We should start talking about "Shadow Cloud"


In 2017, Shadow IT has become a cloudier issue, pun intended
People and teams work differently than they did 15, 10, even 5 years ago. Employees want to work from anywhere, chat, collaborate and share information quickly and easily, and on any device. At the same time, they are creating, storing and accessing exponentially more data than they used to; IDC estimates that the amount of data created doubles every two years. The new rules for digital business impose new requirements for new applications, often of the cloud variety. Managing these factors and the expectations that come with them presents new challenges for information security.

Shadow IT, the use of unauthorized technology applications within an organization's application environment, can be likened to a Trojan horse. Once in use, "shadow" applications can have access to sensitive, confidential and/or proprietary data, yet not adhere to any DLP policies you have in place. Worse yet, when not properly identified, these applications, if compromised, can provide an alternative entry point to your organization's credentials, policies, procedures and information.

Traditionally, these applications were installed locally; remove users' rights to install software and you minimize the risk. In the early 2000s this changed: applications were hosted and used through the internet. Security professionals responded by blocking URLs, limiting access to these applications. Yet business need and requirements led to these policies being relaxed. Simply blocking application usage stifles innovation and gets in the way of the mobile-first, cloud-first way that people and organizations wish to collaborate.

There is a strong business case for continuously leveraging and implementing cloud applications as we've come to know them. Public cloud applications such as Office 365, Salesforce and Box, as well as expansive service providers such as AWS, Microsoft Azure and Google Cloud Platform, warrant no introduction. These providers help organizations collaborate, automate tasks and work more effectively. Whether of the SaaS, PaaS or IaaS variety, these solutions provide a robust degree of security and compliance capability, much of it configurable and customizable based on specific requirements. But enterprise cloud solutions are not the whole of the cloud application picture. There are also consumer applications, and many providers offer both consumer and enterprise editions of the same service (Google and Microsoft, for example). Understanding and applying a uniform policy to applications with different security architectures and rules is a real challenge.

Simply put, the beauty of the cloud is also a danger. Automation, agile infrastructure, a rapid release cadence and new, community-focused features are all built into a cloud solution by nature. Consider the speed at which applications can be "spun up", data imported, processes built and user accounts configured. On the flip side, that same ease of provisioning and access complicates the management of:
  • Risky behavior
  • Compliance requirements
  • Security policies
  • Threat detection
  • Incident response
These aspects are especially interesting when we consider how many cloud applications are in play at a given organization. Complicating matters are often:
  1. A wide range of available business- or consumer-focused cloud applications 
  2. A security or oversight architecture built for on-premises applications
  3. Differing cloud security models by service provider
When not understood or addressed appropriately, these factors become a bigger, more unmanageable problem. Something to ask yourself is: are you aware of the cloud applications your organization is exposed to?

Many organizations default to the cloud for customer facing, analytics or mobile applications, so this may be an easy answer for some use cases - but not all. 

Consider that many providers are constantly creating new solutions with new features, meeting new requirements to solve business problems that your organization may not face yet. These providers market directly to the business, advertising solutions to problems that IT may not fully comprehend. Understanding these applications, their use and best practices, and folding them into the overall application strategy AND the security architecture is a big undertaking, and an often-missing part of an organization's application, security and compliance strategy.

Taking a step back, your organization may already be on its way to addressing some of these concerns. For instance, an important part of a strong security strategy has traditionally been identity and access management, or IAM: the capabilities that give the right people access to the right resources based on specific requirements. If your organization uses an IAM solution (such as Azure AD, AWS Directory Service or Okta Cloud Connect), then you can probably draw up a list of known, federated solutions. But what about the unknown: shadow cloud solutions? Indeed, in thinking about the greater cloud security question mark:
  • Can you and do you continuously monitor your environment for sanctioned and unsanctioned cloud solutions?
  • How do you deploy cloud applications? 
  • What is your strategy around corporate-sanctioned and employee-introduced cloud apps?
  • Do you standardize on cloud applications based on a detailed and involved process, continually reviewing usage and fit?
  • Can corporate customers go "shopping" through a catalog of cloud services?
  • How do you maintain control over data access and sharing?
  • What policies do you have to protect data from unauthorized access?
  • Do your cloud applications meet data privacy requirements set by customers, industry or government?
Reviewing this list of questions should give pause. These are strategic questions that suggest not only a different relationship between IT and the business but also a focused approach to using cloud applications when appropriate. Increasingly, the laws and business models of the world lag behind behavior, and IT within a business is no different. Ideally, your organization will seek to make it easier for people to use the applications that make sense, through a scalable, risk-averse process. This has two benefits. The first is true vetting and understanding of use from an IT security perspective. The second is enabling people and processes. Issues of:
  • Training
  • Adoption
  • Support
  • Usage
  • Customization
  • Configuration
  • Best Practices
  • Integration
...can become tight webs to untangle without a coherent strategy in place to minimize risk AND maximize value. Having a cloud process, facilitation, coordination and security strategy is essential to enabling a business and its people in an increasingly mobile-first, cloud-first world. 

Until this point I've talked about the problem. The solution is, of course, fluid: it is not one solution, one policy, nor one FTE, but rather a focused, dedicated effort involving three factors: 
  1. People
  2. Process
  3. Technology
Factors such as training, education, development and talent help reinforce and develop formalized policies and procedures, which can then be instituted, maintained and continuously improved with feedback, using technology. 

The technology aspect can often be addressed using a type of software known as a Cloud Access Security Broker (CASB). This software sits between consumers and cloud solutions, offering a mechanism to discover and evaluate cloud solutions, protect information assets, and enforce adherence to security policies, procedures and compliance requirements. As a word of wisdom: this technology should be seen as a way to reinforce organizational policies and procedures, not as a substitute for establishing them. A CASB solution should be seen as an enabler of a robust cloud solution strategy.
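The monitoring question raised earlier (can you continuously see sanctioned and unsanctioned cloud use?) and the CASB's position between users and cloud solutions both start from the same first step: discovery, which in practice means correlating outbound traffic against an inventory of what the organization has actually approved. The following Python script is an added example, not code from the original post or from any CASB product, that performs that first step by hand over web-proxy logs. The five-field log format, the domain lists and the log lines themselves are all constructed for illustration; the one point worth copying is the dot-boundary suffix match, which keeps a look-alike domain such as fakesharepoint.com from being counted as sanctioned SharePoint traffic.

```python
"""Shadow cloud discovery from web-proxy logs.

Added example, not from the original post. It assumes a hypothetical
proxy log format with five whitespace-separated fields:
  <ISO timestamp> <user> <destination host> <bytes sent> <bytes received>
and a sanctioned-app inventory maintained by the organization. The
inventory, the catalog and the log lines below are all constructed.
"""
from dataclasses import dataclass, field

# Sanctioned inventory: registrable domain -> app name (assumed, illustrative).
SANCTIONED = {
    "office.com": "Office 365",
    "sharepoint.com": "Office 365",
    "salesforce.com": "Salesforce",
    "box.com": "Box",
}

# Catalog of cloud apps we can name when seen (assumed, illustrative).
# Anything not in SANCTIONED is reported as unsanctioned whether or not it
# appears here; the catalog only supplies a friendly name for the report.
CATALOG = {
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
    "drive.google.com": "Google Drive",
}

# Constructed sample proxy lines (not real traffic).
SAMPLE_LOG = """\
2017-05-01T09:02:11Z alice acme.sharepoint.com 2048 81920
2017-05-01T09:05:43Z bob www.dropbox.com 5242880 1024
2017-05-01T09:07:02Z carol drive.google.com 3145728 4096
2017-05-01T09:09:15Z alice fakesharepoint.com 1048576 512
2017-05-01T09:11:30Z bob login.salesforce.com 512 20480
2017-05-01T09:15:01Z dave wetransfer.com 7340032 2048
"""


@dataclass
class AppUsage:
    name: str
    users: set = field(default_factory=set)
    bytes_out: int = 0  # bytes sent towards the app, i.e. potential data leaving


def match_domain(host, table):
    """Return the key in table that equals host or is a parent domain of host.

    Matching walks label by label from the left, so it only succeeds on dot
    boundaries: 'acme.sharepoint.com' matches 'sharepoint.com', but the
    look-alike 'fakesharepoint.com' does not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def parse_line(line):
    """Parse one proxy line in the assumed five-field format."""
    ts, user, host, b_out, b_in = line.split()
    return {"ts": ts, "user": user, "host": host,
            "bytes_out": int(b_out), "bytes_in": int(b_in)}


def discover(log_text):
    """Split observed traffic into sanctioned and unsanctioned app usage.

    Returns (sanctioned, unsanctioned): dicts mapping app name -> AppUsage.
    Unknown hosts are kept under their own host name so nothing is dropped.
    """
    sanctioned, unsanctioned = {}, {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        key = match_domain(rec["host"], SANCTIONED)
        if key:
            bucket, name = sanctioned, SANCTIONED[key]
        else:
            cat_key = match_domain(rec["host"], CATALOG)
            bucket = unsanctioned
            name = CATALOG[cat_key] if cat_key else rec["host"]
        usage = bucket.setdefault(name, AppUsage(name))
        usage.users.add(rec["user"])
        usage.bytes_out += rec["bytes_out"]
    return sanctioned, unsanctioned


def report(unsanctioned, min_bytes_out=1_000_000):
    """Unsanctioned apps with at least min_bytes_out uploaded, largest first.

    Each row is (app name, distinct users, bytes sent). The threshold keeps
    incidental browsing out of the report and surfaces bulk uploads.
    """
    rows = [(u.name, len(u.users), u.bytes_out)
            for u in unsanctioned.values() if u.bytes_out >= min_bytes_out]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    _, unsanctioned = discover(SAMPLE_LOG)
    for name, n_users, b in report(unsanctioned):
        print(f"{name:<24} users={n_users} bytes_out={b}")
```

On the constructed sample this lists WeTransfer, Dropbox, Google Drive and the unknown host fakesharepoint.com, in that order, while the SharePoint and Salesforce traffic is counted as sanctioned. In a real deployment the inventory would come from the IAM or CASB catalog rather than a hard-coded dictionary, and the report would be run continuously rather than once.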

Implementing a cloud strategy is a strategic opportunity: it reduces the shadow cloud risk and opens the door to transformation. Interestingly enough, it will require increasing collaboration between IT and business stakeholders, which is not a bad thing!

Proper education and change management initiatives will best empower people to collaborate and work more effectively while staying under the umbrella of the organization's compliance, security and oversight requirements. Simply investing in a CASB solution does not constitute success; it is the start of a continual education for the business. Just as security is a fluid, constant process, conquering the "shadow cloud" is a continuous process within the security equation. 
