- BY Scott Penney

Rise of the Rogue Cloud: The Fundamental Security Mistake Enterprises Make and How to Correct It

Development teams, especially at the world’s largest organizations, move at a lightning pace. Not just to keep their businesses competitive, but also to keep their jobs.

Knowing that, it’s easy to predict what happens when it takes a network user’s IT team two weeks to stand up a testing environment, or when—surprise!—nobody knows how long it could take. This could be because the organization never developed a clear process for providing on-demand computing resources, or because the company is dealing with a patchwork DNS, DHCP, and IPAM solution set that makes streamlining a process like that—let alone automating it—nearly impossible.
 

Enter: Shadow IT.

Network users who need compute are notorious for circumventing IT to get it autonomously (they charge it to their personal credit cards, then expense later). You can’t blame them, because they’re paid to get stuff done. Minding security isn’t in their job description.

This is a problem, especially when the Finance department’s expense controller finds out before the IT team that the organization has a rogue cloud service.

What’s wrong with independent clouds?

On a well-organized network that leverages a foundation like Enterprise DNS (short for “enterprise-grade, streamlined suite of DNS, DHCP, and IPAM solutions”), devices are covered by a unified, secure system. On a rogue cloud, nobody knows what’s going on. Sure, AWS and Azure come with more firewalls than someone can count but utilizing them correctly slows down testing processes. Naturally, these firewalls get indiscriminately disabled by the same users that circumvented IT in the first place.

Adding to the problem is the fact that most in-a-rush users who set up these clouds do so in a hurry, and often don’t bother to follow basic security best practices, like strong password selection. Shadow IT is a security nightmare.

As soon as something bad makes it onto a rogue cloud, it gets direct access–usually via VPN connection from the user’s computer–to their organization’s network. This isn’t just a breach risk; it’s expensive. After all, some nefarious actors are solely interested in accessing an organization’s cloud to free-ride on its computing resources.

Furthermore, when rogue clouds go up, organizations stay unaware of the demand for them. This creates problems in budgeting for the proper process to be set up, to meet the actual demand going forward. This is a vicious circle.

Raaaaahghuuhuhgh? (That’s Wookie for “Want

to learn more about JEDI cloud migration?”)

How to protect your organization?

Network users aren’t deviant; they’re simply trying to do their jobs given contradictory constraints set by their leaders: get things done fast but wait patiently to be granted the resources you need. Rogue cloud stems from a mix of clashing team priorities and modernization-inhibiting network architectures. Remember: some of the world’s largest organizations have this problem.

The first step to protecting your organization against lone wolf network users is to remove the problems that inspire them to act independently of IT. In other words, get to the bottom of your slow SLA/IT issue.

Figure out exactly why it takes weeks to stand up a virtual environment for someone who needs it today. Ask network users (or their managers) to walk you through the process for standing up computing resources, and you’ll probably get a lot of this:

“I don’t know, last time I asked Ben, and he pointed me to Milton, and by the time I had it three weeks passed. I pulled information from three different teams–DNS, IP, Security–and at every step there were more hoops for me to jump through.”

Often this happens because network architectures are patchwork collections of disparate services, and no one team has visibility–let alone access and control–into all the parts. When that happens, it’s hard to streamline (and automate) manual processes like spinning up compute.

One of the first projects organizations must tackle to overcome these challenges is cleaning up their DNS infrastructure. Since DNS is what gives life to compute, both on an internal network and in the cloud, it is perhaps the most important service on a network. Unfortunately, most companies have antiquated DNS infrastructure that doesn’t help them achieve their goals. Much of the time DNS is fragmented, riddled with errors, and hosted on questionable hardware or virtual platforms. This is risky, since if DNS goes down, you may as well send your entire workforce home for the day.

The long-term solution to solving the rogue cloud problem is to set up Cloud the way network users, and IT would really want it to be. With a consistent and universal DNS foundation, you can start automating provisioning tasks for IT to grant compute at lightning speed (regardless of location) and tapping into DNS traffic to give your security team instant visibility into all the devices that are on their traditional and cloud networks. With that visibility, your security team can be in a position to spot threats that may be emerging and apply appropriate policies to mitigate those threats, wherever activity happens.

How hard is this to do?

Extremely. It’s why many world-class organizations are still exposed. The fundamental problems of disparate networks, an inability to see what happens on a network, and subsequent rogue activity can be traced back to when a network was first set up–without a vision of today’s business requirements in mind.

Fortunately, innovative new approaches to managing core network services do exist to free IT organizations from the threat of Shadow IT, and the rise of the Rogue Cloud. Organizations need to start by cleaning up their network, then build Cloud atop a solid, reliable Enterprise DNS foundation, and create clear company-wide processes to handle the provisioning of compute at the speed users now require.

It isn’t an easy process, but an ounce of proactive effort is worth a pound of cure.

 

Originally posted at resources.infosecinstitute.com.

Scott Penney

Scott Penney has been immersed in security technologies and strategies for the last 20 years. His focus has always been on balancing the needs of a dynamic business with the realities of risk mitigation in our connected world. Over his career, Scott has worked with some of the largest companies in the world, such as AT&T, to help define security architectures that make sense – delivering real improvements in overall security posture without over-committing resources. Scott’s current focus is driving new and innovative security solutions for BlueCat, using the power and ubiquity of DNS to identify, assess, and take action on emerging security threats before they have time to manifest.

View more articles by Scott Penney