We Walk Together: A Risk Management Journey In The Cloud

Over the past four years, Horangi has had the great privilege of working with some of the biggest and most influential companies in Southeast Asia. Horangi CTO and Co-Founder Lee Sult highlights the lessons he's learned in the cloud adoption journey.

Over the past four years, Horangi has had the great privilege of working with some of the biggest and most influential companies in Southeast Asia. We have had front row seats for the creation of internal cybersecurity teams in the face of talent shortages, we have seen sweeping change to engineering processes and helped some customers migrate from traditional enterprise processes to more scalable cloud services as cloud infrastructure becomes more prolific. Through all of this, we have learned how to work with customers to craft cybersecurity strategies that fit their needs as they experiment with or migrate to the cloud. 

Thanks to such great collaboration with our customers, we’ve learned a few lessons: 

  1. Almost everyone is migrating to cloud infrastructure, experimenting with it or at least thinking about how it can help their business.
  2. A company might not be a software company, but they will probably need to hire or engage a technical team with at least DevOps and Software Engineers if they want to digitize. 
  3. The shortage of DevOps, Software Engineers, and Cybersecurity Specialists in the region means that organizations need additional solutions to manage this migration.
  4. The risk postures of these organizations are changing, but many do not realize how the fundamental nature of identifying, preventing, and mitigating risks are changing as well.

As a cybersecurity company, we would like to focus on the last point and explain how a company’s risk posture may change as they adopt cloud technologies. 

Adopting The New Speed of Deployment

First and foremost, cloud technology is very effective for improving redundancy and implementing disaster recovery for most tech stacks. If it is possible to define your “cloud infrastructure as code”, such as using a technology like AWS CloudFormation, it may be possible to stand up a production-ready duplicate of your entire infrastructure in minutes. Horangi operates a serverless infrastructure and we have tested this capability ourselves. Compared to my previous experience with older on-prem Windows domains, it is awesome. 

I once worked with a team of over 200 people who flew in from all over the globe to redeploy a large number of bare metal transaction servers and implement end-to-end encryption. We set what we believed was an industry-best at 11 days while we all worked around the clock. It was challenging, we did well and it was a rewarding experience but it was not something that could be done more than once. Absent a crisis, it would be more likely to take closer to 90 days to complete the same set of tasks.

With an effective cloud infrastructure, it is possible for a single DevOps professional to redeploy your entire stack before their first cup of coffee is empty. Also, this can be done from anywhere. At Horangi, we redeploy quite often to support our engineering process so I’m sure someone from our DevOps team has done it from the comfort of their sofa, at least once. There’s also a legend floating around about DevOps averting a crisis from the back of a rideshare — still not sure what that whole story was about, but great job team!

Having such power and convenience at one’s fingertips obviously raises a lot of security concerns. However, it’s not much different than your existing enterprise admin being able to VPN or RDP into the network for rapid access to the primary domain controller. We all have to trust at least one person with the keys to your kingdom. The difference is, if something gets messed up, it only takes a few minutes to revert to a previous version and/or redeploy everything if your infrastructure is defined as code.

In addition, AWS IAM roles allow for a lot of granularity in the separation of powers and implementation of a role-based access strategy. The options are more user friendly and quite a bit more granular than that of old-school on-prem Windows domains. To be fair, I haven’t used Active Directory in almost 5 years and I’m sure there have been improvements and similar features may exist for Active Directory’s identity management. 

The Shift to Remote Work

A more tangible demonstration of a change in risk posture that is less cybersecurity-related is supporting remote work. It has been a busy year rife with emergencies from the Hong Kong riots, the volcanic eruption outside Manila, the recent flooding in Indonesia, and of course the virus that has the world worried. All of these incidents have caused many organizations to adopt temporary work-from-home policies for a variety of safety concerns. In traditional enterprises where digitization has not yet become the norm, it can be very difficult to support remote workers and it is downright impossible to support remote work in sectors like construction or manufacturing. Our region is experiencing the most severe impacts on operations from COVID-19 and the full extent of the damage has yet to be seen.

For companies that are 100% in the cloud and have a strong technical team, the experience of asking your team to work from home can be nearly painless. In Horangi’s case, as much as we love our office space(s) and our strong culture, we can also work remotely rather easily. Our tech stacks and productivity tools are entirely cloud-based meaning that most of our employees only need a stable internet connection to collaborate and do their work in a first-class way. This also allows us to support a flexible work schedule as a normal course of business which is a luxury that many start-ups have become accustomed to. 

Most of our customers, and indeed most of the market, is somewhere in the middle of their migration to the cloud. For example, some customers have migrated to G Suite or Office 365 but a majority of their core technical infrastructure are still physical servers residing in a local data center which requires a local VPN. This can cause connectivity issues for travelers or international teams and may be subject to local outages depending on the quality of the data center. If you’ve ever tried to get work done over an MPLS or VPN from a remote vacation, you will remember the pain.

Other customers have moved to a robust Continuous Integration and Continuous Development process for their engineering team thereby demonstrating a great capacity to increase organizational maturity. However, sometimes these customers struggle to migrate away from older on-prem Active Directory and productivity tools to something more scalable.  We theorize that this is an indication that the technical teams at these organizations are ready to innovate but other teams in the organization may not be. To add another layer, these types of difficulties in the migration process are compounded for everyone due to the shortage of talent. 

This is where community and partnerships come in. It’s been amazing to see the growth and camaraderie in both the cybersecurity and cloud engineering communities since we started Horangi. I often find myself on the phone with other founders and executives helping them determine the severity of a cybersecurity issue or helping them determine when the right time to invest in a security program may be. They often help us understand problems within their industry so that we may work together to mitigate looming risks. 

To do our part, we’ve grown our cloud security consultation capabilities and continue to perform research on market-specific challenges. Horangi Warden, our Cloud Security Posture Management (CSPM) product built around these learnings, is aimed to help our customers manage their vulnerabilities and gain visibility into their cloud infrastructure. 

If you are looking for some advice or have some questions, we would love to hear from you. In the meantime, stay safe out there!

Lee Sult

Lee Sult is the CTO & Co-Founder of Horangi. He is a veteran of the cybersecurity field who is driven to find hard problems, solve them, and explore different cultures and their points of view.

Subscribe to the Horangi Newsletter.

Be the first to hear about Horangi's upcoming webinars and events, up-and-coming cyber threats, new solutions, and the future of cybersecurity from our tech experts.