Handing over the keys to the new driver in the family? Daunting. Handing over the keys to cloud instances at your company to a new hire? Perhaps just as daunting.
A new employee’s first day is a big deal for everyone, and especially for the IT department, which is responsible for setting up the appropriate permissions and access controls for all of the organization’s cloud-based applications. It’s a massive responsibility, given the potential risks if those same permissions are not properly supervised. A 2024 Tenable report found that 23% of cloud identities, both human and non-human, have “critical” or “high severity” excessive permissions.
Jay Martin, CISO at IT solutions and services provider Blue Mantis, told IT Brew that the industry is in a “fairly immature state” when it comes to handling cloud permissions and that having a standardized process around it is critical.
“The last thing you want to do is onboard an administrative assistant on the HR side into your financial system,” Martin said. “So, there’s practices that need to be set up in advance.”
Tips and tricks. Neeraj Methi, VP of cybersecurity solutions at Myriad360, told IT Brew that organizations should not let just anybody create and revoke cloud-related permissions and should implement a formalized process instead.
“Define a process, open tickets, and have a trail behind everything which is being requested and denied, so that you have an idea where all these access are,” Methi said.
Kurt Seifried, chief innovation officer at the Cloud Security Alliance, added that organizations should remember that vendors are constantly adding capabilities that could shake up how things are done.
“Your cloud vendor, especially somebody like Amazon, Microsoft, Google, or Zoom even, [is] constantly adding features and security,” Seifried said. “You gotta keep up with that.”
Pitfalls. Once an employee is successfully provisioned, the fun doesn’t stop there. Seifried told IT Brew that there are many mistakes that can be made around access permissions once set. For example, for employees who are no longer with the company, Seifried’s “lockout procedure” for Google accounts used to mean suspending the account, changing the password, and un-suspending it to hand over access to managers. That changed after he realized former employees could potentially still access the account through credentials saved on Google’s account recovery feature.
“Lessons were learned,” Seifried said.
Martin added that organizations should be mindful of appropriately adjusting cloud instance access when employees switch roles in their company, an area he said customers tend to do poorly in.
The argument for automation. Some companies have begun to automate the process around cloud provisioning. Methi told IT Brew that automation could help bolster productivity, as users are able to access cloud credentials faster, and could eliminate room for human error.
“If you’re doing it manually, how effective could [you] be [at] keeping track of it?” Methi said, adding that the task could become a “nightmare” for some organizations.
Karthik Ranganathan, co-founder and co-CEO of Yugabyte, an open-source distributed SQL database company, told IT Brew that the cloud provisioning process at his company is mostly automated. Ranganathan said that Yugabyte is able to constantly update its processes around onboarding and has made it a significantly shorter experience for new hires.
“Now we’re talking hours,” Ranganathan said. “So, employee starts on Monday. By Monday afternoon, we’re sending them email. They have Slack. They have everything.”
Regardless of whether a company chooses to partly or fully automate the cloud provisioning process, Martin said it is always important to have a formal process in place.
“You can automate as much of this as you want with technology, but the first step really is to make sure that that process is vetted, that process is documented, that you have the proper workflow,” Martin said.