With the increase in cloud computing, consumer devices and BYOD in the workplace, it's become increasingly difficult...
for IT departments to keep track of and manage software and hardware, and maintain a secure environment at the same time. Systems and applications in use by employees without the direct involvement or knowledge of IT are often referred to as shadow IT.
The Cloud Security Alliance's 2014 Cloud Adoption Practices and Priorities survey highlights the growing trend that enterprises lack control over shadow cloud apps and services, and a large percentage don't even have a program in place to manage them. We've known this for some time -- McAfee (Intel Security) also conducted a survey in 2013 on the use of "shadow software as a service (SaaS)" in enterprises, and found that a significant number of respondents either do not have policies related to the use of SaaS applications, or simply don't know what they don't know.
Threats lurking in the shadow cloud
Shadow cloud services and assets can lead to many issues and risks, including:
- Wasted time, energy and investments: Shadow cloud can easily lead to wasted time, energy and investments in traditional IT. If employees use non-approved technology, wasted efforts can include training on approved technologies, security technology policies that don't touch shadow cloud, audits and investigations that provide less accurate or effective results, incidents and response efforts due to unapproved technology, help desk and support needed, and bypasses of technology/security controls altogether.
- Inefficiency: One often-overlooked area that is heavily affected by shadow cloud is process development and execution. For organizations striving to develop and advance process maturity for operations, shadow cloud can be a huge setback. Shadow cloud can lead to inefficiencies in audits and audit effectiveness, inventory and configuration management processes and practices, patch and vulnerability management programs, overall process efficiency initiatives such as Six Sigma, and IT operations processes.
- Data loss or leakage: Shadow cloud can easily lead to data loss or leakage. When employees illicitly use cloud services like Dropbox and others for storage of sensitive data, data is being stored outside the organization and could be exposed in a cloud provider breach. Any data or systems stored in the cloud could be susceptible to an attack against the cloud provider or other tenants.
- Unknown vulnerabilities: When systems and applications are deployed unknowingly, they are not listed in any system or app inventory, and likely don't meet configuration and patch management requirements. Shadow cloud assets and applications may also be susceptible to vulnerabilities that are announced and not monitored by IT staff, and may also be subject to zero-day vulnerabilities with no patches or fixes available. Any of these issues can lead to potential risk elevation, and an organization's entire risk profile can be heavily skewed due to the existence of vulnerable shadow cloud systems and apps.
- Unknown targets for attack: Similar to unknown vulnerabilities, this category focuses explicitly on lack of sound system and data inventory. Systems unknown to inventory are ripe for attack, especially cloud services that can easily contribute to a widely expanded attack surface.
Shining a light on shadow cloud
While there are numerous risks associated with shadow cloud, there are strategies security teams can use to get a handle on them. Some key mitigation steps organizations can take now include:
- Policies and guidelines: Security policies have to be more granular, driven by business processes on the one hand and risk on the other. CISOs must explain risk-based granular security policies and enforcement for cloud implementations to business managers. In turn, business managers need to get the security team to understand how business processes should and shouldn't work when they want to use cloud services. Addressing allowed and disallowed use of cloud services in a policy is the first step to controlling shadow cloud.
- Monitoring and access restriction: Monitoring data and traffic going into the cloud is critical in detecting the use of shadow cloud. Access restriction to internal networks, systems and data can also be useful in identifying unknown systems and apps. A good starting point is with content filters to the Internet (URL filters). Cloud-specific content and application filtering is now available from vendors like Skyhigh Networks and Netskope, which can readily assist in detecting and preventing shadow cloud use. Even if an organization chooses not to fully restrict access, monitoring and logging can help to determine what is in use. This can lead to alternatives and risk prioritization.
- Infrastructure controls: Fundamental controls like firewall rules, subnet delineation, VLANs and ACLs can be helpful. Hardened system configurations, scanning and patching can help prevent unauthorized installation of applications within known cloud environments.
Shadow cloud highlights other business needs
It's no secret that getting a grip on the use of shadow cloud can be a long and difficult process. Usually, shadow cloud signals political issues or business needs gaps that need to be addressed in an organization, and it is really the job of information security to provide safer alternatives wherever possible. Fortunately, there are numerous tools and technologies that can help.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
Learn how to find shadow cloud usage in your enterprise.