Last week I wrote about how a vulnerable cloud server was deployed, ignored, and then owned by an attacker, with Amazon catching it and the entire cycle completing in just over two weeks. It had an obvious cause: skipping the part of the process in which unneeded cloud resources are shut down.
But I said that it demonstrated a much larger risk to corporations and government agencies. What was that about?
In Learning Tree’s Cloud Security Essentials course we discuss how your organization may decide that the public cloud is simply not acceptable. But at the same time, rogue employees often purchase cloud services on their own without informing the IT department. A recent survey by Netskope suggests that IT staff in a typical company are only aware of about 10% of the total use of cloud applications.
“Shadow IT” has come to be the term for information technologies purchased and used without the involvement of the IT department.
A mid-level manager becomes frustrated by slow responses, outright refusals, or services that simply are not offered, and says “These cloud services are a useful alternative, I’ll just pay for those.”
Your data and your crucial operations leak out into public cloud providers with very little awareness of the details. The people charged with formal responsibility for data protection only know about and control what remains in-house; they don’t realize that the real data is now elsewhere.
Let’s say that the overly enthusiastic employees were developing software, so they went with either PaaS or IaaS. Maybe their application had a security hole and the PaaS system is compromised. Or maybe they were using IaaS, which is like a very cheap server in a co-location facility, and some misconfiguration or vulnerability in the operating system or network service let an intruder into their machine.
The data should have been protected by encryption using keys that are not stored on the same machine, so the data confidentiality should be OK. And reasonable ownership and permission settings should protect the integrity and availability of the data.
But what about access to the system where the data resides?
An unprivileged intruder can use a cloud platform to launch further attacks or other annoyances like spam. A good cloud provider will notice this, and they will send a message to the account that owns the running instance.
In the case of shadow IT, that message does not go to the corporation or agency; it goes to the e-mail account used by the manager who purchased the cloud service. Are they carefully monitoring that account? Will they know what to make of the provider’s report?
If the instance owner does not fix the problem quickly, the provider will drop a virtualized firewall in front of the compromised system. There goes your data access and functionality.
What can you do about this?
Work to avoid this problem. Educate your staff about the hazards and unacceptability of shadow IT. At the same time, realize that it’s still going to happen if your IT department frustrates your user community. Your IT staff needs to be responsive and open-minded. If they don’t provide a service, some employees will go out and get a dangerous alternative on their own.