All too often in information technology, rules are broken. That rule-breaking often gives rise to 'shadow IT,' the use of infrastructure, services and applications outside the boundaries of an organization's corporate IT policies. Shadow IT that targets cloud-based technology creates what is known as a 'shadow cloud.'
When it comes to security, if ever there was an excuse to 'ask for forgiveness rather than permission,' the pandemic without question tops the list. In a business where security isn't already fully embedded, it seemed inevitable that decisions would be made without the security team's input or knowledge. Too much has happened, too quickly: businesses have had to roll out new cloud applications and services at an astonishing rate to enable remote working, support customers and facilitate the digitization of their existing services.
As security teams begin to re-evaluate their organization's rushed-through cloud solutions, they'll find a lot of them hiding in the shadows.
Typically, one person or team decides to employ a shadow cloud solution. But during COVID-19, it may have been the business itself that understandably took an 'act now, ask questions later' approach, with an unstated message that it would approve whatever was needed to function and review it all retroactively.
A common characteristic of a true shadow cloud is that it lacks the security and monitoring processes that a properly operated, legitimate IT function would employ. Such a solution will usually result in an increased risk of exposure of corporate data, personally identifiable information (PII), and intellectual property (IP).
Many organizations will likely have authorized the use of cloud-based solutions such as Dropbox, Google Drive, AWS, and Azure to allow for remote collaboration and continued productivity. But it's now imperative that the use of these services be governed and monitored by corporate IT and risk professionals who understand the entirety of the implications.
Seldom governed by a competent security team, let alone benefiting from periodic security reviews or even antivirus software, shadow cloud deployments can introduce serious risks.
Even before COVID-19, many clients raised concerns over data discovered in their cloud environments placed there by employees or contractors in violation of company policies. Unfortunately, sometimes, they were not the first to find that data, and a breach followed. Today, as security teams use the momentary calm to begin to investigate their organization's security deficit, stories of incidents are on the rise.
To a company or its regulators looking at those incidents, it makes little difference why data was exposed. Penalties are just as severe in nearly all cases when shadow IT or shadow cloud is at the root of a data breach.
When a database server is set up on an internal network, it's typically behind a firewall managed by IT staff. It can only communicate with systems on that internal network unless it's specifically configured to communicate with internet systems.
However, when a server is deployed with a cloud service provider, it can communicate with the entire internet unless a cloud-based firewall solution is deployed. Without this firewall, any service installed on that system can potentially communicate with any other computer connected to the internet, typically with only a single password to secure it, leaving any misconfiguration open to exploitation.
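As an added illustration of the exposure just described (this is example code, not from the original article), the following Python audits a set of cloud firewall rules, in the shape AWS EC2 describe_security_groups returns them, for database ports reachable from any internet address. The sample groups and the function names are constructed for this example.

```python
"""Flag cloud firewall rules that expose database ports to the whole internet.
Added example, not from the article; input mirrors AWS describe_security_groups
IpPermissions, but the sample data is constructed and the names hypothetical."""
import ipaddress

# Common database listener ports; extend for the engines your estate runs.
DB_PORTS = {1433: "mssql", 1521: "oracle", 3306: "mysql",
            5432: "postgres", 6379: "redis", 27017: "mongodb"}


def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any address on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_db_rules(security_groups):
    """One finding per (group, DB port) reachable from any internet address."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":                 # "all traffic": every port in scope
                lo, hi = 0, 65535
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue                      # udp/icmp: not DB listeners here
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if is_world(c)]
            for port, name in DB_PORTS.items():
                if world and lo <= port <= hi:
                    findings.append({"group": sg["GroupId"], "port": port,
                                     "service": name, "source": world[0]})
    return findings


# Constructed sample: one group exposes MySQL to everyone, one is scoped to the
# corporate range only, one opens every port over IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-shadow-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-internal-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

Running `find_exposed_db_rules(SAMPLE_GROUPS)` reports the MySQL rule on `sg-shadow-db` and every database port on `sg-wide-open`, while the group restricted to the corporate range produces no finding.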
Many complex shadow cloud applications (e.g. applications with a remotely accessible interface and a database) are deployed or created by the end user or a developer. One person, or even a small team, rarely has all the skill sets necessary to manage risk completely:
Employees not trained in IT security may not realize the severity of these risks. That's one reason why new IT assets need to go through the proper change management and risk review process defined by the organization.
Security teams have a unique opportunity to change their image. Rather than being seen as blockers to progress and productivity, it's time to be enablers. COVID-19 showed us how quickly businesses could respond when needed, so how can we streamline security-by-design processes to match that pace? How do we balance the enforcement of critical ground rules for shadow cloud infrastructure with business requirements and deadlines? Here are six tips for helping you manage shadow cloud today.
While shadow cloud use should be discouraged, its use during the pandemic is strong testimony to what cloud solutions can offer and the benefits they bring. When organizations can support cloud technology oversight and governance, stakeholders lose any legitimate high ground for deploying shadow cloud solutions.
Organizations that are ready for the future, whether they adopt cloud technology as a primary platform or ban it altogether, should do so while treating stakeholders as partners, bringing IT solutions out of the shadows.