The Permanent Exception
When temporary workarounds become permanent because teams don't build review processes into exception approvals

Edition #8: The Permanent Exception
We've all been there. An emergency exception granted to push to production on time. A firewall rule opened for a specific integration need. Budget controls extended for an urgent project. Additional access granted to resolve a critical issue.
Not every situation fits the mold of our standards and controls. There will always be exceptions to the rule. But how often do you go back and reassess them?
This is how a temporary workaround unintentionally becomes The Permanent Exception: it is approved without any mechanism to revisit, evaluate, or remove it later. Teams solve immediate problems by granting exceptions but don't ask the critical question: when will we revisit this? Every approval becomes permanent by default.
Organizations focus on solving the immediate problem but skip the harder questions about what comes after.
Preventing this requires systematic exception management through the Standards Practice from the 5 Practices of Cloud Governance:
→ Build clear exception processes - define justification requirements and approval criteria upfront
→ Require expiration dates - every exception must have a scheduled review or end date
→ Enable periodic review - establish workflows to reassess exceptions before they expire
→ Track and learn from patterns - exceptions that repeat indicate where standards need updating
→ Connect exceptions to improvement - use exception data to evolve your standards over time
When exception processes include systematic review from the start, temporary stays temporary.
- Keep on Herding, Bob
What's Happening in Cloud Governance 📡
How Nestle's Cloud Team Manages Multicloud & Security: Diego M. Costa shares how Nestle's platform team of nearly 100 manages cloud environments for 2,000+ brands across multiple regulatory environments. Key insights include landing zones as governance enablement, security scoring as team KPIs, and orchestrating governance through process, people, and tools rather than just documentation. Their approach demonstrates how to scale governance without becoming a bottleneck.
Best practices for cloud governance at scale (AWS re:Inforce 2023): While from 2023, this AWS session remains highly relevant with 10 governance best practices across cloud environments, controls management, and developer enablement. Key insights include using accounts as security boundaries with proper OU structure, implementing policy-as-code with peer review mechanisms, layering defenses with preventive/proactive/detective controls, and continuously testing control effectiveness. The session demonstrates how proactive controls using CloudFormation hooks can shift security left, stopping misconfigurations before deployment and placing remediation responsibility directly with developers rather than creating central bottlenecks.
11 Steps To Audit Your Salesforce Security: Danny Gelfenbaum's practical audit checklist covers critical Salesforce security areas from connected apps and MFA enforcement to records sharing models and password policies. Key governance-focused steps include reviewing which external apps have org access, auditing sharing settings for sensitive objects, using Health Check to optimize security baselines, and ensuring proper role hierarchy implementation. A useful reminder that configuration risks don't just exist in cloud infrastructure - SaaS platforms like Salesforce require systematic security audits to prevent unauthorized access, overprivileged users, and policy drift.
50 Cloud Security Stats You Should Know In 2025: Expert Insights compiles critical statistics showing that 45% of breaches are now cloud-based, with 80% of companies experiencing at least one cloud security incident in the past year. The top challenges remain security (85%), lack of expertise (83%), and managing cloud spend (81%). Misconfiguration continues as the primary risk, with 96% of organizations facing significant challenges implementing cloud strategy. Only 20% assess their cloud security posture in real-time, and concerningly, 22% still rely on manual assessments. The data reinforces that governance gaps - from IAM misconfiguration to lack of visibility into access settings - remain fundamental cloud security challenges requiring systematic approaches rather than point solutions.