An Updated Blueprint for a Cloud-First World

*Originally published on

Integrators must understand how IT fits into the remote-work equation in order to assess client needs properly in a cloud-first world.

About ten years ago, someone I had worked with when I was a consultant in corporate IT reached out to hire an outsourced IT firm. The unusual part was that this was a technology consulting company with plenty of capable engineers who could have run their own infrastructure, but he wanted them focused on revenue.

Over the years, this client pushed my thinking. They went from being a standard firm to cloud first. We eliminated servers and moved to hosted applications and services: Office 365, Azure AD, online file storage, and even policy deployment. Their employees and engineers accessed what they needed from the LA office or from home in St. Louis or Montreal.

This became our blueprint. Even for clients who did not want to give up their in-office servers, we treated their setups as if they were hosted in the cloud, building access so that the systems work from anywhere in as secure a way as possible. In the investment world, where most of our clients sit, many already worked from anywhere and expected to. We still had to provide the same level of security and compliance.

The line between trusted and untrusted networks has become blurred. You can no longer rely on your firewall to protect internal assets. Building a zero trust network is a journey, not a destination. It became clear that we needed to build our protections around a few areas: endpoint, identity, systems, and data.


At the endpoint, we could no longer rely on traditional antivirus alone; that had become bringing a knife to a gunfight. We needed either to back up AV with additional help or to replace it entirely. Next-generation antivirus, Endpoint Detection and Response (EDR) solutions, or Managed Detection and Response (MDR) services (pick your poison) let you retire traditional signature-based AV.

These solutions gave us greater visibility into what the client device was doing and the ability to protect against known and unknown threats. Initially, you may see a large number of false positives: activity flagged as malicious that is actually part of regular business operation. Over time the noise drops, partly because the vendors' machine-learning models improve and partly because you tune exclusions for the client's legitimate software.

The next layer out on the endpoint was protecting against malicious traffic through DNS or web filtering. Endpoints no longer behind the firewall could visit any internet site they wished, good or bad (and so could any software they downloaded).

Adding a filtering agent lets the IT administrator or MSP control which sites the client's devices can reach. It is especially useful for blocking connections to ransomware command-and-control sites, where the malware fetches its payload or exchanges key material with its operators.

At a more advanced level, layering in application allow-listing prevents unknown applications from launching. Ringfencing stops known-good applications from doing things they shouldn't (does Word need to launch PowerShell?).
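The two checks described above, allow-listing and ringfencing, as an added example that is not code from the original article or from any vendor's product. It models the decision an agent makes at process start over a handful of constructed process-creation events (roughly what Sysmon event ID 1 carries). The hashes, the policy tables and the sample events are all assumptions made for illustration.

```python
"""Allow-listing plus ringfencing over process-creation events.

Added example, not the article's code: a simplified model of the decision an
allow-listing/ringfencing agent makes when a process starts. The hashes, the
policy tables and the sample events below are all constructed for illustration.
"""
from dataclasses import dataclass

# Constructed allow-list: SHA-256 of the binary -> image name it belongs to.
ALLOWED_HASHES = {
    "a1" * 32: "winword.exe",
    "b2" * 32: "excel.exe",
    "c3" * 32: "powershell.exe",
    "d4" * 32: "outlook.exe",
}

# Ringfence policy: parent image -> set of child images it may launch.
# A parent absent from this table may launch any allow-listed child.
RINGFENCE = {
    "winword.exe": set(),                         # Office should never spawn interpreters
    "excel.exe": set(),
    "outlook.exe": {"winword.exe", "excel.exe"},  # opening attachments is expected
}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # file name of the parent process
    image: str          # file name of the new process
    sha256: str         # hash of the new process's binary
    command_line: str


def evaluate(event: ProcessEvent):
    """Return ('allow' | 'block', reason) for one process-creation event."""
    image = event.image.lower()
    parent = event.parent_image.lower()
    known_as = ALLOWED_HASHES.get(event.sha256.lower())
    if known_as is None:
        return "block", f"{image}: hash not on allow-list"
    if known_as != image:
        # The bytes are allow-listed but the file was renamed; treat it as evasion.
        return "block", f"{image}: binary is really {known_as} (renamed)"
    permitted_children = RINGFENCE.get(parent)
    if permitted_children is not None and image not in permitted_children:
        return "block", f"{parent} is ringfenced and may not launch {image}"
    return "allow", "allow-listed and within ringfence"


# Constructed sample events.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "WINWORD.EXE", "a1" * 32, "WINWORD.EXE /n report.docx"),
    ProcessEvent("WINWORD.EXE", "powershell.exe", "c3" * 32, "powershell -nop -w hidden -enc ..."),
    ProcessEvent("OUTLOOK.EXE", "WINWORD.EXE", "a1" * 32, "WINWORD.EXE /n invoice.docm"),
    ProcessEvent("WINWORD.EXE", "updater.exe", "ff" * 32, "updater.exe --silent"),
    ProcessEvent("explorer.exe", "svchost.exe", "c3" * 32, "svchost.exe -nop -w hidden"),
]


def triage(events=SAMPLE_EVENTS):
    """Evaluate a batch of events; returns a list of (image, decision, reason)."""
    return [(e.image, *evaluate(e)) for e in events]


if __name__ == "__main__":
    for image, decision, reason in triage():
        print(f"{decision:5}  {image:15}  {reason}")
```

Real products add signer certificates and installation paths to the hash check and express the ringfence as "this parent may touch these files, registry keys and network destinations" rather than only "these children"; the ordering shown here (is it a known binary, is it what it claims to be, is its parent allowed to start it) is the part worth copying.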

Next, add a Secure Access Service Edge, or SASE (think of it as a distributed cloud firewall that your endpoints connect to securely). From that system you can control traffic flow, for example allowing access to some services and disallowing others. Pair that with Microsoft's conditional access policies and you can lock down who has access to your clients' O365 environments, and from which devices.

Identity in a Cloud-First World 

In a cloud-first world, our clients' identities become even more critical. That file sync and share solution you use is accessible from anywhere. How can you tell whether the person accessing your systems is who they say they are? Passwords have been our primary mechanism. Unfortunately, passwords are inherently flawed because of the humans who make them, and generating and keeping track of a random password for every system is hard.

Excel is not a solution to this. That said, a multi-factor solution that fits your client's risk profile is not only a good idea but should be a requirement for access to nearly everything (especially for us as the MSP!). It has become trivial to phish credentials; MFA is what gives you confidence that your clients are who they claim to be. Bear in mind that SMS codes and simple push prompts can be phished or fatigued too, so where the risk profile warrants it, prefer phishing-resistant methods such as FIDO2 security keys.

Building individual identity systems, each with its own multi-factor solution, becomes burdensome for anyone to manage. Standardizing on a single multi-factor solution helps, so that you don't play MFA-application roulette each time you log into a site; better still, look at single sign-on through a federated identity provider.

In the early 2000s, when I was still in corporate IT, we had just started building Identity Management Systems around Active Directory. By integrating them with the HR systems, IT could step back and let HR drive account provisioning as employees were onboarded, offboarded, or transferred.

Ultimately, this may become the holy grail for the next generation of MSPs: the client's representative fills out a form that automatically provisions the accounts, adds them to the appropriate groups and application systems, and starts a ticketing workflow for any human finishing touches. I can dream, can't I?
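The HR-driven workflow described above, as an added example that is not code from the original article: it reconciles an HR roster against a directory snapshot and produces the joiner, mover and leaver actions plus tickets for the human finishing touches. The roster, the directory contents and the department-to-group mapping are constructed assumptions; a real implementation would call the directory or Graph API where this appends to a list.

```python
"""Joiner/mover/leaver reconciliation driven by an HR roster.

Added example, not the article's code: it computes the directory changes an
HR-driven provisioning workflow would make, and emits tickets for the parts
that still need a human. The roster, directory snapshot and the
department-to-group mapping are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed entitlement model: everyone gets the baseline, plus department groups.
BASELINE_GROUPS = {"GG-AllStaff", "App-M365-E3"}
DEPARTMENT_GROUPS = {
    "Trading": {"GG-Trading", "App-OMS"},
    "Compliance": {"GG-Compliance", "App-Archive-Review"},
    "Engineering": {"GG-Engineering", "App-Git"},
}


@dataclass
class HRRecord:
    employee_id: str
    upn: str
    department: str
    status: str          # "active" or "terminated"


@dataclass
class DirectoryAccount:
    employee_id: str
    upn: str
    groups: set
    enabled: bool = True


def desired_groups(department):
    return BASELINE_GROUPS | DEPARTMENT_GROUPS.get(department, set())


def reconcile(hr_roster, directory):
    """Return the ordered list of actions needed to make the directory match HR.

    Action shapes: ("create", upn, groups), ("add"|"remove", upn, group),
    ("disable", upn), ("revoke_sessions", upn), ("ticket", upn, note).
    """
    actions = []
    by_id = {a.employee_id: a for a in directory}

    for rec in hr_roster:
        acct = by_id.get(rec.employee_id)
        if rec.status == "terminated":                      # leaver
            if acct is not None and acct.enabled:
                actions.append(("disable", acct.upn))
                actions.append(("revoke_sessions", acct.upn))  # cut live cloud tokens, not just the password
                actions.extend(("remove", acct.upn, g) for g in sorted(acct.groups))
                actions.append(("ticket", acct.upn, "collect device; convert mailbox to shared"))
            continue
        want = desired_groups(rec.department)
        if acct is None:                                    # joiner
            actions.append(("create", rec.upn, want))
            actions.append(("ticket", rec.upn, "ship laptop; enrol MFA before first sign-in"))
            continue
        # mover (or no-op): grant what the new role needs and, just as
        # importantly, strip what the old role had so entitlements don't accumulate
        actions.extend(("add", acct.upn, g) for g in sorted(want - acct.groups))
        actions.extend(("remove", acct.upn, g) for g in sorted(acct.groups - want))

    # Enabled accounts with no HR record are flagged, never silently deleted:
    # they may be service accounts, contractors, or genuine orphans.
    known = {r.employee_id for r in hr_roster}
    for acct in directory:
        if acct.enabled and acct.employee_id not in known:
            actions.append(("ticket", acct.upn, "no HR record; verify owner or disable"))
    return actions


# Constructed sample data.
HR_ROSTER = [
    HRRecord("1001", "alice@example.com", "Trading", "active"),
    HRRecord("1002", "bob@example.com", "Compliance", "active"),     # moved from Trading
    HRRecord("1003", "carol@example.com", "Engineering", "active"),  # new hire
    HRRecord("1004", "dave@example.com", "Trading", "terminated"),
]
DIRECTORY = [
    DirectoryAccount("1001", "alice@example.com", desired_groups("Trading")),
    DirectoryAccount("1002", "bob@example.com", desired_groups("Trading")),
    DirectoryAccount("1004", "dave@example.com", desired_groups("Trading")),
    DirectoryAccount("svc-backup", "svc-backup@example.com", {"App-Backup"}),
]


def example_actions():
    return reconcile(HR_ROSTER, DIRECTORY)


if __name__ == "__main__":
    for action in example_actions():
        print(action)
```

The two details that matter for security are the ones usually skipped: the mover branch removes the old department's groups rather than only adding the new ones, and the leaver branch revokes sessions, because disabling an account does not expire cloud tokens already issued.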

Because identity becomes so crucial in a cloud-first company, defending that identity wherever possible is also essential. For example, from which locations is the person allowed to log in? If we are alerted that the identity is connecting from outside its approved region, what should we do?
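The location question above, as an added example that is not code from the original article. It runs two checks over a constructed sign-in log: a successful sign-in from outside the identity's approved countries, and impossible travel, where two successful sign-ins are far enough apart in distance and close enough in time that no flight could connect them. The geo-IP table, the approved-country policy and the speed threshold are assumptions; in production the table is a lookup service.

```python
"""Sign-in location checks over constructed sign-in events.

Added example, not the article's code. It answers the two questions in the
text: is this identity signing in from outside its approved region, and could
the same person physically have made the previous sign-in? Geo-IP data is
normally a lookup service; here it is a constructed table of approximate city
coordinates, and the approved-country policy is an assumption.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

APPROVED_COUNTRIES = {"alice@example.com": {"US", "CA"}}   # assumed per-user policy
MAX_PLAUSIBLE_KMH = 1000.0   # roughly airline cruise speed; faster than this is not one person
EARTH_RADIUS_KM = 6371.0

# Constructed geo-IP table: source IP -> (ISO country, latitude, longitude)
GEOIP = {
    "203.0.113.10": ("US", 34.05, -118.24),   # Los Angeles
    "198.51.100.7": ("CA", 45.50, -73.57),    # Montreal
    "192.0.2.99":   ("NG", 6.45, 3.39),       # Lagos
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def analyse(events):
    """events: iterable of (upn, iso_timestamp, source_ip, success).

    Returns findings as tuples: (upn, "outside_approved_region", ip, country)
    or (upn, "impossible_travel", previous_ip, ip, km_per_hour).
    """
    findings = []
    last_ok = {}   # upn -> (timestamp, lat, lon, ip) of the previous successful sign-in
    for upn, ts_str, ip, success in sorted(events, key=lambda e: e[1]):
        if not success:
            continue   # failures matter for password-spray detection, not for this check
        ts = datetime.fromisoformat(ts_str)
        country, lat, lon = GEOIP[ip]
        if country not in APPROVED_COUNTRIES.get(upn, set()):
            findings.append((upn, "outside_approved_region", ip, country))
        if upn in last_ok:
            pts, plat, plon, pip = last_ok[upn]
            # floor at one minute so two sign-ins in the same second don't divide by zero
            hours = max((ts - pts).total_seconds() / 3600, 1 / 60)
            kmh = haversine_km(plat, plon, lat, lon) / hours
            if kmh > MAX_PLAUSIBLE_KMH:
                findings.append((upn, "impossible_travel", pip, ip, round(kmh)))
        last_ok[upn] = (ts, lat, lon, ip)
    return findings


# Constructed sample sign-in log: a normal LA -> Montreal day, then a
# successful sign-in from Lagos half an hour after the Montreal one.
SAMPLE_SIGNINS = [
    ("alice@example.com", "2021-06-01T09:00:00", "203.0.113.10", True),
    ("alice@example.com", "2021-06-01T17:00:00", "198.51.100.7", True),
    ("alice@example.com", "2021-06-01T17:30:00", "192.0.2.99", True),
    ("alice@example.com", "2021-06-01T17:31:00", "192.0.2.99", False),
]


def example_findings():
    return analyse(SAMPLE_SIGNINS)


if __name__ == "__main__":
    for finding in example_findings():
        print(finding)
```

The LA to Montreal hop (about 3,970 km in eight hours) passes; the Montreal to Lagos hop half an hour later does not, and it also trips the region rule. Treat VPN and mobile-carrier egress as a known source of false positives for the distance check, and answer the "what should we do" question with an automatic response, such as revoking the session and requiring re-authentication, rather than an email to a queue.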

Data in a Cloud-First World

Backing up data is critical for recovery from failure. Whether that means backing up direct to the cloud, syncing local files, BDR appliances with cloud offsite copies, or backing up SaaS applications, making and testing backups remains part of our primary offering.

For example, if a client loses their laptop (it's encrypted, right?), they should still be able to get their information back and continue working. Similarly, if they accidentally delete a SharePoint folder or an email message, you should be able to restore it.

With backups, I believe in belts and suspenders: sync the main local folders, add a laptop backup, back up the email accounts, and add email archiving.

Also, if someone doesn't need access to data, don't give it to them. Give employees the information they need to do their job and no more. The only way to do this is to have control over identities.


Configure your systems to ensure the right people (identity) on the correct devices (endpoint) are accessing the right information (data). In a cloud world, it is as easy to leak data as it is to collaborate; controlling what can be shared, and by whom, is something you must consider. Mapping out data flows in the environment will help you document and understand what needs protecting.
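The identity, endpoint and data checks described above, and the conditional access pairing mentioned in the SASE paragraph earlier, as one added example that is not code from the original article or any vendor's policy engine. It is a toy evaluator in the style of a conditional-access policy combined with sensitivity labels: every request is judged on who is asking, from what device, for what data, and whether the action is a read or an external share. The label rules, group names and sample requests are assumptions.

```python
"""Access decision that joins identity, device and data signals.

Added example, not the article's code or any vendor's policy engine: a toy
evaluator in the style of a conditional-access policy with sensitivity
labels. The label rules, group names and sample requests are assumptions.
"""
from dataclasses import dataclass


@dataclass
class User:
    upn: str
    groups: set
    mfa_satisfied: bool


@dataclass
class Device:
    managed: bool      # enrolled in the tenant's MDM
    compliant: bool    # meets the compliance policy (disk encrypted, EDR running, patched)


@dataclass
class Resource:
    name: str
    label: str         # "Public", "Internal" or "Confidential"
    owner_group: str   # group that may read Confidential content


def decide(user, device, resource, action):
    """action is 'read' or 'share_external'. Returns (allowed, reason)."""
    # Identity: nothing without MFA, whatever the data.
    if not user.mfa_satisfied:
        return False, "MFA not satisfied"
    # Endpoint: unmanaged devices see only public material; compliance is
    # required for anything labelled above Public.
    if resource.label != "Public" and not (device.managed and device.compliant):
        return False, f"{resource.label} data requires a managed, compliant device"
    # Data: need-to-know on Confidential, and external sharing only for Public.
    if resource.label == "Confidential" and resource.owner_group not in user.groups:
        return False, f"not a member of {resource.owner_group}"
    if action == "share_external" and resource.label != "Public":
        return False, f"{resource.label} content may not be shared outside the tenant"
    return True, "identity, device and data checks passed"


# Constructed sample requests.
DEAL_BOOK = Resource("Q2 deal book", "Confidential", "GG-Trading")
HANDBOOK = Resource("Employee handbook", "Internal", "GG-AllStaff")
BROCHURE = Resource("Marketing brochure", "Public", "GG-Marketing")
ALICE = User("alice@example.com", {"GG-AllStaff", "GG-Trading"}, mfa_satisfied=True)
CAROL = User("carol@example.com", {"GG-AllStaff", "GG-Engineering"}, mfa_satisfied=True)
NO_MFA = User("temp@example.com", {"GG-AllStaff"}, mfa_satisfied=False)
CORP_LAPTOP = Device(managed=True, compliant=True)
HOME_PC = Device(managed=False, compliant=False)

SAMPLE_REQUESTS = [
    (ALICE, CORP_LAPTOP, DEAL_BOOK, "read"),            # allowed
    (ALICE, HOME_PC, DEAL_BOOK, "read"),                # denied: device
    (CAROL, CORP_LAPTOP, DEAL_BOOK, "read"),            # denied: need-to-know
    (ALICE, CORP_LAPTOP, DEAL_BOOK, "share_external"),  # denied: label
    (CAROL, CORP_LAPTOP, HANDBOOK, "read"),             # allowed
    (CAROL, HOME_PC, BROCHURE, "share_external"),       # allowed
    (NO_MFA, CORP_LAPTOP, BROCHURE, "read"),            # denied: identity
]


def example_decisions():
    return [decide(*request) for request in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (user, device, resource, action), (ok, why) in zip(SAMPLE_REQUESTS, example_decisions()):
        print(f"{'ALLOW' if ok else 'DENY ':5} {user.upn:20} {action:15} {resource.name:20} {why}")
```

The ordering of the checks is deliberate: identity first, because nothing else is trustworthy without it; device second, because a compliant endpoint is what makes the data controls enforceable; data last, because the label is what decides whether collaboration becomes a leak.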

If you still have on-premises servers that you manage, make sure their own protections (like the Windows firewall) are implemented and that no management ports are exposed to the Internet. I'm talking about you, RDP.

Remote Work is Just Work 

So, what is so special about remote work? If systems are architected for a cloud-centric world using zero-trust concepts, then the answer is nothing. Remote work is just "work." It's the same as everything else.

Now that you've gotten through the past 18 months helping your clients set up remote access (hopefully securely), you can start making incremental changes. Start by tightening what VPN users can reach (it shouldn't be the whole network). Better yet, plan for the VPN's removal. That VPN appliance is the one gate holding back the hordes, and if you look across the news of the past year you will find story after story about VPN systems with flaws that allow remote access without authentication.

That steel-reinforced door may have a pet flap. Let's plug all those holes. If a remote employee needs data inside your on-premises network, use a SASE approach and leverage its capability to connect securely to the office or to the specific internal system.

It's challenging to do all of this at once. Start by adding layers of protection around endpoints and identities. Next, harden the configuration of your cloud and on-premises systems; then you will be ready for the more advanced work.