In a recent Forbes magazine report, it was noted that worldwide spending on public cloud services would grow from nearly $70B in 2015 to more than $141B in 2019. The benefits of speed to market are powerful drivers, as companies are moving to a more “agile” approach to technology deployment and business operations.
Traditional IT organizations are typically not well placed to support an agile model, which has fueled the proliferation of Shadow IT. Shadow IT is the adoption of non-sanctioned technology, which can empower users but also result in security and compliance risks to an organization.
It is becoming increasingly easier and faster to acquire cloud resources with little to no technical knowledge. While the major cloud vendors have built strong security capabilities within their platforms and services, the onus is on the tenant to implement them properly.
The following provides practical steps that can be used to counter Shadow IT.
The Process Route
By establishing processes that incorporate concise security control requirements and contract language provisions to measure the viability and compliance of a given cloud provider upfront, you can save considerable headaches down the road. A clear engagement process should include the items captured below, and it must be defined and communicated to the business so that everyone knows how these services are requested, reviewed and approved.
Establish a Cloud Policy
Establish official company cloud policies and standards with executive support. Key elements should include:
- Data localization constraints: Understand the restrictions on where your data must be created and stored under local privacy laws. Ensure the cloud provider can support your company’s particular needs.
- Data constraints: Determine what data is permissible for cloud use and which controls are required (encryption, access control, data handling and disposal).
- Awareness: Communicate the company’s position on cloud to key stakeholders and business organization leadership.
Partner with legal, vendor and finance teams
This is the first line of defense in most organizations, as the intake for new vendors and services typically starts here. Establish guidelines for cloud vendor assessment. Work with legal to develop the appropriate contract language to address security and privacy requirements. Two useful resources that can be leveraged:
- NIST SP 800-161 on supply chain risk management
- The Cloud Security Alliance GRC Stack
Work with your finance department
Because cloud services are typically purchased with credit cards, develop a process to identify cloud-related expenses and report on them.
Establish company sanctioned cloud provider offerings
By providing vetted and sanctioned cloud capability, you lessen the chance of Shadow IT adoption.
The Technical Route
Sometimes you need to combat technology with technology. The good news is that most organizations already have tools in place to help, and the industry has been keen to understand this new threat landscape, so new solutions are emerging.
Most environments have some level of network access control and monitoring capability. Firewalls, IDS/IPS, content filters and proxy technologies can provide a wealth of information on network and data activity. By establishing filtering criteria and reporting, you can detect external cloud activity by known IP ranges or through the application identification and categorization capabilities within next generation firewalls and content filters. This should be established as a process that is run and reported on periodically.
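The detection the paragraph describes, as an added example that is not from the original article: proxy log lines are matched against known provider IP ranges and domain suffixes, sanctioned offerings are excluded, and the rest is aggregated into a per-service report of which internal clients used it and how much they uploaded. The log lines, IP ranges, domains and service names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed proxy log (not from a real environment):
# timestamp client_ip method dest_host dest_ip bytes_sent
PROXY_LOG = """\
2016-03-01T09:12:01 10.1.4.22 POST files.example-share.net 203.0.113.10 5242880
2016-03-01T09:12:09 10.1.4.22 GET www.example.com 198.51.100.7 1024
2016-03-01T09:13:44 10.1.7.90 PUT bucket.exampleblob.net 203.0.113.77 104857600
2016-03-01T09:15:02 10.1.4.31 POST sync.exampledrive.io 192.0.2.15 20971520
2016-03-01T09:16:30 10.1.9.12 GET api.sanctioned-crm.example 198.51.100.50 4096
"""

# Illustrative indicators only (documentation ranges, example domains). Real provider
# ranges change; refresh them from the providers' published lists on the same schedule.
CLOUD_IP_RANGES = {
    "ExampleShare": [ipaddress.ip_network("203.0.113.0/28")],
    "ExampleBlob": [ipaddress.ip_network("203.0.113.64/26")],
}
CLOUD_DOMAINS = {"exampledrive.io": "ExampleDrive",
                 "sanctioned-crm.example": "SanctionedCRM"}
SANCTIONED = {"SanctionedCRM"}  # company-approved offerings, excluded from the report


def classify(dest_host, dest_ip):
    """Map a destination to a known cloud service by IP range, then by domain suffix."""
    addr = ipaddress.ip_address(dest_ip)
    for service, nets in CLOUD_IP_RANGES.items():
        if any(addr in net for net in nets):
            return service
    for domain, service in CLOUD_DOMAINS.items():
        if dest_host == domain or dest_host.endswith("." + domain):
            return service
    return None


def shadow_cloud_report(log_text):
    """Per unsanctioned service: which internal clients used it and how much they uploaded."""
    report = defaultdict(lambda: {"clients": set(), "bytes_sent": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, host, ip, sent = line.split()
        service = classify(host, ip)
        if service is None or service in SANCTIONED:
            continue
        report[service]["clients"].add(client)
        if method in ("POST", "PUT"):  # upload-style requests move data outward
            report[service]["bytes_sent"] += int(sent)
    return dict(report)
```

Feeding a day's proxy export through `shadow_cloud_report` gives the periodic report the paragraph calls for; the same output also helps finance reconcile the credit-card charges mentioned earlier.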
Internet presence monitoring
Quite often, these Shadow IT deployments will attempt to brand the application with the organization's identity by using domain names that reflect the company name, service or product. A good mitigation approach is to periodically search for domain and host names containing company, service and product names.
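The periodic search described above, as an added example that is not part of the original article: a batch of newly observed hostnames (from whatever feed you have, such as DNS logs) is checked for brand tokens, with separators normalized away so that "acme-widgets" still matches, and anything under a company-owned registrable domain is ignored. The brand tokens, owned domains and hostnames are constructed for illustration.

```python
import re

# Constructed inputs (not real registrations): brand tokens to watch for, the
# domains the company actually owns, and a batch of newly observed hostnames.
BRAND_TOKENS = ["acmewidgets", "acme", "widgetcloud"]
OWNED_DOMAINS = {"acmewidgets.example", "acme-widgets.example"}
NEW_HOSTNAMES = [
    "portal.acmewidgets.example",        # owned: ignore
    "acme-widgets-hr.exampledrive.io",   # brand on a third-party SaaS domain
    "acmewidgetssupport.example.net",    # brand squeezed into a new domain
    "widget-cloud-beta.example.org",     # separator inserted inside the token
    "shop.unrelated.example",            # no brand: ignore
]


def registrable_domain(hostname):
    """Crude two-label suffix; use a public-suffix list in production."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def normalize(label):
    """Lowercase and drop separators so 'Acme-Widgets' matches 'acmewidgets'."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def find_brand_hosts(hostnames, tokens=BRAND_TOKENS, owned=OWNED_DOMAINS):
    """Return (hostname, matched_token) for hosts carrying a brand token
    that are not under a company-owned registrable domain."""
    hits = []
    # Longest token first so 'acmewidgets' is reported rather than just 'acme'.
    tokens = sorted((normalize(t) for t in tokens), key=len, reverse=True)
    for host in hostnames:
        if registrable_domain(host) in owned:
            continue
        squashed = normalize(host)
        for token in tokens:
            if token in squashed:
                hits.append((host, token))
                break
    return hits
```

Each hit is a lead for the engagement process, not proof of Shadow IT: confirm ownership with the business before treating a hostname as an unsanctioned deployment.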
Cloud Access Security Brokers (CASB)
Seeing a need, the security market always tries to take advantage of the opportunity to sell something new. CASB solutions offer a number of capabilities that help companies manage compliance and security of their cloud initiatives.
CASB solutions provide a number of capabilities such as:
- Visibility: Through audit mechanisms, security alerts and compliance reporting.
- Data security: Through access control, data loss prevention and encryption.
Some of these capabilities, most specifically visibility, have been lacking in the cloud space and have been a roadblock to cloud adoption for many organizations.
Combine Process & Technology
Industry statistics show that we can no longer ignore cloud adoption and deny our organizations the clear benefits cloud computing offers. As with any emerging disruptive technology, risk accompanies reward, and mitigating that risk is just another beast for us to wrestle. Doing so successfully, by setting clear direction and providing sanctioned cloud options, means the business achieves faster time to market, reduces cost and lessens the burden on IT.
As we work to ensure a secure approach while reducing risk to the organization, we can remain a step ahead of the cloud’s shadow.
About Thomas DeFelice
Thomas DeFelice, CISSP, brings over 20 years of experience to his role as an executive director of executive advisory in the Atlantic Coast region at Optiv. Prior to joining Optiv, Thomas worked at Pactera, Computershare and BJ’s Wholesale Club in various roles. Thomas is based in New Hampshire.