At one company I previously worked at, cloud resources and services were used heavily. A large cloud infrastructure had been set up before I joined, which is normal.
What was not normal was that, just before I started, someone had joined the company, been given access to create resources and services on the cloud, and then abruptly left. I didn’t suspect anything at this point.
His company credentials were revoked, so he could no longer access company email or the cloud from the company’s account.
However, the virtual machines he had set up required a separate username and password that he had created himself, different from his company credentials. Revoking his company login did nothing to those local accounts: they are not tied to the company’s identity provider, so offboarding never touched them. He could therefore still access the virtual machines and virtual disks without anyone in the company knowing.
What was even worse was that he actually kept accessing the virtual machine and virtual disks he had created after he had abruptly left the company.
I could never have imagined it. I only found out by going through the cloud services one by one to understand what each service was doing and which part of the project it was linked to.
This shows the risk of having cloud resources and services running with no one knowing about them. I have seen it at 99% of the companies I have worked at. Most of the time, the person who created the cloud services, or who knew all about them, has left the company. So things just keep running and incurring costs, and no one knows anything about them.
Most of the time, the people who spun up (read: started) the services and then left the company had no malicious intent; they just forgot to turn them off. But sometimes a person wants to use your company’s money to spin up cloud services for their personal needs, whatever those may be.
The lesson I learned from this story is that I must do cloud audits and cloud security audits regularly. These audits are very simple. Too simple.
All you have to do is look at all the resources and cloud services you are using and that are turned on. Ask your team members to identify who started each one, and create a list of cloud resources against the person who started it, the person who is responsible for it, and the project it belongs to. Record this as tags on the resources themselves, so the next audit does not depend on anyone’s memory. For the security part of the audit, also note for each virtual machine which local accounts, passwords and SSH keys exist on it, because those are exactly what offboarding does not revoke.
That is all. It will give you a lot of clarity, and you will quickly turn off many unnecessary cloud services.
By identifying which cloud resource belongs to which project or person, you can tell whether that project is still ongoing. You will know whether the person who created those services created them for a company project, or whether it was just a test run, so you can easily switch off the unnecessary load.
You’d be surprised how much money you can save just by switching off resources that should not be on anymore. You may well discover that some resources and services were created by someone who has since left the company, and that they are not needed anymore.
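As an added example, not the author’s own tooling, here is the audit from the steps above written as a script. It takes a resource inventory in the shape returned by the AWS Resource Groups Tagging API (`aws resourcegroupstaggingapi get-resources`), a list of accounts still in the company directory and a list of projects still running, builds the resource / owner / responsible / project table, and flags anything with no owner, an owner who has left, no project, or a finished project. The tag names Owner, Responsible and Project, and all the ARNs, users and projects in the sample data, are constructed for the example.

```python
"""Cloud resource ownership audit.

Added example, not the author's own tooling. Input mirrors the shape of
`aws resourcegroupstaggingapi get-resources` output: a list of
{"ResourceARN": ..., "Tags": [{"Key": ..., "Value": ...}, ...]}.
The tag names below are an assumed convention, not an AWS standard.
"""
from dataclasses import dataclass, field

OWNER_TAG = "Owner"              # who started the resource
RESPONSIBLE_TAG = "Responsible"  # who answers for it today (defaults to owner)
PROJECT_TAG = "Project"


@dataclass
class Finding:
    arn: str
    owner: str
    responsible: str
    project: str
    reasons: list[str] = field(default_factory=list)

    @property
    def needs_attention(self) -> bool:
        return bool(self.reasons)


def tags_of(resource: dict) -> dict[str, str]:
    """Flatten the API's list of {Key, Value} pairs into a plain dict."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def audit(resources: list[dict], active_users, active_projects) -> list[Finding]:
    """Build the resource -> owner / responsible / project table and flag gaps.

    active_users: accounts that still exist in the company directory; a leaver
    is, by definition, absent from it.
    active_projects: projects still running; anything else counts as finished.
    """
    active_users, active_projects = set(active_users), set(active_projects)
    findings = []
    for r in resources:
        tags = tags_of(r)
        owner = tags.get(OWNER_TAG, "")
        responsible = tags.get(RESPONSIBLE_TAG, owner)
        project = tags.get(PROJECT_TAG, "")
        reasons = []
        if not owner:
            reasons.append("no owner recorded")
        elif owner not in active_users:
            # The case from the story: the creator has gone but the resource,
            # and any local credentials baked into it, is still running.
            reasons.append(f"owner '{owner}' has left the company")
        if responsible != owner and responsible not in active_users:
            reasons.append(f"responsible person '{responsible}' is not an active account")
        if not project:
            reasons.append("not linked to any project")
        elif project not in active_projects:
            reasons.append(f"project '{project}' is no longer running")
        findings.append(Finding(r["ResourceARN"], owner, responsible, project, reasons))
    return findings


def shutdown_candidates(findings: list[Finding]) -> list[str]:
    """ARNs that nobody active owns or that belong to no live project."""
    return [f.arn for f in findings if f.needs_attention]


def render_table(findings: list[Finding]) -> str:
    """Plain-text table of the inventory, one resource per line."""
    lines = [f"{'RESOURCE':<62} {'OWNER':<8} {'RESPONSIBLE':<12} {'PROJECT':<18} NOTES"]
    for f in findings:
        lines.append(f"{f.arn:<62} {f.owner or '-':<8} {f.responsible or '-':<12} "
                     f"{f.project or '-':<18} {'; '.join(f.reasons) or 'ok'}")
    return "\n".join(lines)


# Constructed sample data: four resources, one directory export, one project list.
SAMPLE_INVENTORY = [
    {"ResourceARN": "arn:aws:ec2:eu-west-2:123456789012:instance/i-0a1b2c3d4e5f60001",
     "Tags": [{"Key": "Owner", "Value": "alice"}, {"Key": "Project", "Value": "billing-migration"}]},
    {"ResourceARN": "arn:aws:ec2:eu-west-2:123456789012:volume/vol-0f9e8d7c6b5a40002",
     "Tags": [{"Key": "Owner", "Value": "bob"}, {"Key": "Project", "Value": "bob-sandbox"}]},
    {"ResourceARN": "arn:aws:rds:eu-west-2:123456789012:db:reporting-db",
     "Tags": [{"Key": "Owner", "Value": "carol"}, {"Key": "Responsible", "Value": "dave"},
              {"Key": "Project", "Value": "reporting-v1"}]},
    {"ResourceARN": "arn:aws:ec2:eu-west-2:123456789012:instance/i-0deadbeefcafe0003",
     "Tags": []},
]
ACTIVE_USERS = ["alice", "carol", "dave"]  # bob has left the company
ACTIVE_PROJECTS = ["billing-migration"]    # reporting-v1 is finished

if __name__ == "__main__":
    print(render_table(audit(SAMPLE_INVENTORY, ACTIVE_USERS, ACTIVE_PROJECTS)))
```

Run it directly to print the table. In real use, replace the sample inventory with the JSON from `aws resourcegroupstaggingapi get-resources` and the user list with an export from your identity provider; the leaver check is what would have surfaced the virtual machine in the story. The script only sees tags, so local accounts and keys that live inside a machine still have to be checked on the machine itself.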
At one company I was able to save over £10,000. If you need help with a cloud audit or cloud security audit, get in touch with me and I can show you.
Zain Daniyal is a Data Strategy Consultant.