Rise of the Rogue Cloud: The Fundamental Security Mistake Enterprises Make and How to Correct It
Development teams, especially at the world's largest organizations, move at a lightning pace. Not just to keep their businesses competitive, but also to keep their jobs.
Knowing that, it's easy to predict what happens when it takes a network user's IT team two weeks to stand up a testing environment, or when—surprise!—nobody knows how long it could take. This could be because the organization never developed a clear process for providing on-demand computing resources, or because the company is dealing with a patchwork DNS, DHCP, and IPAM solution set that makes streamlining a process like that—let alone automating it—nearly impossible.
Learn Cloud Security
Enter: Shadow IT.
Network users who need compute are notorious for circumventing IT to get it autonomously (they charge it to their personal credit cards, then expense later). You can't blame them, because they're paid to get stuff done. Minding security isn't in their job description.
This is a problem, especially when the Finance department's expense controller finds out before the IT team that the organization has a rogue cloud service.
What's wrong with independent clouds?
On a well-organized network that leverages a foundation like Enterprise DNS (short for "enterprise-grade, streamlined suite of DNS, DHCP, and IPAM solutions"), devices are covered by a unified, secure system. On a rogue cloud, nobody knows what's going on. Sure, AWS and Azure come with more firewalls than someone can count but utilizing them correctly slows down testing processes. Naturally, these firewalls get indiscriminately disabled by the same users that circumvented IT in the first place.
Adding to the problem is the fact that most in-a-rush users who set up these clouds do so in a hurry, and often don't bother to follow basic security best practices, like strong password selection. Shadow IT is a security nightmare.
As soon as something bad makes it onto a rogue cloud, it gets direct access–usually via VPN connection from the user's computer–to their organization's network. This isn't just a breach risk; it's expensive. After all, some nefarious actors are solely interested in accessing an organization's cloud to free-ride on its computing resources.
Furthermore, when rogue clouds go up, organizations stay unaware of the demand for them. This creates problems in budgeting for the proper process to be set up, to meet the actual demand going forward. This is a vicious circle.
How to protect your organization?
Network users aren't deviant; they're simply trying to do their jobs given contradictory constraints set by their leaders: get things done fast but wait patiently to be granted the resources you need. Rogue cloud stems from a mix of clashing team priorities and modernization-inhibiting network architectures. Remember: some of the world's largest organizations have this problem.
The first step to protecting your organization against lone wolf network users is to remove the problems that inspire them to act independently of IT. In other words, get to the bottom of your slow SLA/IT issue.
Figure out exactly why it takes weeks to stand up a virtual environment for someone who needs it today. Ask network users (or their managers) to walk you through the process for standing up computing resources, and you'll probably get a lot of this:
"I don't know, last time I asked Ben, and he pointed me to Milton, and by the time I had it three weeks passed. I pulled information from three different teams–DNS, IP, Security–and at every step there were more hoops for me to jump through."
Often this happens because network architectures are patchwork collections of disparate services, and no one team has visibility–let alone access and control–into all the parts. When that happens, it's hard to streamline (and automate) manual processes like spinning up compute.
One of the first projects organizations must tackle to overcome these challenges is cleaning up their DNS infrastructure. Since DNS is what gives life to compute, both on an internal network and in the cloud, it is perhaps the most important service on a network. Unfortunately, most companies have antiquated DNS infrastructure that doesn't help them achieve their goals. Much of the time DNS is fragmented, riddled with errors, and hosted on questionable hardware or virtual platforms. This is risky, since if DNS goes down, you may as well send your entire workforce home for the day.
The long-term solution to solving the rogue cloud problem is to set up Cloud the way network users, and IT would really want it to be. With a consistent and universal DNS foundation, you can start automating provisioning tasks for IT to grant compute at lightning speed (regardless of location) and tapping into DNS traffic to give your security team instant visibility into all the devices that are on their traditional and cloud networks. With that visibility, your security team can be in a position to spot threats that may be emerging and apply appropriate policies to mitigate those threats, wherever activity happens.
How hard is this to do?
Extremely. It's why many world-class organizations are still exposed. The fundamental problems of disparate networks, an inability to see what happens on a network, and subsequent rogue activity can be traced back to when a network was first set up–without a vision of today's business requirements in mind.
Fortunately, innovative new approaches to managing core network services do exist to free IT organizations from the threat of Shadow IT, and the rise of the Rogue Cloud. Organizations need to start by cleaning up their network, then build Cloud atop a solid, reliable Enterprise DNS foundation, and create clear company-wide processes to handle the provisioning of compute at the speed users now require.
Learn Cloud Security
It isn't an easy process, but an ounce of proactive effort is worth a pound of cure.
Learn Cloud Security
Build your cloud security skills and get hands-on experience in Infosec Skills. What you'll learn:- Cloud architecture
- Cloud management
- Cloud pentesting
- CSP security features
- And more
In this Series
- Rise of the Rogue Cloud: The Fundamental Security Mistake Enterprises Make and How to Correct It
- The rise of cloud computing: Trends and predictions
- Understanding the basics of cloud infrastructure: What you need to know
- How cloud security, data privacy, and cybersecurity convergence drives successful careers
- Secure cloud computing: What you need to know
- Working across multiple cloud service providers: CSP security learning path
- Securing cloud-based applications training: What you need to know
- Security risks of cloud migration
- DevSecOps in the Azure Cloud
- Amazon Athena Security: 6 essential tips
- Securing cloud endpoints: What you should know
- AWS security and compliance overview
- CloudGoat walkthrough series: IAM privilege escalation by attachment
- CloudGoat walkthrough series: EC2 server-side request forgery (SSRF)
- CloudGoat walkthrough series: Remote code execution
- CloudGoat walkthrough series: Lambda Privilege Escalation
- Information security strategy for the hybrid and multi-cloud
- CloudGoat walkthrough series: Cloud Breach S3
- CloudGoat walkthrough series: IAM privilege escalation by rollback
- Working with CloudGoat: The “vulnerable by design” AWS environment
- Malicious Amazon Machine Images (AMIs)
- Key findings from Ponemon’s State of Vulnerability Management in the Cloud and On-Premises report
- Cloud Pentesting Certification Boot Camp: The ultimate guide
- Cloud Based IDS and IPS Solutions [Updated 2019]
- AWS Security Monitoring Checklist [Updated 2019]
- Amazon Inspector: A cloud-based vulnerability assessment tool
- System administrator vs. cloud administrator
- 5 key cloud security use cases
- Deep Packet Inspection in the Cloud
- Honeypots in the Cloud
- Biometrics in the Cloud
- Open-Source Intelligence Collection in Cloud Platforms
- How to Safeguard Against the Privacy Implications of Cloud Computing
- AWS Cloud Security for Beginners — Part 2
- AWS Cloud Security for Beginners — Part 1
- AWS Security Monitoring Checklist — Part 2
- Controlling the Risks of Cloud-Enabled End-Point Security Products
- The Ultimate Guide to CCSP Certification
- Five Reasons Why Security Professionals Need the Cloud
- Amazon S3 Buckets-Hardening
- Cloud Service Reconnaissance
- Cloud Computing Security: Be Secure Before Moving to Cloud
- Cloud Technology Bringing New Possibilities in Threat Management
- Attacking the Cloud
- Man in the Cloud Attacks: Prevention and Containment
- Cloud originated DDoS attacks
- Where Is Your Data Safer? In the Cloud Or On Premise?
- DDOS Protection for Public Cloud Customers
- Security Barriers in the Adaptation of Cloud Technology
- SIEM as a Service
- Cloud Security Incident Compensation
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Cloud security
Cloud security