Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Clouds Cast Long Shadows

Being Quick to Deliver, Anticipate, and Meet the Needs of Customers is an Enviable Ability for any Organization. Can your IT and Security Keep-up?

Being Quick to Deliver, Anticipate, and Meet the Needs of Customers is an Enviable Ability for any Organization. Can your IT and Security Keep-up?

Individuals and groups within organizations will embrace solutions that meet their needs today. Before cloud computing (of all forms), IT had a monopoly; if someone wanted to do something and it involved computers, IT had to be engaged. This is no longer the case. IT is a service, and that service must now compete with shadow IT. Official policy stating ‘thou shall not cloud’ is useless. Instead, IT must be a partner to business groups and individuals. People don’t actively try to create shadow IT. Shadow IT is a symptom that shows IT is not responding to the needs of the business. For myriad reasons, shadow IT is not secure.

The industry has recently been in much the same position on a different subject; bring your own device. Many IT groups have come to accept that the BYOD battle, if there really ever was one, is over. It ended the day a senior manager strolled into the IT offices and demanded that his/her tablet be able to access email. Following the same storyline, IT groups and security staff must accept public cloud usage as all-but inevitable. Instead of bring your own device, public cloud can be described as bring your own server.

Shadow IT and Cloud ComputingAs security-minded folks, it is too easy for us to point at public cloud done outside of the oversight of IT, bang our heads on our desks, and mutter about how terribly wrong shadow IT is. We know that IT groups have people, processes, and technologies in-place to protect the data of an organization. We also know that the people driving business units and projects will use shadow IT if we cannot help them achieve their objectives. Where can we strike a balance between public cloud and security?

Any modern business has an Internet presence, email, and so-on. Most organizations are not driven by IT, though there are exceptions (software-as-a-service vendors, for example). Instead, the business is supported by IT. However, within or across organizations, growing an online presence is a key part of overall business strategy. For these groups, IT resources are a very important tool. If a group can’t procure new servers quickly, they risk not being able to execute their growth strategy quickly and efficiently. In other words, to get to market quickly, a business unit may need to go outside of IT. While the renegades are doing shadow IT, who’s watching to make sure what needs to be protected is, in fact, being protected?

This simplicity and flexibility is at the core of why groups within organizations adopt public cloud. Whether officially sanctioned or not, developers can bring an application to market quickly, and with low operational risk. There isn’t a large, up-front capital investment, which lowers the barrier to entry. Internally, there is also little risk. If sales take-off, forgiveness will be granted. If sales only trickle in, the costs are controlled, and so again, forgiveness is easy to grant when ongoing costs and start-up investments are relatively in-line with revenue. Public cloud is perhaps too simple by half. Datacenter virtualization created server sprawl; public cloud takes sprawl to a whole new level, leaving security in the distant wake. At least with datacenter server sprawl, systems were still behind well-defined perimeter security. With public cloud, who is watching-over the perimeter, let alone the data residing on, or accessed by, these new endpoints?

To hope to keep-up, the IT group and security staff must provide options, and provision them in near real time (no ‘quick and hollow’ options!).. At larger organizations, private cloud is preferred, but hard to achieve (I mean real private cloud, not a highly virtualized datacenter; true on-demand, self-provisioning, datacenters). At smaller organizations, working with a short list of public cloud vendors, or perhaps only one, is a viable option. IT can get to know what a few vendors offer, how to take full advantage of their resources, what they secure as part of the basic offering, what enhancements are available, and what must be brought-in from without.

Renegades will go with shadow IT, and the better the organization is at pumping out new lines of business or new applications, the more renegades there likely are in the organization. How fast is your organization? Remember, being quick to deliver, anticipate, and meet the needs of your customers is an enviable ability for any organization. Can your IT and security keep-up?

Advertisement. Scroll to continue reading.
Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.