Securing Born in the Cloud Businesses

Everyone has run into this recently: the organisations they partner with are becoming (justifiably) more stringent about security. It creates some thorny problems though:

  • How do we get the security without bludgeoning our business to death?
  • How do you improve data protection without making your staff rage quit?
  • How do we align the initiatives we take with broader security standards?

Born in the Cloud

When we’re talking about a Born in the Cloud Business (BITC) we’re talking about this sort of company:

  • Not much in the way of legacy systems.
  • Mostly SaaS based tools.
  • A boat load of BYOD.
  • Loosey Goosey office security 🙂

Larger organisations like working with businesses like these. They’re small, agile and generally full of rock-star grade experts in their field. But large organisations are also terrified of working with these sorts of companies. The locked-down, SOE-based working day they’re used to, which gives them a measure of confidence, isn’t present in BITC businesses. The large org wants all the warm fuzzy security but also wants to keep the innovation and the glint in their partner’s eye.

Security Standards

In Europe this is a lot more mature than it is in Australia. There are two different standards that get bandied about:

Essential 8

Here there is a set of guidelines that the Australian Signals Directorate has adopted and provides as advice. This is called the Essential 8 Maturity Model. It covers several areas, and each one has four levels of maturity an organisation can reach (0-3). It was originally envisaged as a straightforward, practical approach to data security but has been “beefed up” to be a lot more complex over time.


Another standard is ISO 27001. This is a heavyweight standard to attain and can take 6-18 months depending on your complexity, maturity and size.

It covers a range of different technology and policy “controls” that should be applied. You can self-assert your compliance and then have that audited externally.

Essential 8 Level 3 (the highest) is a sort of subset of the work you’d need to complete to get to ISO 27001. Essential 8 is used in Australian Federal and State Governments and ISO 27001 is a global standard.

What do I need to do?

We at jtwo have been on the journey of achieving both and we have some general advice on how to get going.

We aren’t security consultants and our professional indemnity doesn’t allow us to be, so take this advice with a grain of salt. That should keep our insurers happy 🙂

So, with that out of the way: it’s a big beast, but here are some pointers on how to get started. We use Office 365 with E5 licensing, so a lot of the tools we need to build this stuff out are already there and we already pay for them.

Take it Seriously

You can’t fake this stuff. You have to embrace the idea of security in your bones or you won’t get anywhere. You have to think about the tools, processes and behaviours you use and think about them through a security lens. Once you’ve embraced the idea of security it all starts to look a bit more achievable.

Build Registers

In each of these security standards there is a set of lists and registers you need to keep. They involve asset registers (physical and information based) and there are lots of them. This is particularly the case with ISO 27001.

We use Office 365, so we built each of these registers as SharePoint Lists. They are easy to use and they can be used in reporting too.

Embrace a SOE

Everyone hates them; they suck. They make it hard for you to be flexible and innovative. Developers hate them especially. But you should consider them part of your new world order. We use E5 licensing for Microsoft 365 and as part of this we get Intune and Defender. Rolling these out together can help you tick lots of boxes and actually be secure to boot.

MFA Everywhere, All at Once

You probably already do this; in fact, if you don’t, then do it as soon as you’ve read this. We use O365 and all the identities are in Azure AD. We’ve turned on MFA using Microsoft Authenticator and it does a lot of the heavy lifting.
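As an added example (not code from the original post), this is how the “MFA everywhere” step above can be set up as an Azure AD (now Entra ID) Conditional Access policy with the Microsoft Graph PowerShell SDK rather than by clicking through the portal. It assumes the Microsoft.Graph module is installed and that you sign in with an account allowed to manage Conditional Access; the break-glass account ID is a placeholder. The policy targets all users and all cloud apps and requires MFA, which is what Microsoft Authenticator then satisfies at sign-in.

```powershell
# Added example, not the original post's code. Assumes the Microsoft.Graph module:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# Sign in with delegated scopes that allow reading and writing Conditional Access policies.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder object ID of an emergency-access ("break-glass") account. It is excluded so
# that an Authenticator or phone outage cannot lock every administrator out of the tenant.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName   = "Require MFA for all users"
    # Start in report-only mode: sign-in logs show who would have been blocked,
    # then change the state to "enabled" once the impact has been reviewed.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Create the policy from the hashtable above.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created Conditional Access policy $($created.Id) in state '$($created.State)'"

# Verify: list every Conditional Access policy in the tenant with its enforcement state,
# which is also a quick way to spot policies someone has left in report-only or disabled.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

The report-only state and the excluded emergency account are the two parts worth keeping even if you tune everything else: the first lets you see who will be affected before enforcement, the second keeps a way back into the tenant if the MFA method itself fails.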

Policies, Policies, Policies

You’ll need to write and maintain lots of policies. These are generally short (thankfully) but they need to be reviewed periodically and you need to record attestations that people have read, understood and agreed to the policies.

We build our policies as Word documents and we built a Power App that lets people read and agree to the policies. The records for this go into our SharePoint lists for record keeping.


You need to enforce the use of policies, practices and tools. Consider making security compliance part of your staff meetings. Reward people for good behaviour and following policies. Gently (at first) nudge people towards good behaviour if they’re lagging behind.

Office365 and Purview are your friend

While many of the compliance activities you’ll need to do are policy and people based, there’s a lot of technology stuff too. As a BITC business you have a lot of this at your fingertips. We use Microsoft 365 and Purview is part of the E5 licensing we have. It’s got a bunch of great technology you can use to improve your security. It arranges it as a set of scores, so you get the dopamine rush when you move the score up too. If you use M365 and have E5 you should definitely explore this. It will help greatly.

Data Classification

This is a big one and can be hard. Data classification is generally difficult, but the Purview classification tools are able to use ML to do the classification work for you. Here’s what our Teams, email and other communication profile looks like…

We should probably tone down on the fruity language.

This is also what our data looks like from the perspective of sensitive information.

You can see that we use what might be considered sensitive information in the content of our comms. This will vary from org to org, but you don’t have to do anything to get this; it works out of the box.

Standards Mapping

Another interesting capability is the standards mapping. You can choose a standard like E8L3 or ISO 27001 and apply that template to the controls you have in O365. This will give you a (probably massive) checklist of changes you need to make to meet those standards.

Microsoft also has its own standards for security which are applied to your controls. Here’s an example of how it provides a gauge of your security compliance:

Moving this score up will move you along with various standards at the same time.

How to Achieve Cloud Cost Savings by Avoiding These Cost Overruns

Any company that runs for long enough will inevitably run into cost overruns; the key, though, is to minimise the number of cost overruns and mitigate the damage from overruns that occur. However, one of the costliest overruns a company can face has to do with cloud migration. In this article, we will tackle the ten most important strategies for avoiding a devastating financial blowout.

Elements of a Cloud Migration

When it comes to cloud migration, you’re really spoiled for choice. The market is fiercely competitive, which is great news for you, but picking the right vendor for cloud migration can be a difficult and potentially frustrating experience. Worse yet, picking the wrong one could cost you massively in the long run. Cloudstep seeks to take the pain out of the decision-making process while simultaneously ensuring you get the best deal for your company’s specific needs.

10 Ways to Avoid a Financial Blowout

1. Have your migration plans ready

Cutting costs on cloud migration is only a reality if the cloud-based system is effective. If your new cloud-based system (or the migration itself) is plagued with issues, it can lead to exorbitant cost overruns, which is why planning your migration and performance analysis is so important, and where Cloudstep’s state-of-the-art analysis comes into play, including plans to suit companies both big and small.

By tracking KPIs (Key Performance Indicators) and making note of suboptimal performance, you can track and tweak your original plan as you go. A cloud-based system is only useful if you can maximise the tangible benefits that come with moving to it. As an example, you should check out Cloud Infrastructure Monitoring Software so you can ensure everything is working to your expectations.

2. Implement continuous monitoring

This one is interesting, since it might not be immediately obvious why continually monitoring the migration period could potentially affect costs. Most companies have sensitive data that they would very much like to keep private. This could be anything from trade secrets to non-public financial data. It could also be employee data and a range of other things that aren’t intended for public (or rival) consumption.

If the cloud migration is botched, say, after a security breach, a hacker could steal this sensitive data and hold the company to ransom, abuse the information for their own (or their company’s own) benefit, or simply cause chaos as an act of malice or revenge by deleting the data. A topical security risk is that of the ransomware attack, which encrypts the data until a cryptocurrency ransom is paid. If a hacker is stealthy, you might not even know your sensitive data has been compromised until it’s too late.

3. Invest in automation

Automation makes our lives easy. We let automation set our clocks and alarms, we let automated processes trade stocks as bots, and we use automation to build most of our stuff. It has allowed our economy to boom while also reducing a lot of the need for back-breaking labour.

Cloud migration is no different. There already exists a variety of excellent tools and software to help you along the journey, including AWS Migration Services, Azure Migration Tools, Corent SurPaaS, and Carbonite Migrate. You can download our eBook for a more thorough understanding of the different tools that are available to you.

4. Reduce excess storage

We usually don’t think about it much these days, but since the dawn of the computer age to the early 2000s, the compression of a given file was given a lot of importance. Software packages like StuffIt and WinZip were created 30+ years ago to tackle bloated file archives using cutting-edge compression algorithms. The MP3, which helped lay the foundation for the digital music revolution triggered by iTunes and the iPod, was a game-changer. Compression on the internet is still useful to this day. Gone are the days where you need to turn a lossless picture file into a lossy jpeg when uploading online.

However, there is still a need for maintaining good compression techniques and minimising bloat when it comes to files your company has on hand. For instance, do you really need an uncompressed hour-long 4K video clogging up your server whose only purpose is as a training or onboarding video? (For reference, that’s a stupidly high 318 GB, although it’s an admittedly extreme example.) Video is highly compressible, and the same video would probably be just as serviceable in 1080p. If you used similar compression to YouTube, the file size plummets to about 1.65 GB. But even if you kept the video at 4K with the same compression technique, you’d still only have 2.7 GB. If such video content is sensitive, you could put the entire video on YouTube but require a valid email to watch it. This would save you a lot of storage space and bandwidth, especially when there is a lot of content involved.

5. Identify overprovisioning

If you’re going on holiday, you don’t pack your entire wardrobe (unless your name happens to be Mark Zuckerberg). Instead, you pack according to your destination. Simple enough, right?

If you only need 16 GB of server space, why pay for 64 GB? If your answer is “I might need it later”, consider that the price per gigabyte of storage is always going down. Have enough space to cover your overheads, sure, but don’t overprovision unless you have a good reason for doing so. Your company’s hypothetical overprovisioning might well be logical, but for many it is not.

6. Correct inefficient code

Inefficient code is problematic on a number of levels. While unorthodox (i.e., bloated) code might be okay in some esoteric instances, inefficient code in cloud migration can be disastrous.

According to APMdigest, inefficient apps are causing some companies to overspend by millions of dollars. It is estimated that by the end of 2022, $330 billion will be spent on the cloud, meaning that billions of dollars are being lost as the result of inefficient code. Having your code appraised now is a small price to pay to save yourself money and headaches down the line.

7. Assign an inventory owner

In the Cloud Asset API in Google Cloud, access control can be configured at the project level or organization level. In this environment, you can bestow certain individuals (or a group of developers) with access to all Cloud Asset Inventory resources within a project.

8. Manage shadow IT

The term shadow IT isn’t as well known as it should be, although almost anyone who works in a company with computers in it has probably either encountered or engaged in shadow IT. It also goes by a cavalcade of other names, including embedded IT, fake IT, stealth IT, rogue IT, feral IT, or client IT. Put simply, shadow IT is when employees who aren’t with the official IT department start implementing their own workarounds. Some have even created their own software just to bypass problematic official software.

While shadow IT can have its benefits in some aspects, including innovation and reactivity, it can also pose a risk to company control, security, and reliability. It is imperative that you keep any shadow IT efforts in check, as the road to hell is often paved with good intentions.

9. Review support contracts

Cloud service agreements can lock you into contracts that won’t do you any favours. Make sure you actually have an expert read through the terms of service to ensure you’re not breaking any rules but also that your support contract will actually get you out of a bind if something goes wrong.

10. Bring your own license

Google Cloud (and other cloud services) allows you to bring your own license (BYOL). That being said, as with any BYOL agreement, do your due diligence and ensure that you have read and understood the terms and conditions. To find out more about how to comply with these terms and how to carry out the steps in the correct order, please visit Google’s support article or the supporting documentation for any cloud service you may wish to use with a BYOL agreement.

How Cloud Computing Leads to Cost Savings

There are numerous ways in which cloud computing can reduce costs. In the following five sections, we will take a look at five of the biggest points.

Requires No Setup Investments

One of the biggest pain points for any company looking to archive data, or simply process it, is the logistical hurdles and upfront costs. Server maintenance and physical storage can add up quickly. By incorporating cloud technology to solve your storage and processing concerns, much of these upfront costs are offset. This is because the cloud space is very competitive. Moreover, the largest cloud-hosting companies in the world have done a fantastic job of cutting costs through technological innovation and scaling up to nearly unfathomably large degrees. Even the biggest companies in the world have outsourced their cloud-hosting needs to pre-established cloud-hosting companies rather than use their own proprietary server farms.

Optimal Hardware Utilization

This is sort of a follow-on from the previous point. Perhaps the best idea here is to use a simple analogy. Imagine a typical office with, say, two dozen workstations. For much of the day, the computers are either operating at partial capacity or not at all. With cloud storage, data is processed and stored across various nodes for built-in redundancy; in simple terms, that means your data is backed up and always retrievable (on a competently run cloud service). So not only is this a cheaper option for most companies but also a more secure one.

Energy Savings

Server farms often get criticised for their energy use; however, what is often overlooked is how scalability actually cuts down the total amount of energy required per byte stored. Indeed, the higher demand there is for cloud computing, the more incentive that cloud-hosting companies will have to innovate and create more optimal energy-saving techniques. In any case, traditional on-site storage and data-processing techniques cannot match the efficiency per byte stored/processed.

No In-house Team

Depending on your company’s size, this could be the straw that breaks the camel’s back. By migrating to the cloud, you no longer need to keep a dedicated team devoted to maintaining server racks and other such problems that arise when you’re not harnessing the incredible utility of the cloud. Regardless of whether you have a dedicated IT team or intermittent server inspectors, your operating costs tend to become quite bloated when you’re handling everything yourself.

Eliminates Redundancies

If you’ve ever had to deal with magnetic tape backups, you know how antiquated and frustrating the experience can be. After all, storing data on tape doesn’t just feel so 20th century; it is 20th century. Moreover, a lot of companies only create backups once a day! Imagine if your company lost an entire day’s work! By migrating to the cloud, building redundancies and backups into your system isn’t something you need to worry about. Having said that, we do encourage you to keep an onsite backup of your company’s most important files (just in case).


Throughout this article, we’ve looked at all the incredible benefits that a cloud-based system can have for your business, including energy savings, cost cuts, hardware optimisation, code improvements, and taking advantage of automation; however, you don’t need to take our word for it! Just take a moment to look at the chart below from Research and Markets.

This says it all, really. In five years, the cloud market is projected to more than double. Companies have realised how much money there is to save by embracing cloud technologies. Much of this growth also stems from cloud computing. Whether you model, analyse, or plan, Cloudstep has got everything you need to streamline your cloud-migration process, making it as pain-free and as efficient as you’d like it to be.

More About Us!

Check out our features page or download our free eBook to read further about how you can revolutionise your company’s infrastructure. The eBook is a must-read for anyone who is serious about increasing your company’s agility and scalability. We cover risk mitigation, digital transformation, and how to reduce your company’s overall IT expenditure.


We have plans starting at just $49 per month for an exploratory plan, all the way up to $1,499 for our comprehensive enterprise plan. We also have a free 30-day trial. Plus, unlike many companies, we won’t try to trick you into paying for your plan if you forget about the trial, as we will only ask for your billing information after your trial period has commenced.

Oils ain’t Oils and Neither are Calculators.

Some of you may remember the Castrol oil commercials on Australian television throughout the late 1980s, where they claimed that not all oils are created equally. If not, indulge yourself in 43 seconds of nostalgic cinematic genius.

1988 CASTROL GTX2 Oils Ain’t Oils

Such is true with cloud pricing calculators. Whilst these are invaluable tools for putting together an order of magnitude estimate on a bill of materials, they do little to attract, engage and delight customers.

One of the main differences between a pricing estimate output from regular vendor calculators and a cloudstep model is that with a cloudstep model, all focus is placed on the consumer’s business and the cloudstep consulting partner’s unique relationship with them.

Why is cloudstep more than just a calculator?

  • Cloudstep models are multidimensional and provide a mechanism to accurately account for all the costs that represent the true total cost of ownership.
  • More than a spreadsheet: build 5 year forward projections for business as usual vs migration scenarios.
  • Cloudstep models on-premises, IaaS, SaaS and PaaS solutions.
  • Model, manage and track phased migrations which involve multiple waves or batches of application migrations.
  • Measure actual vs projected expenditure, ingest Azure bills to identify and manage variances.

A pathway to mutually beneficial consulting engagements.

Cloudstep was built from the ground up by cloud consultants who understand the need for consulting firms to build strong strategic relationships with their customers.

Cloudstep models unlock opportunity within businesses by building trust and credibility, thus leading to significant momentum gained with consumers. Cloudstep is about adding value at every stage in your customer’s journey with you, from the initial awareness or interest in alternate IT arrangements all the way through post-migration and ongoing measurement of IT operational expenditure.

Granularity and Complexity

Whilst it is true that high degrees of granularity often result in complexity, cloudstep has tooling to get started in as little as 10 minutes, designed to help consulting firms quickly engage with their customers’ business and begin to foster stronger relationships.

Cloudstep provides a means to have more meaningful conversations with prospects, creating genuine relationships with them. Quickly share relevant content that can be refined and built upon as you get to know your consumers’ unique needs.

Plan, Transition, Manage

Continue to engage with consumers, even long after their journey to the cloud.

Successful IT leaders understand that if you don’t measure success in terms of what’s truly important to your organisation, you can’t work towards getting there.

Cloudstep makes it easy to measure actual vs projected expenditure, providing a means for your consulting team to continue to engage and offer strategic advice and services.

Cloudstep creates happy customers who turn into brand ambassadors and send more customers your way.

cloudstep – The value proposition for consulting firms.

Cloudstep is a tool for consulting firms, built by a consulting firm. It makes it easy to capture existing capital and operational IT expenditure for an organisation and make accurate comparisons against alternate IT delivery options.

We built cloudstep to make it easy to sell consulting engagements for professional services focused around cloud migrations.

Build 5 year forward projections for business as usual vs cloud migration scenarios based on evidence and hard costs, not speculation.

We understand the need for consulting firms to build strong strategic relationships with their customers.

Position your consulting firm as a trusted advisor with outputs that are easy to share, confidence inspiring and make it easy for CFOs and CIOs to stand behind.

Cloudstep models unlock opportunity within businesses by building trust and credibility. Cloudstep is about adding value at every stage in your customer’s journey with you, from the initial awareness or interest in alternate IT arrangements all the way through post-migration and ongoing measurement of IT operational expenditure.

Cloudstep creates happy customers who turn into brand ambassadors and send more customers your way.

Welcome 2020ne – “are we there yet?”

“are we there yet?…. are we there yet?….”

In vacations past, this was the back seat cry heard by many young parents as they sought the refuge of a far-away campsite or holiday house in search of some peace and quiet after a hectic and busy year. Clearly, 2020 was no normal year and it takes the prize for giving us the single biggest reality check for generations. Our near and mid-term futures, whilst cautiously optimistic, are still shrouded in a degree of uncertainty and we should still expect some unsettling times. When will we be able to say we have arrived at our destination, the end of COVID, and no longer be faced with the lingering “are we there yet?” back seat cry?

Many of us invested in keeping as much of our operations as normal as we possibly could. We saw immediate investment in better working from home solutions and in expanded video-conferencing and collaboration tools and techniques, but not every business was well suited to implementing these new practices. In some cases, we had great foundations to build from; in others it just needed to be done. But at what cost, and has it truly delivered what is needed?

For many, new programs of work were put on hold or cancelled altogether. Top line revenue pressures forced many to introduce drastic cuts in operational expenditure, and tough decisions were made. When thinking about 2021 and beyond we should continue to expect that there will be less, little or no new money for projects, and savings will need to be found to pay for reforms.

What programs of work did you put back on the shelf because there were no resources or there was no longer any money in 2021?

Do you know how much an application truly costs and how much cost can be attributed to a “function” or “team” within your business?

Do you fully understand the cost and resource impact of change and will your CFO believe you?

Do you have detailed financial awareness of the different deployment options (on-premise, cloud, IaaS, PaaS or SaaS)?

Are you giving consideration to where the next level of IT investment should be made, and when?

Do you need to rebuild the business case and demonstrate benefit and cost with confidence?

Do you know when you will arrive at your chosen destination? …are we there yet?

We were tackling these questions with cloudstep before our worlds were completely up-ended, and it seems to me the answers that cloudstep can provide are more important to a business than ever before.

cloudstep helps CxOs understand the financial impact of past, current and future IT investment decisions. It helps you compare different deployment scenarios and provides a month by month cashflow model of your total cost of reform and ownership.

To be fair, it’s not always about cloud; it’s about being better informed of the financial impact of future choices.

If you are reimagining your IT plans in 2021 and need to demonstrate value in change, not just the tech speak, then ask us or your IT partner about cloudstep. Are we there yet?

daryl knight | partner at cloudstep