Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Three Ways to Combat Shadow IT 2.0

While we can blame the cloud for shadow IT 2.0, SaaS isn’t the culprit this time. New competitive disruptors to our businesses are armed with digital services, making digitalization a mandate for business survival. Digitalization, though, requires agility. Waiting six weeks for new server infrastructure doesn’t work in today’s competitive environment.

While we can blame the cloud for shadow IT 2.0, SaaS isn’t the culprit this time. New competitive disruptors to our businesses are armed with digital services, making digitalization a mandate for business survival. Digitalization, though, requires agility. Waiting six weeks for new server infrastructure doesn’t work in today’s competitive environment.

Developers and operations are responding with an agile approach through DevOps practices, and are rapidly implementing new services in the public cloud, largely IaaS. DevOps is focused on increasing release velocity of custom apps to support business opportunities, while improving software quality to reduce waste. But, this rapid software development cycle makes it so that security teams are often unaware that critical business applications are flourishing outside of their purview.

Shadow IT Control

Over 4,500 common vulnerabilities and exposures (CVEs) are published each year. No developer, regardless of skill, can keep current with that pace. If custom code escapes security testing according to policy, it’s likely to include known vulnerabilities that can be exploited.

There is little benefit to being first to market with a new digital service, if the poor security of that service results in customer churn due to exposure of customer information or attacker disruption.  

While the first wave of shadow IT was driven by business users directly acquiring cloud services without necessary security controls, this next iteration comes from within IT. Consider these three ways to mitigate the potential vulnerabilities that unprotected custom code running in the public cloud presents.

Embrace the DevOps culture

DevOps blurs the traditional IT boundaries between operations and development to achieve the shared goal of digital agility for the business. While this promotes a collaborative culture, security will be isolated if it is seen as a bottleneck rather than a partner to achieving business objectives.

Advertisement. Scroll to continue reading.

Security, rather, can capitalize on the collaborative culture by demonstrating an appreciation for the business goals, and supporting efforts to deliver custom code that isn’t going to break in production due to vulnerabilities. This means asking developers what they need to write secure code and providing those resources, whether that is training, checklists or best practices.

Automate security testing of custom code

DevOps makes much use of automated testing, and Application Security Testing (AST) can be incorporated into the other automated testing processes already in place. While AST isn’t foolproof, it can take on the heavy lifting of looking for known vulnerabilities. If it can be added to the deployment pipeline, developers will be more likely to support its use rather than circumvent testing, especially if it means faster final code review.

Apply consistent access controls and governance for IaaS

Conventional wisdom is that the major IaaS vendors are more secure than local data centers due to the security resources available to the big three – Amazon, Microsoft and Google. However, there is a shared security responsibility for the organization deploying code to the public cloud. 

With the original form of shadow IT, one of the primary security challenges was access control, which gave rise to tools or services that centrally broker access to SaaS applications as a policy enforcement point. IaaS access controls must likewise be formalized and enforced, but in a way that does not inhibit the continuous deployment of code.

Consider the use of a cloud access proxy server that centrally enforces access policy controls, offers the convenience of single sign-on for developers who may need to access multiple cloud services, and can produce governance reports both for compliance and cost-saving purposes. Zombie workloads in the cloud consuming resources is a waste of money.

In the end, Shadow IT 2.0 is a symptom of a bigger problem – the inability to maintain digital competitive advantage due to the insufficient pace of code deployment. Developers aren’t necessarily adverse to security, but they feel the business pressure to deploy most acutely. Finding ways to work together to achieve this common goal in support of the business is the path to combating Shadow IT 2.0.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...