasn't the case just a few years ago, and some new buzzword will likely become the center of attention soon. This makes it hard to maintain a large, unified cloud strategy.
This is what a cloud audit process provides. It's crucial to go through all the resources in all the cloud environments, and make sure nothing fell through the cracks. But what kind of things can be found from such an audit?
First, there's the obvious: security. Are instances being patched? Are firewall rules locked down properly? Are VPNs being used correctly? Is data being encrypted? These are all questions that need to be answered, and since most businesses don't even have an accurate account of all their cloud resources currently deployed, how can you know if these resources are secure?
But a cloud audit can also save a lot of money. In almost every environment I've dealt with, there were resources that were still provisioned but that no one was using. Even for resources that are in use, there are often ways to drastically reduce costs, by using reserved instances for example.
A cloud audit can also pinpoint less obvious issues. All cloud providers have ways to monitor performance, but those tools are rarely used well. It's easy to have a bottleneck, for example an over-taxed instance, without realizing it, and your web app could be much slower than it needs to be. Log gathering is another item commonly missing from deployments.
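To make the audit questions above concrete, here is an added example (not code from the original post) of the kind of automated pass an auditor runs over an inventory snapshot: it flags firewall rules that expose sensitive ports to the whole internet, unencrypted and unattached volumes, stopped or untagged instances, and missing flow logs. The inventory is a constructed sample shaped loosely after the AWS describe-* API responses; in a real audit it would be pulled per account and region from the provider's API, and the `flow_logs_enabled` flag and the list of sensitive ports are assumptions chosen for the example.

```python
"""Small audit pass over a cloud inventory snapshot (constructed sample data)."""
from __future__ import annotations
from typing import Dict, List, Tuple

# Constructed sample inventory; field names mimic AWS describe_security_groups,
# describe_volumes and describe_instances output, but nothing here was pulled
# from a real account.
SAMPLE_INVENTORY: Dict = {
    "security_groups": [
        {"GroupId": "sg-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-admin", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    ],
    "volumes": [
        {"VolumeId": "vol-1", "Encrypted": True, "Attachments": [{"InstanceId": "i-1"}]},
        {"VolumeId": "vol-2", "Encrypted": False, "Attachments": [{"InstanceId": "i-2"}]},
        {"VolumeId": "vol-3", "Encrypted": True, "Attachments": []},
    ],
    "instances": [
        {"InstanceId": "i-1", "State": "running", "Tags": {"Owner": "web-team"}},
        {"InstanceId": "i-2", "State": "running", "Tags": {}},
        {"InstanceId": "i-3", "State": "stopped", "Tags": {"Owner": "legacy"}},
    ],
    "flow_logs_enabled": False,  # assumed flag standing in for a VPC flow-log lookup
}

# Admin and database ports that should never be reachable from the whole internet
# (assumed list; adjust to the environment being audited).
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def _port_range(rule: Dict) -> Tuple[int, int]:
    """Return the (low, high) port span a rule covers; protocol -1 means everything."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def find_world_open_sensitive_ports(groups: List[Dict]) -> List[Tuple[str, int]]:
    """Security groups whose ingress exposes a sensitive port to 0.0.0.0/0 or ::/0."""
    hits = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            if not cidrs & PUBLIC_CIDRS:
                continue  # only reachable from private ranges; not a finding here
            low, high = _port_range(rule)
            for port in sorted(p for p in SENSITIVE_PORTS if low <= p <= high):
                hits.append((group["GroupId"], port))
    return hits


def find_unencrypted_volumes(volumes: List[Dict]) -> List[str]:
    """Volumes storing data at rest without encryption."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted", False)]


def find_unattached_volumes(volumes: List[Dict]) -> List[str]:
    """Volumes billed every month but attached to nothing: a cost finding."""
    return [v["VolumeId"] for v in volumes if not v.get("Attachments")]


def find_stopped_instances(instances: List[Dict]) -> List[str]:
    """Stopped instances still hold volumes and addresses; candidates for removal."""
    return [i["InstanceId"] for i in instances if i.get("State") == "stopped"]


def find_untagged_instances(instances: List[Dict], required_tag: str = "Owner") -> List[str]:
    """Instances with no owner tag are the ones nobody can account for."""
    return [i["InstanceId"] for i in instances if required_tag not in i.get("Tags", {})]


def run_audit(inventory: Dict) -> Dict[str, list]:
    """Run every check and return findings keyed by check name (empty lists omitted)."""
    findings = {
        "world_open_sensitive_ports": find_world_open_sensitive_ports(inventory["security_groups"]),
        "unencrypted_volumes": find_unencrypted_volumes(inventory["volumes"]),
        "unattached_volumes": find_unattached_volumes(inventory["volumes"]),
        "stopped_instances": find_stopped_instances(inventory["instances"]),
        "untagged_instances": find_untagged_instances(inventory["instances"]),
        "flow_logs_missing": [] if inventory.get("flow_logs_enabled") else ["vpc-flow-logs"],
    }
    return {name: items for name, items in findings.items() if items}


if __name__ == "__main__":
    for check, items in run_audit(SAMPLE_INVENTORY).items():
        print(f"{check}: {', '.join(str(i) for i in items)}")
```

Each check is a pure function over the snapshot, so the same code can be pointed at a fresh export on every recurring audit and the results diffed against the previous run; what matters is that the inventory is complete, which is exactly the gap the text describes.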
A recurring need
Most businesses, especially those that have had a breach in the past, understand the need for regular security audits. But cloud audits should also be a recurring affair. Cloud providers introduce new features and tools that can improve your deployment all the time. But your role is running your business, not keeping track of every news item from Amazon or Microsoft. That's why bringing in an outside consultant on a regular basis is worthwhile.
The traditional guideline is that a cloud audit should happen once a year, and possibly more often if you're running a heavy workload in the cloud, such as a SaaS offering. While such an audit will never catch every possible item of value, it does give you a lot of actionable items that can both save you money and ensure a safer, more secure environment for your users.