Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Three Ways to Combat Shadow IT 2.0

While we can blame the cloud for shadow IT 2.0, SaaS isn’t the culprit this time. New competitive disruptors to our businesses are armed with digital services, making digitalization a mandate for business survival. Digitalization, though, requires agility. Waiting six weeks for new server infrastructure doesn’t work in today’s competitive environment.

While we can blame the cloud for shadow IT 2.0, SaaS isn’t the culprit this time. New competitive disruptors to our businesses are armed with digital services, making digitalization a mandate for business survival. Digitalization, though, requires agility. Waiting six weeks for new server infrastructure doesn’t work in today’s competitive environment.

Developers and operations are responding with an agile approach through DevOps practices, and are rapidly implementing new services in the public cloud, largely IaaS. DevOps is focused on increasing release velocity of custom apps to support business opportunities, while improving software quality to reduce waste. But, this rapid software development cycle makes it so that security teams are often unaware that critical business applications are flourishing outside of their purview.

Shadow IT Control

Over 4,500 common vulnerabilities and exposures (CVEs) are published each year. No developer, regardless of skill, can keep current with that pace. If custom code escapes security testing according to policy, it’s likely to include known vulnerabilities that can be exploited.

There is little benefit to being first to market with a new digital service, if the poor security of that service results in customer churn due to exposure of customer information or attacker disruption.  

While the first wave of shadow IT was driven by business users directly acquiring cloud services without necessary security controls, this next iteration comes from within IT. Consider these three ways to mitigate the potential vulnerabilities that unprotected custom code running in the public cloud presents.

Embrace the DevOps culture

DevOps blurs the traditional IT boundaries between operations and development to achieve the shared goal of digital agility for the business. While this promotes a collaborative culture, security will be isolated if it is seen as a bottleneck rather than a partner to achieving business objectives.

Security, rather, can capitalize on the collaborative culture by demonstrating an appreciation for the business goals, and supporting efforts to deliver custom code that isn’t going to break in production due to vulnerabilities. This means asking developers what they need to write secure code and providing those resources, whether that is training, checklists or best practices.

Advertisement. Scroll to continue reading.

Automate security testing of custom code

DevOps makes much use of automated testing, and Application Security Testing (AST) can be incorporated into the other automated testing processes already in place. While AST isn’t foolproof, it can take on the heavy lifting of looking for known vulnerabilities. If it can be added to the deployment pipeline, developers will be more likely to support its use rather than circumvent testing, especially if it means faster final code review.

Apply consistent access controls and governance for IaaS

Conventional wisdom is that the major IaaS vendors are more secure than local data centers due to the security resources available to the big three – Amazon, Microsoft and Google. However, there is a shared security responsibility for the organization deploying code to the public cloud. 

With the original form of shadow IT, one of the primary security challenges was access control, which gave rise to tools or services that centrally broker access to SaaS applications as a policy enforcement point. IaaS access controls must likewise be formalized and enforced, but in a way that does not inhibit the continuous deployment of code.

Consider the use of a cloud access proxy server that centrally enforces access policy controls, offers the convenience of single sign-on for developers who may need to access multiple cloud services, and can produce governance reports both for compliance and cost-saving purposes. Zombie workloads in the cloud consuming resources is a waste of money.

In the end, Shadow IT 2.0 is a symptom of a bigger problem – the inability to maintain digital competitive advantage due to the insufficient pace of code deployment. Developers aren’t necessarily adverse to security, but they feel the business pressure to deploy most acutely. Finding ways to work together to achieve this common goal in support of the business is the path to combating Shadow IT 2.0.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.