The Inner Circle

Expand all | Collapse all

Decommissioning cloud-hosted assets

  • 1.  Decommissioning cloud-hosted assets

    Posted 5 days ago
    I'm just curious -

    Has anyone come across any best practices, recommendations for decommissioning cloud-hosted assets?

    Thanks,
    Anthony Smith

    ------------------------------
    Anthony Smith
    CyberAdvisor
    Ford
    ------------------------------


  • 2.  RE: Decommissioning cloud-hosted assets

    Posted 2 days ago
    Anthony,

    It depends on the assets, how they are cloud-hosted - IaaS, PaaS, Serverless, etc. - and what kind of decommissioning planning went on at the beginning.

    I was able to find a good summary from SEI, section 4.1.4 - 4.1.5, https://resources.sei.cmu.edu/asset_files/TechnicalReport/2019_005_001_551472.pdf

    If cloud hosting was a run on IaaS, run encrypted, backup encrypted, leave undecipherable behind.
    What will you leave behind?
    What is the risk? Impact?
    How are you treating portability?

    If running other XaaS, did you build in safeguards to mitigate the risks? Like spreading jigsaw puzzle pieces across a table.

    If mid-project with no exit planning, begin the adjustments you need to make to make any left behind data unreadable/unusable.

    All providers have a data retention policy in their agreements. Make sure those are read and fully understood.

    Consider all cloud hosting temporary and plan accordingly.




    ------------------------------
    Michael Burke
    ------------------------------



  • 3.  RE: Decommissioning cloud-hosted assets

    Posted 2 days ago
    Ok thanks, I'll check out the link.
    '
    I may draft a decom guideline and if so, I may post it in this forum for feedback.

    But off the top of my head, the doc may cover the following:

    a) implement a tagging process/strategy
    b) verify data lifecycle (for cloud) aligns with our on-prem data decom process
    c) ensure cryptoshredding process is in place
    d) define a process that addresses removal/review of cache content (primarily sensitive/confidential data)
    e) proper removal of network config settings, tear down of VPCs, etc
    f) review/removal of user/privileged accounts
    g) backup of source code
    h) api portability review/update, etc
    i) vulnerability scanning before data/source code is archived??
    j) spin down unused resources/services, etc
    k) structured/unstructured data is in an industry-usable format...

    ------------------------------
    Anthony Smith
    CyberAdvisor
    Ford
    ------------------------------



  • 4.  RE: Decommissioning cloud-hosted assets

    Posted 6 hours ago
    Sounds like complex work :) with no easy answers.

    Best regards
    TJ

    ------------------------------
    Tomasz Janczewski
    Warsaw
    ------------------------------