Vulnerabilities / Threats

10:30 AM
Sanjay Kalra
Sanjay Kalra
Connect Directly
E-Mail vvv

Shadow IT, IaaS & the Security Imperative

Organizations must strengthen their security posture in cloud environments. That means considering five critical elements about their infrastructure, especially when it operates as an IaaS.

Shadow IT, the use of technology outside the IT purview, is becoming a tacitly approved aspect of most modern enterprises. Yet, with the vast adoption of software-as-a-service and infrastructure-as-a-service (IaaS) approaches, shadow IT presents increased security challenges that can create major risk. To further complicate things, because organizations aren't centrally controlling these solutions and tools, their vulnerabilities often go undetected for far too long. If individuals and internal teams continue to introduce outside tools and solutions into their environments, enterprises will have to adopt a smart path to ensure they operate securely.

The evolution of shadow IT is a result of technology becoming simpler and the cloud offering easy connectivity to applications and storage. As this happened, people began to cherry-pick those things that would help them get things done easily. Internal groups began using Google Drive for team collaboration and storage; employees used their personal phones to access secured enterprise resources; development teams grabbed code from shared repositories. All of these use cases, and many more, are examples of finding and adopting usable, efficient, and cheap strategies to get things done.

A similar phenomenon is now common with platform-as-a-service and IaaS platforms (public clouds) — new development initiatives are taking place without being officially vetted by IT. Department-level initiatives are making speed and business goals the top priorities, and teams are applying complementary technology to support their needs. It's empowering for development teams and it adheres both to newer styles of development as well as legacy ones that use agile methodologies. The difference here is that an entire model is being used and it affects the infrastructure on which the organization operates. It's also opening up potential access to the private data that's created, stored, and transacted within that infrastructure.

In most things in life, there is a level of forgiveness, but technology isn't among them, and this is where shadow development efforts are problematic. The issue is that all technology and its resulting activity must adhere to companywide security goals and requirements. This can't be a case of asking for forgiveness after the fact because slip-ups can lead to disastrous results.

Enterprises in which shadow IT exists must find a way to instill security as part of all IaaS development processes, but in a way that still allows for speed and agility. Developers dig speed, and they also like it when their technology efforts directly support business goals. It's important to give them that without sacrificing security.

The issue requires creating a mindset around security that is embedded into the organization's DNA, one that is accompanied by specific, actionable approaches that are baked into the overall security operations. That's a tall order, but innovative organizations need to strengthen their overall security posture in cloud environments. To do that, however, requires that organizations consider five critical elements about their infrastructure, especially when it operates as an IaaS:

1. Don't Neglect Development's Need for Speed
Every organization that is technologically mature is simultaneously running three environments: development, quality assurance, and production. They each serve different aspects of the application continuum and are interdependent, but to maintain an adequate level of security, they must establish and adhere to specific security requirements. At some point, new applications and tools, ones brought into the organization through team-level and individual use, will find their way onto the dashboard of IT. There must be a set of requirements and best practices around security so these tools can be seamlessly added into the organization's environment with as little disruption as possible.

2. Change Is the New Normal
What's deployed in public clouds is ephemeral: Containerized applications or virtualized environments are brought up and down constantly and do not rely on fixed IPs and port numbers. Any ancillary shadow applications and tools that are tied to these resources must be monitored to ensure that their security controls coexist with those of the underlying cloud platform, especially as it changes quickly.

3. Respect the Complexity
The nature of what needs to be protected in the cloud is more complex and made of raw building blocks. Organizations adopt public clouds such as Amazon Web Services (AWS) in order to rapidly leverage innovative technologies available on demand without having to invest significantly in new skills. No two deployments on AWS are alike, and security solutions need to account for the fact that teams using shared repositories may be coming from different access points.

4. Prioritize Compliance
Although it may be a challenge to get teams to think about security when using shadow applications, invoking the need to be compliant can help. An organization often cannot operate when they are noncompliant with industry standards because rights and privileges are revoked, which can effectively kneecap the operational abilities of the company. Were this to happen, it could likely lead to companies completely banning shadow tools and services. Awareness of such draconian consequences can help drive home a message that security comes first.

5. Best Practices Are Best
As in all things, it's best to stick to the simplest course of action. Just as you would with any organizational priority, instill a culture of security throughout the company and educate best practices into the way teams and individuals operate. The more people know about the effects of poorly constructed versus proper security operates, the better chance you have that they will adhere on their own to the right way to do things.

Related Content:


Sanjay Kalra is Co-Founder and Chief Strategy Officer at Lacework, leading the company's overall strategy for innovation, business development, channel, strategic partnerships, and customer success, drawing on more than 20 years of success and innovation in the cloud, ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/22/2019 | 7:16:20 AM
First sentence
Have not read the article but the first opening sentence of subject stands out - if anybody is in IT in almost any capacity and does not understand this simple thought ---- well, welding as a career is a good option. 
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version that could allow a malicious user with local access to execute code with administrative privileges.
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.