Cloud Asset Management: Lessons Learned from the Finance Industry

By Ido Neeman, Co-founder and CEO of Firefly.

Assets Under Management (AUM) is a well-known term in the financial sector. After years of involvement in both finance and technology (particularly infrastructure and security), it suddenly became apparent to me that there are many parallels between these seemingly disparate worlds. There is plenty the cloud asset management world can learn and apply from financial asset management, and vice versa.

In this post, I take a look at financial and cloud asset management side by side, and examine some of the fundamentals (from a business, security, and risk management perspective) that can make us better asset managers.

The Fundamentals of Asset Management

When it comes to asset management, to state the obvious, the ultimate goal is to maximize the ROI (return on investment) for any given asset. Meaning, aside from ensuring that our assets do not depreciate in value, we essentially want to optimize them and extract the utmost value.

If we take a look at both the financial market and the cloud, both are changing every millisecond. In finance this can be due to changes and interdependencies in stocks, bonds, currencies, crypto, and a million other factors that are constantly impacting the market. The same goes for the cloud: it's equally dynamic, and a change to anything, from the services deployed to the network, CPU, storage, noisy neighbors, security groups, and many other factors, will have a direct impact on your cloud management.

In the same way that a war in Ukraine and Russia can have a direct impact on global financial markets, an outage in a single availability zone or a security breach in a known cloud service can impact the cloud ecosystem worldwide. Of course, it doesn't even have to be such an extreme scenario: even minor changes can have a direct impact on local markets and environments.

Policy Management & Guardrails in Asset Management

That is why the financial markets, a highly regulated and well-established industry, and those who are looking to participate in commerce are required to abide by the rules and regulations set forth by many bodies (and largely enforced by the SEC, the Securities & Exchange Commission), to help minimize risk that can impact the global economy. This is the first lesson that the cloud world can learn from global markets: guardrails.

When it comes to AUM, each asset manager has a risk & investment policy they need to abide by stringently. If a trader or analyst deviates from the policy, this requires intervention, before the SEC can get involved and even fine the deviating investment firm. These guardrails and controls are there to help protect organizations against fraudulent and other malicious activity.

This can be compared to the many different guardrails we have in place in the cloud, from our security policies to our availability policies, and from redundancy to security groups. Oftentimes the CISO or even the infrastructure lead will be required to apply policies when engineers deviate from the defined processes and practices, so as not to increase the cloud risk.

A good example of guardrails from the financial world, in the form of redundancy, is when you want to take a long position in a blue-chip company but also want to manage risk. To do so, you also take a short position on the entire NASDAQ, in the event that the blue-chip stock plummets. This gives you the reassurance of the short to back up the longer-term investment if it goes off track.

In cloud services, this takes the form of building high availability into our applications through multiple availability zones, and immutability in the form of DR and IaC. To ensure immutable operations, we need a modern approach for managing cloud resources. Codification of all of your cloud resources into IaC is an important enabler. Then, automatically applying change management policies during CI/CD processes is a powerful guardrail for managing an immutable cloud.

On Asset Drift & Avoiding Disaster

Just like with financial assets, where managing state is critical, this is also true for our cloud assets. If we create a portfolio with a certain distribution of risk, we want to ensure it isn't drifting from its targets, and this requires us to constantly monitor both our assets and the market, which are constantly moving targets.

These are best practices that are well established in DevOps / SRE and cloud practice. We all understand that having fine-grained monitoring and observability of our assets is critical to avoiding disaster in the form of outages and failures. And just as financial liability is huge, the same holds true for the cloud. For instance, a load balancer misconfiguration with improper privileges can cause damage that you may not be able to recover from, and a huge loss in the financial world is quite the same. Sometimes, leaving a cloud environment without guardrails is like writing a blank check.

Therefore, just like all financial transactions need to be logged, cloud operations too need to be codified and logged, so that any potentially harmful drifts from the desired state can be caught and mitigated rapidly through today's IaC and automation. When your cloud is not consistently monitored and managed, finding these types of potential liabilities becomes a needle in a haystack.
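The drift check described above can be sketched as a comparison between the codified (desired) state and what is actually observed in the cloud. This is an added example, not code from the original post or from any product; the resource ids, attribute names and both inventories are constructed for illustration.

```python
# Added example: compare codified (desired) state with observed cloud state.
# Resource ids, attributes and both inventories below are constructed samples.

def diff_attrs(desired, observed, path=""):
    """Return (path, codified, observed) for every attribute that differs."""
    if isinstance(desired, dict) and isinstance(observed, dict):
        changes = []
        for key in sorted(set(desired) | set(observed)):
            child = f"{path}.{key}" if path else key
            changes += diff_attrs(desired.get(key), observed.get(key), child)
        return changes
    return [] if desired == observed else [(path, desired, observed)]

def detect_drift(desired_state, observed_state):
    """Classify each resource id as drifted, missing or unmanaged."""
    report = {"drifted": {}, "missing": [], "unmanaged": []}
    for rid in sorted(set(desired_state) | set(observed_state)):
        if rid not in observed_state:
            report["missing"].append(rid)      # codified but not deployed
        elif rid not in desired_state:
            report["unmanaged"].append(rid)    # deployed but never codified
        else:
            changes = diff_attrs(desired_state[rid], observed_state[rid])
            if changes:
                report["drifted"][rid] = changes
    return report

DESIRED = {  # what the IaC repository declares (constructed)
    "sg-web": {"ingress": {"443": ["10.0.0.0/8"]}, "tags": {"owner": "platform"}},
    "lb-public": {"listeners": {"443": "https"}, "zones": ["a", "b"]},
    "bucket-logs": {"versioning": True},
}
OBSERVED = {  # what an inventory scan of the account returned (constructed)
    "sg-web": {"ingress": {"443": ["10.0.0.0/8"], "22": ["0.0.0.0/0"]},
               "tags": {"owner": "platform"}},
    "lb-public": {"listeners": {"443": "https"}, "zones": ["a"]},
    "vm-test": {"size": "large"},
}

if __name__ == "__main__":
    report = detect_drift(DESIRED, OBSERVED)
    for rid, changes in report["drifted"].items():
        for path, want, got in changes:
            print(f"DRIFT     {rid} {path}: codified={want!r} observed={got!r}")
    for rid in report["missing"]:
        print(f"MISSING   {rid}: declared in code, not found in the cloud")
    for rid in report["unmanaged"]:
        print(f"UNMANAGED {rid}: running in the cloud, absent from code")
```

On the sample data it reports a security group rule that was opened outside of code, a load balancer that lost an availability zone, a declared bucket that does not exist, and a VM nobody codified.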

Cloud Resources are Eventually Assets - Treat Them Like It

While some of the guardrails and good practices are easier to apply, some things are harder, and we need to start with what we can achieve today and constantly work on improving. Cloud operations have been around for maybe fifteen years, whereas financial asset management is a much more stable and mature world, having been around for 8 decades now. Let's take a look at the lessons we can learn and apply today to both our financial management and cloud operations.

Asset management requires smart people. In financial management there's a well-known phrase: "always have the smartest people in the room". What you pay today in salaries might prevent a disaster tomorrow caused by a lack of maturity or experience, which can be a liability. This is true for financial management and cloud management. In the spirit of Netflix, building talent density ensures you have the smartest people working on emerging cloud challenges and problems as the cloud continues to evolve.

Automation is required to scale. In the same way that all modern funds leverage algorithmic trading, even when you have the smartest people in the room you still need to augment their talents with smart machines & tools, because human capabilities only go so far. You can't scale without machines, and this holds true for the cloud as well. Automation made possible what wasn't possible before in terms of speed and safety for engineering velocity. Don't be afraid to introduce tools that make your engineers better at what they do and free them from human toil on repetitive tasks.

Guardrails are critical. I cannot stress enough the need for guardrails and protection in both worlds. Guardrails prevent disasters from human error or overwhelming complexity. They prevent good people from making simple mistakes. The financial market and cloud ecosystem have many similarities, and managing them takes skill and strategy. So even when you have the smartest people working on the toughest cloud challenges, and the best-of-breed tooling to support your work, don't compromise on the guardrails. These will provide a measure of protection and safety in a constantly evolving ecosystem and threat landscape for your highest-value workloads, AKA your cloud assets.
