Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Sanjay Kalra
Sanjay Kalra
Connect Directly
E-Mail vvv

Shadow IT, IaaS & the Security Imperative

Organizations must strengthen their security posture in cloud environments. That means considering five critical elements about their infrastructure, especially when it operates as an IaaS.

Shadow IT, the use of technology outside the IT purview, is becoming a tacitly approved aspect of most modern enterprises. Yet, with the vast adoption of software-as-a-service and infrastructure-as-a-service (IaaS) approaches, shadow IT presents increased security challenges that can create major risk. To further complicate things, because organizations aren't centrally controlling these solutions and tools, their vulnerabilities often go undetected for far too long. If individuals and internal teams continue to introduce outside tools and solutions into their environments, enterprises will have to adopt a smart path to ensure they operate securely.

The evolution of shadow IT is a result of technology becoming simpler and the cloud offering easy connectivity to applications and storage. As this happened, people began to cherry-pick those things that would help them get things done easily. Internal groups began using Google Drive for team collaboration and storage; employees used their personal phones to access secured enterprise resources; development teams grabbed code from shared repositories. All of these use cases, and many more, are examples of finding and adopting usable, efficient, and cheap strategies to get things done.

A similar phenomenon is now common with platform-as-a-service and IaaS platforms (public clouds) — new development initiatives are taking place without being officially vetted by IT. Department-level initiatives are making speed and business goals the top priorities, and teams are applying complementary technology to support their needs. It's empowering for development teams and it adheres both to newer styles of development as well as legacy ones that use agile methodologies. The difference here is that an entire model is being used and it affects the infrastructure on which the organization operates. It's also opening up potential access to the private data that's created, stored, and transacted within that infrastructure.

In most things in life, there is a level of forgiveness, but technology isn't among them, and this is where shadow development efforts are problematic. The issue is that all technology and its resulting activity must adhere to companywide security goals and requirements. This can't be a case of asking for forgiveness after the fact because slip-ups can lead to disastrous results.

Enterprises in which shadow IT exists must find a way to instill security as part of all IaaS development processes, but in a way that still allows for speed and agility. Developers dig speed, and they also like it when their technology efforts directly support business goals. It's important to give them that without sacrificing security.

The issue requires creating a mindset around security that is embedded into the organization's DNA, one that is accompanied by specific, actionable approaches that are baked into the overall security operations. That's a tall order, but innovative organizations need to strengthen their overall security posture in cloud environments. To do that, however, requires that organizations consider five critical elements about their infrastructure, especially when it operates as an IaaS:

1. Don't Neglect Development's Need for Speed
Every organization that is technologically mature is simultaneously running three environments: development, quality assurance, and production. They each serve different aspects of the application continuum and are interdependent, but to maintain an adequate level of security, they must establish and adhere to specific security requirements. At some point, new applications and tools, ones brought into the organization through team-level and individual use, will find their way onto the dashboard of IT. There must be a set of requirements and best practices around security so these tools can be seamlessly added into the organization's environment with as little disruption as possible.

2. Change Is the New Normal
What's deployed in public clouds is ephemeral: Containerized applications or virtualized environments are brought up and down constantly and do not rely on fixed IPs and port numbers. Any ancillary shadow applications and tools that are tied to these resources must be monitored to ensure that their security controls coexist with those of the underlying cloud platform, especially as it changes quickly.

3. Respect the Complexity
The nature of what needs to be protected in the cloud is more complex and made of raw building blocks. Organizations adopt public clouds such as Amazon Web Services (AWS) in order to rapidly leverage innovative technologies available on demand without having to invest significantly in new skills. No two deployments on AWS are alike, and security solutions need to account for the fact that teams using shared repositories may be coming from different access points.

4. Prioritize Compliance
Although it may be a challenge to get teams to think about security when using shadow applications, invoking the need to be compliant can help. An organization often cannot operate when they are noncompliant with industry standards because rights and privileges are revoked, which can effectively kneecap the operational abilities of the company. Were this to happen, it could likely lead to companies completely banning shadow tools and services. Awareness of such draconian consequences can help drive home a message that security comes first.

5. Best Practices Are Best
As in all things, it's best to stick to the simplest course of action. Just as you would with any organizational priority, instill a culture of security throughout the company and educate best practices into the way teams and individuals operate. The more people know about the effects of poorly constructed versus proper security operates, the better chance you have that they will adhere on their own to the right way to do things.

Related Content:


Sanjay Kalra is Co-Founder and Chief Strategy Officer at Lacework, leading the company's overall strategy for innovation, business development, channel, strategic partnerships, and customer success, drawing on more than 20 years of success and innovation in the cloud, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/22/2019 | 7:16:20 AM
First sentence
Have not read the article but the first opening sentence of subject stands out - if anybody is in IT in almost any capacity and does not understand this simple thought ---- well, welding as a career is a good option. 
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd
PUBLISHED: 2021-01-22
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.