Working with the Cloud After the Pandemic Reset Everything
Five years after COVID forced every business to become a remote-work company overnight, the cloud decisions made in a panic are coming due. Here's what we're seeing, and what we'd do differently.

The pandemic didn't invent remote work, and it didn't invent cloud computing. What it did was compress a decade of adoption into about six weeks of panic and then lock it in. Five years later, the bills from those decisions are coming due — sometimes literally, on an invoice — and I want to write honestly about what worked, what didn't, and where we're pointing customers now.
For context: we were running infrastructure for customers before and after the pandemic, and we watched the before-and-after play out in real time across hundreds of environments. What follows is a pattern book, not a theory.
What Actually Happened in 2020
In the first few weeks, the story was identical everywhere. IT teams had to get every employee working from home, immediately, without a proper plan. The usual playbook — a slow rollout, a pilot group, a proper network capacity review, a security posture update — was replaced with "ship laptops and VPN everything tonight."
The first wave of decisions was mostly about access. VPN concentrators got upgraded overnight, M365 rollouts that had been on the five-year plan happened in a week, Teams and Zoom bloomed, and identity providers got a workout they were never sized for. The second wave was data. File shares that lived happily on a file server in an office building suddenly needed to be reachable from everyone's kitchen. SharePoint Online, OneDrive, and Google Drive absorbed terabytes of corporate data that had never been inventoried.
The third wave was applications. Line-of-business apps that had been internal-network-only for a decade got exposed through reverse proxies, Citrix farms, or outright SaaS migrations that were technically supposed to take a year. A lot of those migrations never got properly finished. They just stayed in the rushed state forever.
What Aged Well
A few things we pushed customers toward in 2020 still look like the right call today.
Identity-first architecture. Moving everyone's login story to a proper cloud identity provider (Entra ID, Okta, or Google Workspace depending on the shop) with MFA on everything was the single best decision anyone made. Every subsequent win — SaaS consolidation, secure app access, conditional access policies, zero trust — only works if identity is solid.
Cloud email and collaboration. If your company was still running Exchange on-prem in 2020, you learned the hard way. M365 and Google Workspace scaled with the demand without you thinking about it. Five years in, almost nobody regrets this move.
Collaboration-first file storage. OneDrive and SharePoint Online, or Google Drive, became the default document homes. With version history, ransomware recovery, and proper DLP policies, this has mostly held up.
Always-on endpoint management. Intune, Jamf, and the equivalents became essential when the domain controller was no longer in the same building as the laptop. Organizations that got serious about endpoint management in 2020 spent less on help desk calls for the next three years.
What Aged Badly
And now the bills.
Lift-and-shift IaaS migrations done in a panic. A lot of shops took production workloads that were fine on-prem and moved them straight into AWS or Azure VMs because it felt like "cloud was safer." Five years later, those workloads are still running as they did on-prem, still pinned to a single region, still with the same operating model — but now at 2x to 3x the operating cost. The migration didn't modernize anything. It just relocated the problem and added an egress fee.
VPNs that never went away. The emergency VPN capacity that was meant to be a six-month bridge is still there. The conditional access policies that were supposed to replace it never got fully rolled out. The result is a hybrid access model that nobody designed, nobody fully documents, and nobody trusts.
Shadow SaaS. When everyone was locked at home, teams signed up for whatever tools got them unblocked. Nobody tracked it. Five years later, IT discovers that a department has 14 different SaaS subscriptions, three of them holding customer PII, none of them running through SSO. Consolidation is now a project in its own right.
Security posture debt. When you're shipping laptops tonight, you don't have time to write a least-privilege IAM policy. Everyone got admin because it was easier. Service accounts got reused. Backup strategies got deferred. The debt on this stuff is real, and it doesn't pay itself off.
Where We're Pointing Customers Now
Here's the honest recommendation we're giving customers in 2025 who want to clean up what the pandemic left behind.
Run a cloud workload audit, not an optimization project. Go workload by workload. For each one, answer four questions: is it still the right platform, is it still configured the way it would be configured today, is the cost defensible versus alternatives, and would you lift-and-shift it again knowing what you know now? A lot of workloads fail one or more of these. Repatriation of steady-state workloads back to private cloud is a real trend and a real money-saver for the right workloads.
Finish the zero-trust migration you started in 2020. Conditional access, device posture, application proxies, and secure web gateways actually work now. The VPN should be the exception, not the rule, and a lot of organizations still have that backwards.
Consolidate the SaaS portfolio. Run every SaaS subscription through SSO or cancel it. Tools without SSO in 2025 are telling you they aren't serious.
Put collaboration data under lifecycle policy. The OneDrive and Google Drive tenants that absorbed your corporate data in 2020 are now full of documents nobody has touched in four years, including some that should not exist anymore. Retention policies, sensitivity labels, and deletion workflows are not exciting, but they are the cheapest form of compliance insurance.
Rebuild the DR plan with the new topology in mind. Most DR plans were written for a data center that doesn't exist anymore. Rewrite them for the environment you actually have, and test them.
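For the SaaS consolidation recommendation above, one way to find the subscriptions that are not behind SSO is to cross-reference a finance export against the identity provider's list of federated apps. This is an added example, not part of the original article; the CSV columns, the sample rows and the SSO domain list are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: recurring SaaS charges from a finance export.
# Column names are assumptions; holds_pii is the data owner's answer.
EXPENSES_CSV = """vendor,domain,dept,monthly_usd,holds_pii
FormTool,www.formtool.example,Sales,120,yes
FormTool,formtool.example,Marketing,80,yes
BoardApp,boardapp.example,Engineering,300,no
ChatDesk,eu.chatdesk.example,Support,450,yes
DocSign,docsign.example,Legal,200,yes
NoteApp,noteapp.example,Finance,900,no
"""

# Constructed sample: domains of apps already federated with the identity provider.
SSO_DOMAINS = ["docsign.example", "BoardApp.example"]

def normalize(domain):
    """Lower-case and drop a leading 'www.' so both sources compare equal."""
    domain = domain.strip().lower().rstrip(".")
    return domain[4:] if domain.startswith("www.") else domain

def behind_sso(domain, sso):
    """True if the domain, or a parent domain of it, is federated."""
    return domain in sso or any(domain.endswith("." + s) for s in sso)

def audit(expenses_csv, sso_domains):
    """Return non-SSO subscriptions, one entry per domain, PII holders first."""
    sso = {normalize(d) for d in sso_domains}
    apps = defaultdict(lambda: {"depts": set(), "monthly_usd": 0.0, "pii": False})
    for row in csv.DictReader(io.StringIO(expenses_csv)):
        domain = normalize(row["domain"])
        if behind_sso(domain, sso):
            continue
        app = apps[domain]
        app["vendor"] = row["vendor"]
        app["depts"].add(row["dept"])  # same tool bought by several teams
        app["monthly_usd"] += float(row["monthly_usd"])
        app["pii"] |= row["holds_pii"].strip().lower() == "yes"
    findings = [{"domain": d, **a} for d, a in apps.items()]
    # PII-holding apps first, then by spend: federate or cancel these first.
    findings.sort(key=lambda f: (not f["pii"], -f["monthly_usd"]))
    return findings

if __name__ == "__main__":
    for f in audit(EXPENSES_CSV, SSO_DOMAINS):
        print(f"{f['domain']:<22} pii={f['pii']!s:<5} ${f['monthly_usd']:>7.2f} {sorted(f['depts'])}")
```

Duplicate purchases of the same tool by different departments collapse into one finding, which is usually the first consolidation win.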
The Meta-Lesson
The biggest mistake of the pandemic era wasn't any one technology decision. It was not going back and cleaning up. The decisions made under duress were meant to be temporary. Treating them as permanent is how you end up with an architecture you never would have designed on purpose and a cost structure you never would have approved in a calmer moment.
If you inherited any part of the 2020 scramble, you have permission to redesign it from scratch. The right-sized environment in 2025 looks very different from the emergency-sized environment of 2020, and the savings and security posture improvements from doing the work are real.
Three Takeaways
- Identity-first was the win. If you did one thing right in 2020, this was it. Build on it.
- Lift-and-shift without modernization is a cost trap. Audit the workloads that were rushed to public cloud and be willing to move some back.
- The pandemic architecture was never meant to be permanent. Treat it as a draft, not a deliverable, and finish the work.