Most IT leaders will remember the days of “shadow IT” without much joy. As employees brought their own apps and solutions into the business, they also ushered in a surge of security issues throughout systems and networks – leaving IT scrambling to find the right balance between choice, flexibility, and control. The same issue now faces IT from a different source: cloud adoption.
For most businesses, one cloud is not enough: it takes numerous “as-a-service” options, often coupled with private cloud infrastructure, to meet the enterprise’s full range of use cases and departmental requirements. Beyond just hybrid cloud infrastructure, more and more enterprises are gravitating towards a multi-cloud environment – one in which they find themselves looking after a suite of SaaS, IaaS, and PaaS solutions, many of which lack integration or compatibility with one another. It’s no wonder SaaS spending continues to rise at nearly 25 per cent per year as businesses adopt an ever-increasing range of point solutions for their various needs.
At the same time, developers and lines-of-business like marketing hold increasing autonomy over how they purchase and consume their own IT resources – the sort that emerged during the shadow-IT era and never really went away. And as these independent actors start to bring their own cloud solutions into play, IT will find itself confronted with a new threat: “shadow cloud”, made up of cloud services that they either lack visibility or control over.
How can IT leaders stop the onset of the cloud’s shadow before it falls upon their infrastructure? As with past fears around shadow IT, doing so will take a twofold approach: more comprehensive security platforms, and greater situational awareness amongst both IT teams and end-users themselves.
An automatic approach to coverage
First, IT leaders will need a new breed of security platforms to cover the spread of shadow cloud. These platforms go beyond static network, systems, and application protection to focus on something new: automatic adaptation whenever the organisation’s threat surface expands. The sheer speed and scale at which end-users can spin up new cloud services means IT’s cloud security portfolio must be equally agile and aware when such services come into play.
Centralising cloud security on a single, overarching platform makes increasing sense in a multi-cloud world. Just as mobile device management (MDM) platforms brought incredibly diverse devices and apps into a “single source of truth” – and control – the most effective cloud security platforms will govern every as-a-service offering from the one dashboard or console. Ideally, such platforms should automatically provision new layers of security as new workloads emerge on the organisation’s network, as well as automatically scaling up network defences to match real-time movements in traffic which might signal or attract a breach. Some, like Fortinet’s, will even segment and silo different types of always-on connections to keep a breach in one service from compromising others.
These security platforms will, at some point, autonomously detect and govern the full range of cloud services used within an organisation. Until then, however, IT leaders will also need to invest as heavily as possible in the other pillar of multi-anything security: end-user awareness and education.
Security through people-power
During the days of shadow IT, achieving buy-in implement stricter “control” initiatives, limiting purchases by line-of-business, often proved difficult because end-users – including senior management – simply did not appreciate the potential impact of a breach. For most organisations, that should no longer be the case. The high-profile nature and headline-grabbing costs of successful breaches, compounded by the growing penalties and compliance requirements of regulations like the Notifiable Data Breach scheme, have put cybersecurity on most boardroom agendas in some shape or form. Most employees know that cyber threats are real, and costly; the challenge now is to turn that awareness into safer behaviour.
Rigorous monitoring of the network perimeter can help IT teams detect where unregulated cloud services or APIs are being called, and by whom. From there, IT leaders can work with end-users of those services to bring them under the organisation’s security platform, or find ways to integrate them as securely and compliantly as possible into other parts of the business’ cloud infrastructure. When working on compliance or meeting evolving regulatory needs, IT may wish to bring in third-party partners to assist in making sure their colleagues’ cloud implementation falls within the latest best practice.
The combination of a wider and more fragmented cloud surface, coupled with rising compliance and regulatory burdens, makes security in the face of “shadow cloud” harder than ever before. For IT, the key is collaboration: working with developers, marketers, and other cloud adopters will inevitably yield far better results and lesser compliance leakage than putting a restrictive hold on the business. At the same time, IT leaders should focus on deploying cloud security platforms that can automatically detect and govern the entire organisational portfolio of cloud services under a single highly transparent set of controls. That visibility, coupled with support from end-users themselves, will help keep the shadow of a cloud breach at bay.