Shadow IT, the use of technology outside the IT purview, is becoming a tacitly approved aspect of most modern enterprises. Yet, with the vast adoption of software-as-a-service and infrastructure-as-a-service (IaaS) approaches, shadow IT presents increased security challenges that can create major risk. To further complicate things, because organizations aren't centrally controlling these solutions and tools, their vulnerabilities often go undetected for far too long. If individuals and internal teams continue to introduce outside tools and solutions into their environments, enterprises will have to adopt a smart path to ensure they operate securely.
The evolution of shadow IT is a result of technology becoming simpler and the cloud offering easy connectivity to applications and storage. As this happened, people began to cherry-pick those things that would help them get things done easily. Internal groups began using Google Drive for team collaboration and storage; employees used their personal phones to access secured enterprise resources; development teams grabbed code from shared repositories. All of these use cases, and many more, are examples of finding and adopting usable, efficient, and cheap strategies to get things done.
A similar phenomenon is now common with platform-as-a-service and IaaS platforms (public clouds) — new development initiatives are taking place without being officially vetted by IT. Department-level initiatives are making speed and business goals the top priorities, and teams are applying complementary technology to support their needs. It's empowering for development teams and it adheres both to newer styles of development as well as legacy ones that use agile methodologies. The difference here is that an entire model is being used and it affects the infrastructure on which the organization operates. It's also opening up potential access to the private data that's created, stored, and transacted within that infrastructure.
In most things in life, there is a level of forgiveness, but technology isn't among them, and this is where shadow development efforts are problematic. The issue is that all technology and its resulting activity must adhere to companywide security goals and requirements. This can't be a case of asking for forgiveness after the fact because slip-ups can lead to disastrous results.
Enterprises in which shadow IT exists must find a way to instill security as part of all IaaS development processes, but in a way that still allows for speed and agility. Developers dig speed, and they also like it when their technology efforts directly support business goals. It's important to give them that without sacrificing security.
The issue requires creating a mindset around security that is embedded into the organization's DNA, one that is accompanied by specific, actionable approaches that are baked into the overall security operations. That's a tall order, but innovative organizations need to strengthen their overall security posture in cloud environments. To do that, however, requires that organizations consider five critical elements about their infrastructure, especially when it operates as an IaaS:
1. Don't Neglect Development's Need for Speed
Every organization that is technologically mature is simultaneously running three environments: development, quality assurance, and production. They each serve different aspects of the application continuum and are interdependent, but to maintain an adequate level of security, they must establish and adhere to specific security requirements. At some point, new applications and tools, ones brought into the organization through team-level and individual use, will find their way onto the dashboard of IT. There must be a set of requirements and best practices around security so these tools can be seamlessly added into the organization's environment with as little disruption as possible.
2. Change Is the New Normal
What's deployed in public clouds is ephemeral: Containerized applications or virtualized environments are brought up and down constantly and do not rely on fixed IPs and port numbers. Any ancillary shadow applications and tools that are tied to these resources must be monitored to ensure that their security controls coexist with those of the underlying cloud platform, especially as it changes quickly.
3. Respect the Complexity
The nature of what needs to be protected in the cloud is more complex and made of raw building blocks. Organizations adopt public clouds such as Amazon Web Services (AWS) in order to rapidly leverage innovative technologies available on demand without having to invest significantly in new skills. No two deployments on AWS are alike, and security solutions need to account for the fact that teams using shared repositories may be coming from different access points.
4. Prioritize Compliance
Although it may be a challenge to get teams to think about security when using shadow applications, invoking the need to be compliant can help. An organization often cannot operate when they are noncompliant with industry standards because rights and privileges are revoked, which can effectively kneecap the operational abilities of the company. Were this to happen, it could likely lead to companies completely banning shadow tools and services. Awareness of such draconian consequences can help drive home a message that security comes first.
5. Best Practices Are Best
As in all things, it's best to stick to the simplest course of action. Just as you would with any organizational priority, instill a culture of security throughout the company and educate best practices into the way teams and individuals operate. The more people know about the effects of poorly constructed versus proper security operates, the better chance you have that they will adhere on their own to the right way to do things.
- 8 Attack Vectors Puncturing Cloud Environments
- Who Takes Responsibility for Cyberattacks in the Cloud?
- Security at the Speed of DevOps: Maturity, Orchestration, and Detection
- Your Life Is the Attack Surface: The Risks of IoT