Securing Born in the Cloud Businesses

Everyone’s had this recently: the organisations they partner with are becoming (justifiably) more stringent about security. It creates some thorny problems, though:

  • How do we get the security without bludgeoning our business to death?
  • How do we improve data protection without making our staff rage quit?
  • How do we align the initiatives we take with broader security standards?

Born in the Cloud

When we’re talking about a Born in the Cloud Business (BITC) we’re talking about this sort of company:

  • Not much in the way of legacy systems.
  • Mostly SaaS based tools.
  • A boat load of BYOD.
  • Loosey Goosey office security 🙂

Larger organisations like working with businesses like these. They’re small, agile and generally full of rock-star grade experts in their field. But large organisations are also terrified of working with these sorts of companies. The locked-down, SOE-based (Standard Operating Environment) working day they’re used to, which gives them a measure of confidence, isn’t present in a BITC business. The large org wants all the warm fuzzy security but also wants to keep the innovation and the glint in their partner’s eye.

Security Standards

In Europe this is a lot more mature than it is in Australia. Two different standards get bandied about:

Essential 8

These are a set of guidelines that the Australian Signals Directorate publishes as advice, called the Essential Eight Maturity Model. It covers eight mitigation strategies (application control, patching applications, Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups), and for each one an organisation can reach one of four maturity levels (Maturity Level 0 to 3). It was originally envisaged as a straightforward, practical approach to data security but has been “beefed up” to be a lot more complex over time.

ISO 27001

Another standard is ISO 27001 (formally ISO/IEC 27001). This is a heavyweight standard to attain and can take 6–18 months depending on your complexity, maturity and size.

It covers a range of technology and policy “controls” that should be applied. You can self-assess your compliance first, but certification means having that assessment audited by an accredited external certification body.

Essential Eight Maturity Level 3 (the highest) is roughly a subset of the work you’d need to complete to get to ISO 27001. The Essential Eight is used in Australian Federal and State Governments; ISO 27001 is a global standard.

What do I need to do?

We at jtwo have been on the journey of achieving both and we have some general advice on how to get going.

We aren’t security consultants, and our professional indemnity doesn’t allow us to be, so take this advice with a grain of salt. That should keep our insurers happy 🙂

So, with that out of the way: it’s a big beast, but here are some pointers on how to get started. We use Microsoft 365 with E5 licensing, so a lot of the tools we need to build this stuff out are already there and already paid for.

Take it Seriously

You can’t fake this stuff. You have to embrace the idea of security in your bones or you won’t get anywhere. You have to think about the tools, processes and behaviours you use and think about them through a security lens. Once you’ve embraced the idea of security it all starts to look a bit more achievable.

Build Registers

Each of these security standards requires a set of lists and registers you need to keep: asset registers (physical and information-based), risk registers and the like, and there are a lot of them. This is particularly the case with ISO 27001.

We use Office365 so we built each of these registers as SharePoint Lists. They are easy to use and they can be used in reporting too.

Embrace a SOE

Everyone hates them, they suck. They make it hard for you to be flexible and innovative. Developers hate them especially. But you should consider an SOE part of your new world order. We use E5 licensing for Microsoft 365, and as part of this we get Intune and Defender for Endpoint. Rolling these out together (Intune to enrol and configure devices, Defender to monitor them) helps you tick lots of boxes and actually be secure to boot.

MFA Everywhere, All at Once

You probably already do this; in fact, if you don’t, do it as soon as you’ve read this. We use Microsoft 365 and all our identities are in Azure AD (now Microsoft Entra ID). We’ve turned on MFA using Microsoft Authenticator and it does a lot of the heavy lifting. Enforce it with a Conditional Access policy (or security defaults) rather than per-user settings, so that it is applied to everyone consistently, and exclude only a break-glass account whose credentials are kept offline.

Policies, Policies, Policies

You’ll need to write and maintain lots of policies. These are generally short (thankfully) but they need to be reviewed periodically and you need to record attestations that people have read, understood and agreed to the policies.

We build our policies as Word Documents and we built a PowerApp that lets people read and agree to the policies. The records for this go in our SharePoint lists for record keeping.

Enforcement

You need to enforce the use of policies, practices and tools. Consider making security compliance part of your staff meetings. Reward people for good behaviour and following policies. Gently (at first) nudge people towards good behaviour if they’re lagging behind.

Microsoft 365 and Purview are your friends

While many of the compliance activities you’ll need to do are policy- and people-based, there’s a lot of technology stuff too. As a BITC business you have a lot of this at your fingertips. We use Microsoft 365, and Purview is part of the E5 licensing we have. It’s got a bunch of great technology you can use to improve your security, and Compliance Manager arranges it as a set of scores, so you get the dopamine rush when you move the score up too. If you use M365 and have E5 you should definitely explore this. It will help greatly.

Data Classification

This is a big one and can be hard. Data classification is generally difficult, but the Purview classification tools (built-in sensitive information types and trainable classifiers) can do much of the classification work for you. Here’s what our Teams, email and other communication profile looks like (screenshot not reproduced here).

We should probably tone down the fruity language.

This is also what our data looks like from the perspective of sensitive information (screenshot not reproduced here).

You can see that we use what might be considered sensitive information in the content of our comms. This will vary from org to org, but you don’t have to do anything to get the detection; it works out of the box. Acting on it (sensitivity labels, DLP policies, retention) is the part you still have to configure.

Standards Mapping

Another interesting capability is the standards mapping. In Compliance Manager you can choose an assessment template such as Essential Eight Maturity Level 3 or ISO 27001 and apply it to the controls you have in Microsoft 365. This gives you a (probably massive) checklist of changes you need to make to meet that standard.

Microsoft also has its own security baseline, which is applied to your controls in the same way. Here’s an example of how it provides a gauge of your compliance (screenshot not reproduced here).

Because many controls are shared between templates, moving this score up moves you along with the various standards at the same time.


Single Cloud or Multi-Cloud: The Ultimate Debate

Today, we’re going to talk about a hotly debated topic in the tech industry – whether to pick a single cloud provider or go for a multi-cloud strategy. As someone who’s been in the industry for a while, I’ve seen companies go back and forth on this topic, and I think it’s time to weigh in with some of my observations.

Let’s start with the basics. A single cloud provider means that your company uses one cloud provider to host its applications, services, and data. On the other hand, a multi-cloud strategy means that you use multiple cloud providers for the same purpose. Sounds simple, right? Well, not exactly.

While the idea of using multiple cloud providers might seem like a good way to hedge your bets, the reality is that it can quickly become a headache for your organisation. One of the biggest challenges is the overhead that comes with establishing a presence in more than one cloud provider. Each provider has its own set of tools, services, identity model and pricing, which means that you need to invest time, money and resources in learning and maintaining all of them. Not to mention the added complexity of managing data across multiple clouds, which can result in increased latency, a larger surface of identities and audit trails to secure and join up, and compliance issues.

For smaller organisations, a keep-it-simple approach might be best. According to a recent survey by LogicMonitor, 87% of SMBs are using a single cloud provider, and only 13% are using a multi-cloud strategy. This is because smaller companies typically have limited resources and cannot afford to spread themselves too thin. By using a single cloud provider, they can focus on their core business and avoid the added complexity of managing multiple cloud environments.

But what about larger organisations with more resources? Surely, they can handle a multi-cloud strategy, right? Well, not so fast. A recent report by Flexera found that 93% of enterprises have a multi-cloud strategy, but only 16% of them have the expertise to manage it. This means that most organisations are struggling to keep up with the demands of a multi-cloud environment, which can lead to increased costs, downtime, and security risks.

So, what’s the solution? While it’s tempting to go for a multi-cloud strategy to take advantage of the best features of each provider, the reality is that it’s not always worth the overhead. Instead, companies should focus on finding the right cloud provider that meets their specific needs and invest in developing the skills to manage it effectively.

At cloudstep.io we created a simple three-step ‘Business Case in a Box’ process that leverages our tooling to help organisations big or small answer these questions. It starts with a rapid assessment that provides lightweight, express validation of your cloud intention by exploring and validating different migration scenarios. The output of this assessment identifies any organisational knowledge gaps, followed by focused analysis to prepare the organisation for a successful migration.

The decision to pick a single cloud provider or a multi-cloud strategy should not be taken lightly. While multi-cloud might seem like a good idea in theory, the overhead and skills requirements can quickly become overwhelming for most organisations. Like many things in life, it’s not a simple case of one size fits all. Investing time upfront in validating your requirements, assessing candidate cloud providers and planning your migration could spare you a lot of sleepless nights. Thanks for reading!


Cloud Migration: Why Your Business Needs a Robust Business Case

Today I want to talk to you about an important topic that can make or break a company’s success in the digital age: migrating infrastructure to the public cloud. As the world becomes increasingly digital, businesses must adapt to survive. And one of the most significant changes a company can make is moving their infrastructure to the public cloud.

Now, I know what you’re thinking. “But, why should I move my data to the cloud? Isn’t it just another buzzword that’ll fade away in a few years?” I’m here to tell you that not only is the cloud here to stay, but it can also be a game-changer for your business. In this article, I’ll explain why establishing a business case for cloud migration is crucial, how to choose the right cloud provider, and why cost shouldn’t be the only factor to consider.

First things first, let’s talk about why you should even bother migrating to the cloud. The answer is simple: scalability and flexibility. The cloud offers a level of agility that on-premises solutions simply can’t match. With the cloud, you can scale your resources up or down as needed, pay only for what you use, and access your data from anywhere in the world. This level of flexibility can be a game-changer for businesses of all sizes, allowing them to respond quickly to changing market conditions, improve operational efficiency and reduce costs.

Now that we’ve established why the cloud is important, let’s talk about choosing the right cloud provider. There are plenty of cloud providers out there, from big names like AWS, Azure, and Google Cloud to smaller private cloud players. But how do you decide which one is right for you? There are many factors to consider when choosing a provider, including cost, security, reliability, supportability, and ease of use. However, I want to stress that cost should not be the only factor you consider. While it’s important to stay within your budget, choosing the cheapest provider could end up costing you more in the long run if the provider doesn’t meet your needs. Instead, focus on finding a provider that can offer the right mix of features, support, and security that your business requires.

Of course, simply choosing a cloud provider isn’t enough. You need to validate your choice to ensure that it truly aligns with your business case. So, what exactly does a business case entail? Essentially, it’s a comprehensive analysis of your current infrastructure, your business needs, and your goals for the future. It involves exploration of different migration scenarios, identification and comparison of costs to identify the validity and viability of one choice vs another. This will help you identify the areas of your IT landscape that could benefit the most from a cloud migration and determine which cloud provider can best meet your needs.

A robust business case is essential to secure the buy-in of key stakeholders in the organisation. This includes executives, investors, and board members. The business case should outline the ongoing financial operational benefits of migrating to the public cloud, in addition to the softer benefits such as improved scalability, and increased agility. By presenting a solid business case, you can effectively communicate the value proposition of the migration and gain the support of those who hold the purse strings.

At cloudstep.io we created a simple three-step ‘Business Case in a Box’ process that leverages our tooling to explore different migration scenarios and build a business case. It starts with a rapid assessment that provides lightweight, express validation of your cloud intention. Our tooling lets you develop a board-ready business case, comprising the capital and operational costs that are important and specific to your organisation. Once you’ve identified the optimum business case, the output of this assessment identifies any organisational knowledge gaps, followed by focused analysis to prepare the organisation for a successful migration.

Establishing a business case for your cloud migration and choosing the right provider are crucial to the success of your cloud journey. Don’t rush into any decisions without first conducting thorough analysis. Remember, cost is just one piece of the puzzle. Keep your business goals and needs in mind, and you’ll be well on your way to a successful cloud migration.


The Cloud Migration Pitfalls You Need to Know: Why Understanding Your Applications is Critical


Public cloud migration has for a while been the buzzword on everyone’s lips. It is often described as a no-brainer for organisations whose core business is not managing IT systems. Sure, there are plenty of good reasons to take your organisation’s applications to the cloud: lower costs, better scalability and increased flexibility. But here’s the thing: it’s not all sunshine and rainbows, and there are definitely some pitfalls you need to be aware of.

One of the most critical factors to consider when migrating applications to the cloud is having a solid understanding of those applications, their relationships with one another, and the infrastructure that underpins them. This is essential if you want to avoid a disruptive migration that could have significant impacts on your organisation’s operational performance.

According to a recent study conducted by Harvard Business Review, a poor understanding of applications and infrastructure is one of the leading causes of disruption during a cloud migration. The study found that only 38% of IT leaders had a clear understanding of their organisation’s applications, while only 26% understood the relationships between applications and infrastructure. These statistics are worrying, especially when you consider that a failed cloud migration can have real and lasting consequences.

For instance, a poorly planned migration can result in application downtime, data loss, and security breaches, all of which can lead to significant financial losses and damage to your organisation’s reputation. These consequences can be particularly devastating for small and medium-sized enterprises (SMEs), which may not have the resources to recover quickly from such disruptions.

So, what can you do to avoid these pitfalls? Well, first and foremost, you need to ensure that you have a thorough understanding of your organisation’s applications and infrastructure. Sounds easy right? This means conducting a comprehensive inventory of your applications, documenting their dependencies and relationships, and mapping out your infrastructure architecture. Where do you start? How do you know where to focus your attention? How do you make this a cost effective exercise?

At cloudstep.io we created a simple three step ‘Business Case in a Box’ process that leverages our unique tooling to answer these questions. Starting with a rapid assessment to provide lightweight, express validation of cloud intention. The output of this assessment identifies any organisational knowledge gaps followed by focused analysis to prepare the organisation for a successful migration.

As with anything outside the scope of your core business, it’s wise to also consider working with a trusted cloud service advisor who can provide your organisation with expert guidance and support throughout the migration process. This will help ensure that your migration is seamless and that your applications and data are migrated securely and efficiently.

As a wrap, migrating your organisation’s applications to the public cloud can be a fantastic way to save costs and increase flexibility. However, it’s essential to recognise that this process comes with its own set of challenges and pitfalls. To avoid disruption of your business, it’s critical to have a solid understanding of your applications and infrastructure, as well as to work with a trusted cloud service advisor. With careful planning and execution, you can ensure a successful migration and reap the benefits of the cloud without putting your organisation’s operational performance at risk.


AWS EventBridge Triggering SSM Automation IAM Role Error

I recently wanted to create an Amazon EventBridge rule that will schedule an SSM Automation document.

A rule watches for certain events (a cron schedule, in my case) and routes them to the AWS targets you choose. You can create a rule that performs an AWS action automatically when another AWS action happens, or a rule that performs an AWS action regularly on a set schedule.

EventBridge needs permission to call ssm:StartAutomationExecution for the supplied Automation document and parameters. When you create the rule in the console, it offers to generate a new IAM role for this task.

In my case I received an error like below:

Error Output

The Automation definition for an SSM Automation target must contain an AssumeRole that evaluates to an IAM role ARN.

If you receive this error, you can create the role manually using the CloudFormation template below. Read the message literally: the Automation document itself must declare an assumeRole (typically assumeRole: "{{ AutomationAssumeRole }}"), and the rule target must pass a real role ARN in that parameter. An unset or empty parameter is what “does not evaluate to an IAM role ARN”.

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template IAM Roles for Event Bridge | SSM Automation

Resources:
  AutomationServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            # Trusted by EventBridge, the service that calls StartAutomationExecution.
            # If the document's assumeRole names this same role, SSM Automation must also be
            # able to assume it, so ssm.amazonaws.com has to be added here as well.
            - events.amazonaws.com
          Action: sts:AssumeRole
      ManagedPolicyArns:
      # AWS-managed policy for SSM Automation service roles. It is broad (EC2, Lambda,
      # CloudFormation and more), so scope it down once the automation is working.
      - arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole
      Path: "/"
      RoleName: EventBridgeAutomationServiceRole
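For comparison, here is a complete, least-privilege version of the same setup as an added example. It is not the original post’s template; it was written for this page and splits the work across two roles: one that EventBridge assumes only to start the execution, and one that SSM Automation assumes to run the document’s steps. The document content, the tag filter Schedule=nightly, the cron time and all resource names are assumptions made for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - scheduled EventBridge rule that starts an SSM Automation document with separate invoke and assume roles

Resources:
  # Role that SSM Automation assumes while the document runs (the document's assumeRole).
  # It must trust ssm.amazonaws.com, not events.amazonaws.com, and is scoped to what the steps need.
  AutomationAssumeRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: DescribeInstancesOnly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ec2:DescribeInstances
                Resource: '*'   # DescribeInstances does not support resource-level permissions

  # Constructed document: assumeRole is declared and wired to the AutomationAssumeRole parameter,
  # which is exactly what the EventBridge error message asks for. Content is written as a map;
  # CloudFormation serialises it to JSON for SSM.
  AutomationDocument:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      Content:
        schemaVersion: '0.3'
        description: Constructed example that lists instances tagged for a nightly schedule
        assumeRole: '{{ AutomationAssumeRole }}'
        parameters:
          AutomationAssumeRole:
            type: String
            description: ARN of the role SSM Automation assumes for this execution
        mainSteps:
          - name: describeInstances
            action: aws:executeAwsApi
            inputs:
              Service: ec2
              Api: DescribeInstances
              Filters:
                - Name: tag:Schedule
                  Values:
                    - nightly

  # Role that EventBridge assumes to call StartAutomationExecution. It only needs to start this
  # one document and to pass the automation role to SSM; it runs no steps itself.
  EventBridgeInvokeRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: StartThisAutomation
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ssm:StartAutomationExecution
                Resource: !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/${AutomationDocument}:*'
              - Effect: Allow
                Action: iam:PassRole
                Resource: !GetAtt AutomationAssumeRole.Arn
                Condition:
                  StringEquals:
                    iam:PassedToService: ssm.amazonaws.com

  # Cron rule (UTC) whose target is the document. Input supplies the assume-role ARN as a
  # one-element list, which is the shape SSM Automation parameters take.
  NightlyAutomationRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Start the automation every weekday at 18:00 UTC
      ScheduleExpression: cron(0 18 ? * MON-FRI *)
      State: ENABLED
      Targets:
        - Id: StartAutomation
          Arn: !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/${AutomationDocument}:$DEFAULT'
          RoleArn: !GetAtt EventBridgeInvokeRole.Arn
          Input: !Sub '{"AutomationAssumeRole": ["${AutomationAssumeRole.Arn}"]}'
```

Deploy it with `aws cloudformation deploy --template-file template.yaml --stack-name eventbridge-ssm-example --capabilities CAPABILITY_IAM`. The PassRole grant is conditioned on iam:PassedToService so the invoke role can hand the automation role to SSM and nothing else, and the automation role carries only the single API call the step makes, which is the part you would widen (or swap for a managed policy) as the document grows.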