While we can blame the cloud for shadow IT 2.0, SaaS isn’t the culprit this time. New competitive disruptors to our businesses are armed with digital services, making digitalization a mandate for business survival. Digitalization, though, requires agility. Waiting six weeks for new server infrastructure doesn’t work in today’s competitive environment.
Developers and operations are responding with an agile approach through DevOps practices, and are rapidly implementing new services in the public cloud, largely IaaS. DevOps is focused on increasing release velocity of custom apps to support business opportunities, while improving software quality to reduce waste. But, this rapid software development cycle makes it so that security teams are often unaware that critical business applications are flourishing outside of their purview.
Over 4,500 common vulnerabilities and exposures (CVEs) are published each year. No developer, regardless of skill, can keep current with that pace. If custom code escapes security testing according to policy, it’s likely to include known vulnerabilities that can be exploited.
There is little benefit to being first to market with a new digital service, if the poor security of that service results in customer churn due to exposure of customer information or attacker disruption.
While the first wave of shadow IT was driven by business users directly acquiring cloud services without necessary security controls, this next iteration comes from within IT. Consider these three ways to mitigate the potential vulnerabilities that unprotected custom code running in the public cloud presents.
Embrace the DevOps culture
DevOps blurs the traditional IT boundaries between operations and development to achieve the shared goal of digital agility for the business. While this promotes a collaborative culture, security will be isolated if it is seen as a bottleneck rather than a partner to achieving business objectives.
Security, rather, can capitalize on the collaborative culture by demonstrating an appreciation for the business goals, and supporting efforts to deliver custom code that isn’t going to break in production due to vulnerabilities. This means asking developers what they need to write secure code and providing those resources, whether that is training, checklists or best practices.
Automate security testing of custom code
DevOps makes much use of automated testing, and Application Security Testing (AST) can be incorporated into the other automated testing processes already in place. While AST isn’t foolproof, it can take on the heavy lifting of looking for known vulnerabilities. If it can be added to the deployment pipeline, developers will be more likely to support its use rather than circumvent testing, especially if it means faster final code review.
Apply consistent access controls and governance for IaaS
Conventional wisdom is that the major IaaS vendors are more secure than local data centers due to the security resources available to the big three - Amazon, Microsoft and Google. However, there is a shared security responsibility for the organization deploying code to the public cloud.
With the original form of shadow IT, one of the primary security challenges was access control, which gave rise to tools or services that centrally broker access to SaaS applications as a policy enforcement point. IaaS access controls must likewise be formalized and enforced, but in a way that does not inhibit the continuous deployment of code.
Consider the use of a cloud access proxy server that centrally enforces access policy controls, offers the convenience of single sign-on for developers who may need to access multiple cloud services, and can produce governance reports both for compliance and cost-saving purposes. Zombie workloads in the cloud consuming resources is a waste of money.
In the end, Shadow IT 2.0 is a symptom of a bigger problem – the inability to maintain digital competitive advantage due to the insufficient pace of code deployment. Developers aren’t necessarily adverse to security, but they feel the business pressure to deploy most acutely. Finding ways to work together to achieve this common goal in support of the business is the path to combating Shadow IT 2.0.