The Inner Circle

I'm just curious - 

Has anyone come across any best practices, recommendations for decommissioning cloud-hosted assets?

Thanks,
Anthony Smith

------------------------------
Anthony Smith
CyberAdvisor
Ford
------------------------------

Anthony,

It depends on the assets, how they are cloud-hosted - IaaS, PaaS, Serverless, etc. - and what kind of decommissioning planning went on at the beginning.

I was able to find a good summary from SEI, section 4.1.4 - 4.1.5, https://resources.sei.cmu.edu/asset_files/TechnicalReport/2019_005_001_551472.pdf

If cloud hosting was a run on IaaS, run encrypted, backup encrypted, leave undecipherable behind. 
What will you leave behind?
What is the risk? Impact?
How are you treating portability?

If running other XaaS, did you build in safeguards to mitigate the risks? Like spreading jigsaw puzzle pieces across a table.

If mid-project with no exit planning, begin the adjustments you need to make to make any left behind data unreadable/unusable.

All providers have a data retention policy in their agreements. Make sure those are read and fully understood.

Consider all cloud hosting temporary and plan accordingly.




------------------------------
Michael Burke
------------------------------

Original Message:
Sent: Jun 07, 2021 10:54:18 AM
From: Anthony Smith
Subject: Decommissioning cloud-hosted assets

I'm just curious -

Has anyone come across any best practices, recommendations for decommissioning cloud-hosted assets?

Thanks,
Anthony Smith

------------------------------
Anthony Smith
CyberAdvisor
Ford
------------------------------

Ok thanks, I'll check out the link.
'
I may draft a decom guideline and if so, I may post it in this forum for feedback.

But off the top of my head, the doc may cover the following:

a) implement a tagging process/strategy
b) verify data lifecycle (for cloud) aligns with our on-prem data decom process
c) ensure cryptoshredding process is in place
d) define a process that addresses removal/review of cache content (primarily sensitive/confidential data)
e) proper removal of network config settings, tear down of VPCs, etc
f) review/removal of user/privileged accounts 
g) backup of source code
h) api portability review/update, etc
i) vulnerability scanning before data/source code is archived??
j) spin down unused resources/services, etc
k) structured/unstructured data is in an industry-usable format...

------------------------------
Anthony Smith
CyberAdvisor
Ford
------------------------------

Original Message:
Sent: Jun 10, 2021 07:47:13 AM
From: Michael Burke
Subject: Decommissioning cloud-hosted assets

Anthony,

It depends on the assets, how they are cloud-hosted - IaaS, PaaS, Serverless, etc. - and what kind of decommissioning planning went on at the beginning.

I was able to find a good summary from SEI, section 4.1.4 - 4.1.5, https://resources.sei.cmu.edu/asset_files/TechnicalReport/2019_005_001_551472.pdf

If cloud hosting was a run on IaaS, run encrypted, backup encrypted, leave undecipherable behind.
What will you leave behind?
What is the risk? Impact?
How are you treating portability?

If running other XaaS, did you build in safeguards to mitigate the risks? Like spreading jigsaw puzzle pieces across a table.

If mid-project with no exit planning, begin the adjustments you need to make to make any left behind data unreadable/unusable.

All providers have a data retention policy in their agreements. Make sure those are read and fully understood.

Consider all cloud hosting temporary and plan accordingly.




------------------------------
Michael Burke

Original Message:
Sent: Jun 07, 2021 10:54:18 AM
From: Anthony Smith
Subject: Decommissioning cloud-hosted assets

I'm just curious -

Has anyone come across any best practices, recommendations for decommissioning cloud-hosted assets?

Thanks,
Anthony Smith

------------------------------
Anthony Smith
CyberAdvisor
Ford
------------------------------

Sounds like complex work :) with no easy answers.

Best regards
TJ

------------------------------
Tomasz Janczewski
Warsaw
------------------------------

Original Message:
Sent: Jun 10, 2021 10:38:46 AM
From: Anthony Smith
Subject: Decommissioning cloud-hosted assets

Ok thanks, I'll check out the link.
'
I may draft a decom guideline and if so, I may post it in this forum for feedback.

But off the top of my head, the doc may cover the following:

a) implement a tagging process/strategy
b) verify data lifecycle (for cloud) aligns with our on-prem data decom process
c) ensure cryptoshredding process is in place
d) define a process that addresses removal/review of cache content (primarily sensitive/confidential data)
e) proper removal of network config settings, tear down of VPCs, etc
f) review/removal of user/privileged accounts
g) backup of source code
h) api portability review/update, etc
i) vulnerability scanning before data/source code is archived??
j) spin down unused resources/services, etc
k) structured/unstructured data is in an industry-usable format...

------------------------------
Anthony Smith
CyberAdvisor
Ford

Original Message:
Sent: Jun 10, 2021 07:47:13 AM
From: Michael Burke
Subject: Decommissioning cloud-hosted assets

Anthony,

It depends on the assets, how they are cloud-hosted - IaaS, PaaS, Serverless, etc. - and what kind of decommissioning planning went on at the beginning.

I was able to find a good summary from SEI, section 4.1.4 - 4.1.5, https://resources.sei.cmu.edu/asset_files/TechnicalReport/2019_005_001_551472.pdf

If cloud hosting was a run on IaaS, run encrypted, backup encrypted, leave undecipherable behind.
What will you leave behind?
What is the risk? Impact?
How are you treating portability?

If running other XaaS, did you build in safeguards to mitigate the risks? Like spreading jigsaw puzzle pieces across a table.

If mid-project with no exit planning, begin the adjustments you need to make to make any left behind data unreadable/unusable.

All providers have a data retention policy in their agreements. Make sure those are read and fully understood.

Consider all cloud hosting temporary and plan accordingly.




------------------------------
Michael Burke

Original Message:
Sent: Jun 07, 2021 10:54:18 AM
From: Anthony Smith
Subject: Decommissioning cloud-hosted assets

I'm just curious -

Has anyone come across any best practices, recommendations for decommissioning cloud-hosted assets?

Thanks,
Anthony Smith

------------------------------
Anthony Smith
CyberAdvisor
Ford
------------------------------