When I speak with organizations about their adoption of cloud services, I find it interesting that less than half have policies regarding Software as a Service (SaaS), and even fewer have established security best practices or enablement tools. I find it even more interesting that when I ask the same questions about Infrastructure as a Service (IaaS), I almost always draw blank stares. The efficiency gains from SaaS and IaaS are driving accelerated adoption, yet necessary risk management practices may not always be applied to the new realm of IT.
Cloud providers have made the adoption of server and storage services quite appealing by giving technologists back their most valued asset: time. For the individual signing up for IaaS, it can mean that they get back hours (or even weeks) of their lives associated with procurement and deployment of server or storage infrastructure. Even the most nascent technologist can spin up a new server instance with a credit card in under 20 minutes. Unfortunately, some of the recouped time circumvents the change control and audit mechanisms that have been established for conventional infrastructure projects. Much in the same way that Web 2.0 punched holes in the firewall, web-based provisioning platforms send servers scaling the physical walls of the corporate data center.
The challenge for IT security is to enable the adoption of IaaS while maintaining the integrity of the business. But in many organizations, early adopters have beaten security to the cloud. The good news: the data to discover rogue IaaS usage exists within IT event logs. By reviewing the logs of perimeter network security devices (firewall and web security products), it is possible to find the telltale signs of rogue IaaS adoption. Automating reporting through technologies like McAfee SIEM can even provide a proactive audit record to facilitate regular review of cloud adoption across the organization.
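
As an added illustration of the log review described above (not code from the original post or from any McAfee product), the following Python sketch summarises web proxy records that reach IaaS provisioning consoles and APIs. The record layout, the host watchlist, the user names and the `sanctioned_users` parameter are all assumptions made for the example.

```python
from collections import defaultdict

# Assumed, non-exhaustive watchlist of provisioning console/API hosts.
IAAS_HOSTS = {
    "console.aws.amazon.com": "AWS",
    "portal.azure.com": "Azure",
    "management.azure.com": "Azure",
    "console.cloud.google.com": "GCP",
    "compute.googleapis.com": "GCP",
}

def provider_for(host):
    """Return the provider for an exact or subdomain match, else None."""
    host = host.lower().rstrip(".")
    for suffix, provider in IAAS_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None

def find_rogue_iaas(lines, sanctioned_users=frozenset(), min_hits=2):
    """Summarise unsanctioned IaaS access per (user, provider) pair."""
    seen = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "sources": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records rather than guess
        ts, src, user, _method, target, _size = parts
        provider = provider_for(target.rsplit(":", 1)[0])
        if provider is None or user in sanctioned_users:
            continue
        rec = seen[(user, provider)]
        rec["hits"] += 1
        rec["first"] = min(rec["first"] or ts, ts)  # ISO 8601 UTC sorts as text
        rec["last"] = max(rec["last"] or ts, ts)
        rec["sources"].add(src)
    # Drop pairs below min_hits: a single request is likely casual browsing.
    return {k: v for k, v in seen.items() if v["hits"] >= min_hits}

# Constructed sample records (not real log data):
# timestamp src_ip user method host[:port] bytes
SAMPLE_LOG = [
    "2024-03-04T09:12:01Z 10.1.4.22 jdoe CONNECT console.aws.amazon.com:443 5120",
    "2024-03-04T09:12:40Z 10.1.4.22 jdoe CONNECT us-east-1.console.aws.amazon.com:443 88210",
    "2024-03-05T14:03:11Z 10.1.7.90 jdoe CONNECT console.aws.amazon.com:443 4096",
    "2024-03-04T10:00:00Z 10.1.9.5 asmith CONNECT portal.azure.com:443 2048",
    "2024-03-04T10:05:00Z 10.1.2.8 cloudops CONNECT management.azure.com:443 9000",
    "2024-03-04T10:06:00Z 10.1.2.8 cloudops CONNECT management.azure.com:443 9100",
    "2024-03-04T11:00:00Z 10.1.3.3 mlee GET www.example.com 700",
    "truncated record",
]
```

Calling `find_rogue_iaas(SAMPLE_LOG, sanctioned_users={"cloudops"})` leaves only the repeated, unsanctioned console access, with first and last seen timestamps and source addresses to bring to the follow-up conversation with the user.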
Once you have identified rogue IaaS users, the appropriate action will vary based on the organization’s risk profile. For most organizations, I usually advise maintaining a positive position about the user’s newly discovered cloud adoption. Contact the user, start with a traditional business risk analysis, and keep the user involved in the process for determining a corrective action. For those organizations that have established policies and tools to manage secure cloud adoption, the corrective measures could be as simple as adding the infrastructure to existing security management tools like McAfee ePO, which allows the efficient monitoring and protection of IaaS environments with technologies like McAfee MOVE and McAfee Application Control.
Once you have measured and mitigated the risk, you have an opportunity to exercise continuous improvement in your IT processes. Your “former rogue” IaaS user has lessons for the rest of your organization. They can help your IT, procurement, and security teams to understand why they went direct to the IaaS provider, and they can provide insight into IaaS adoption that other teams can leverage as they consider the advantages of the cloud. Treat them as a field-proven expert in your endeavors to create cloud confidence.