Cloud Security

Shadow IT: The silent cloud migration killer

As more organizations see the benefits the cloud can offer, enterprises are eager to implement cloud migration strategies. By next year, Gartner forecasts that 75 percent of organizations will take the next step and deploy a multicloud or hybrid cloud model to meet their IT needs. As with any major IT shift, there are several common pitfalls that organizations fall prey to during the adoption process. What’s the highest risk for security? Shadow IT.

Shadow IT is the phenomenon whereby employees who are not getting what they need from their own IT department set up storage or compute infrastructure at a public cloud provider and deploy applications or store data in the cloud.

Falling into the Shadows

Make no mistake, shadow IT can make your organization vulnerable. Not surprisingly, this means the first reaction of most CIOs is to shut it down – but this can be harder than one might think. There will always be a risk of employees going rogue and sneaking in the technology they believe makes their jobs easier.

Therefore, it’s important for enterprises to familiarize themselves with – and prepare to face the risks of – shadow IT, including:

  • Security: Enterprise data is scattered through hundreds of unsupervised apps and thousands of uncontrolled devices. It’s increasingly difficult to manage and maintain a strong network-first security strategy when there are unknown environments being utilized by employees.
  • Integration: With dozens, or even perhaps hundreds, of different clouds, how do you get them to work together?
  • Compliance: Enterprises have little to no control over what is happening in the shadow IT world.
  • Cost: Spending can easily get out of control when not monitored from a central point. 30 percent of technology spending occurs outside of IT’s control, and that number will only continue to grow.

When employees deploy their own clouds, they don’t necessarily have the skills or tools to make sure the deployment is secure, let alone maintain good security hygiene through proper patch management and vulnerability updates. Furthermore, cloud instances are frequently forgotten, as projects conclude or whatever web servers were deployed become outdated. The company risks a data leakage or an intrusion because of an attack surface the IT department did not even know existed.

A Light in the Darkness

While it’s very clear that shadow IT presents serious security challenges, it’s not an inherently bad thing that needs to be completely repressed. When employees get to choose their devices and apps, productivity can go way up. They can adopt the latest technologies faster than IT ever could and drive innovation by more agilely responding to market shifts. This is why CIOs are realizing that they — and their organizations—can actually benefit by coexisting or even embracing shadow IT.

Shadow IT can also provide enterprises with a coveted edge in attracting and retaining highly sought-after talent. The ability to choose and use desired systems is a real draw for IT pros. Organizations that wish to sweeten the pot for potential employees would be wise to consider seizing the opportunity shadow IT presents.

How to Successfully Integrate Shadow IT

It’s important to recognize that IT staff is always under pressure and stretched thin to deliver on business transformation initiatives. With shadow IT here to stay, enterprises need a strategy to include it in their cloud adoption journey.

For IT to retain any control over the security posture of the entire network presence, they must provide templates and tools that would enable a secure deployment. For example, deploying a new VPC should:

  • Automatically deploy a virtual firewall with all the necessary configurations to restrict access to the VPC to known sources
  • Secure the campus to cloud connection with a site to site VPN
  • Add the newly acquired IP addresses to a scanning solution to make sure the VPC never deviates from an acceptable posture

When planning a move to the cloud, it’s crucial that enterprises recognize and plan for potential pitfalls – shadow IT included. While these obstacles certainly come with their own sets of unique challenges, enterprises that find ways to use them to their advantage will come out on top.

Organizations must essentially decide to either cut out shadow IT altogether or integrate it. It’s a critical decision that requires both a look inward at the company’s current security posture, as well as a look forward at what it should be. Whatever the ultimate choice, understand the risks and potential rewards to avoid falling prey to this silent killer.

Related

New Muddled Libra attacks set sights on cloud

Attacks by the Muddled Libra threat operation — also known as UNC3944, Scattered Spider, Scatter Swine, and Starfraud — have been redirected at cloud service providers and software-as-a-service apps as part of efforts to bolster its data extortion efforts, reports The Hacker News.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.