Shadow IT within NASA's cloud computing deployments led to an audit report last week that many cloud computing pros identified with, and some offered tips on how to minimize rogue cloud deployments.
Several of the National Aeronautics and Space Administration's (NASA) centers had moved systems to the public cloud without authorization or a security framework approved by the agency's office of the CIO, according to the July NASA audit report. One "moderate-impact system" was in a public cloud for two years without authorization or security precautions.
While not every company is subject to the same kind of public scrutiny as a government agency, this kind of shadow IT is common in cloud computing deployments.
"It happens every single day, to everybody," said Kent Langley, CEO of Ekho Inc., a Web-based data analytics company based in San Rafael, Calif. "I've found servers that were costing me $700 a month in one of my deployments -- someone had launched a bunch of large instances for test and never turned them off."
Some shadow IT deployments have been the result of corporate resistance to cloud computing, but today problems are more likely to stem from honest mistakes, according to Jared Reimer, co-founder of Cascadeo Corp., an IT consulting firm located in Mercer Island, Wash.
Still, these mistakes can have serious consequences. Forgetting to turn off informally launched systems is a frequent cause of security problems in the cloud, Reimer said, as these boxes tend not to be patched and can easily be exploited by hackers.
Other times, convenience simply trumps security precautions.
"What we see people doing is deploying instances and giving them public IPs because it's expedient and convenient, and what that ends up doing is creating assets outside the firewall that are able to reach back in behind the firewall," potentially compromising internal systems, as well, Reimer said.
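As an added illustration of the two patterns Reimer describes (informally launched instances left running and instances given public IPs), here is a small policy check over a constructed instance inventory; this is example code, not from the article or any company quoted in it, and the field names, tag keys and the 14-day threshold are assumptions.

```python
# Added example: policy check over a constructed cloud instance inventory,
# flagging the two shadow-IT failure modes described in the article.
from datetime import datetime, timedelta, timezone

# Constructed sample data. Field names loosely mirror what a compute API
# returns, but nothing here is real infrastructure.
NOW = datetime(2012, 7, 20, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "i-0001", "type": "m1.large", "launched": NOW - timedelta(days=95),
     "public_ip": None, "tags": {"owner": "data-team", "approved": "CR-1182"}},
    {"id": "i-0002", "type": "m1.xlarge", "launched": NOW - timedelta(days=40),
     "public_ip": None, "tags": {"owner": "test"}},           # test box never turned off
    {"id": "i-0003", "type": "m1.small", "launched": NOW - timedelta(days=2),
     "public_ip": "203.0.113.10", "tags": {}},                 # public IP, nobody owns it
    {"id": "i-0004", "type": "m1.large", "launched": NOW - timedelta(hours=6),
     "public_ip": None, "tags": {"owner": "qa"}},              # young, still within grace
]

MAX_UNAPPROVED_AGE = timedelta(days=14)   # assumed policy threshold for untracked instances

def findings(inventory, now=NOW):
    """Return {instance_id: [reasons]} for instances that violate policy.

    Rule 1: running longer than MAX_UNAPPROVED_AGE with no 'approved' tag,
            i.e. probably launched informally and forgotten (and so unpatched).
    Rule 2: has a public IP but no 'approved' tag, i.e. an asset outside the
            firewall that nobody formally reviewed.
    """
    out = {}
    for inst in inventory:
        reasons = []
        approved = "approved" in inst["tags"]
        age = now - inst["launched"]
        if not approved and age > MAX_UNAPPROVED_AGE:
            reasons.append(f"unapproved for {age.days} days")
        if inst["public_ip"] and not approved:
            reasons.append(f"public IP {inst['public_ip']} without approval")
        if reasons:
            out[inst["id"]] = reasons
    return out

if __name__ == "__main__":
    for iid, why in findings(INVENTORY).items():
        print(iid, "->", "; ".join(why))
```

In a real environment the inventory would come from the provider's API and the findings would feed a ticket or a scheduled shutdown, but the rules themselves are what the article's sources are asking for.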
Ways to mitigate shadow IT
The good news is that as cloud computing deployments -- and their potential hazards -- become more common, so do the ways to reduce the risk of shadow IT.
NASA's auditors have suggested stronger oversight from the agency's office of the CIO, and IT pros who work at companies that report few problems with shadow IT say it's usually because of strong executive leadership and awareness of cloud computing deployments.
Some companies have simply been able to modify approval systems for cloud computing deployments.
"At [Reed Elsevier], they have a counsel in their business unit that goes through those things; they have a checklist or a document you fill out to see how good a fit it is, and of course security is one of the big pieces of that," said Matt Lipinski, architect for Reed Elsevier Technology Services, based in Miamisburg, Ohio.
In another case, at a Fortune 100 company, an executive discovered cloud deployments charged to corporate credit cards and then shut down systems that were risky or unauthorized.
"Always follow the money," said the company's director of engineering, speaking on condition of anonymity due to the sensitive nature of the subject.
There are also technical solutions to the shadow IT problem.
"We look at our proxy logs to see what sites are being used consistently, and the security team uses that to try and prevent these types of surprises," said Sean Perry, CIO for Robert Half International Inc., based in San Ramon, Calif.
Lexington, Mass.-based AMAG Pharmaceuticals Inc. uses several tools to keep a handle on its cloud computing deployments: CloudLock, which monitors the company's approximately 1.8 million documents stored in Google Drive; Google's Postini, which creates email archives with audit trails; and SpectorSoft to monitor certain types of traffic over outbound Ethernet connections, according to Nathan McBride, vice president of IT and chief cloud architect for the firm.
Work with end users, not against them
"End users are far more sophisticated than they used to be," Perry said. "Users are getting smarter and software is getting easier [to work with]."
It's often easier to work with and educate users about security policies than to simply shut down shadow IT deployments, depending on the company and its security posture.
"We've been on record with all the business units that are big fans of [Software as a Service] applications and we would like nothing better than to take systems that are running in our data center and have someone else run them and give them a better solution," Perry said. "That has enabled people to approach us a bit more openly about what they're trying to do."