There used to be a lot of talk about ‘Shadow IT’, where non-IT staff would create a project for a need, obtain budget for it and make it live using a ‘Software as a Service’ vendor, often completely without the IT departments knowledge.
With the rapid deployment of cloud services by almost everyone, things are getting somewhat tricky now for compliance, data privacy, auditing and of course cyber & information security. Many companies have now created Shadow IT on steroids, whether they realise it or not.
Do you possess the technology or skills to detect what external on-line services your people are using? Has anyone ever mapped your cloud resources, or actually discovered where all your data is and its classification? Are the services you use monitored, audited and reported on? Do they have policies in place to not only protect the data but to meet regulatory standards? Do you have anyone identifying exposure or closing loopholes? You may well have dozens and dozens of cloud services in operation, all doing critical things for your company. But who ever goes through each of these and tests that they are secured properly? That is assuming someone knows what you are using and where it is in the first place!
It seems all too clear to me when speaking to customers and people in industry that very few have a grasp on this or see it as their responsibility. I see a lot of ‘dump it in the cloud and forget about it’. Cloud-native or cloud-first environments are by their nature exposed to the internet and as such sit outside of the on-premise estate. Closer attention needs to be made to what is deployed in the cloud, as a few misconfigurations can prove fatal.
The security logging and auditing that was traditionally done on-premise is not being followed through in the cloud. It’s not someone else’s problem, it’s yours.