Security leaders remember the Shadow IT crisis where security teams weren’t involved in the deployment or analysis of SaaS applications, which resulted in issues growing beyond control
The Shadow IT crisis from the last decade was a difficult time for all security leaders across the IT industry. It marked the start of deployment of business SaaS, which enabled lines-of-business teams (LOB) to purchase turnkey solutions without the involvement of security teams for the first time. It became a crisis as security teams weren’t aware of the apps until a security incident occurred, and by then, the apps, accounts, and data had spread across the cloud.
CISOs say that the apps built in that period were developed externally with zero commonality. Each app had its own user store and its own data store. The LOBs selected them because they made the work much easier, but together they created an unintended range of security risks. Most enterprises ended up with what has been termed a “Frankenstein monster’s worth” of applications, deployed without any standard method of control.
Security leaders say that security innovation was boosted to mitigate the new threats, and common access control tools were implemented after the fact as a preventive measure. They included Cloud Access Security Brokers (CASB), multi-factor authentication (MFA), and single sign-on (SSO) built on updated standards like OAuth and SAML. The result was a higher workload for IT, increased risk for organizations, and a reactive scramble instead of the preferable thoughtful, efficient, and proactive process.
The increased deployment of PaaS
CISOs say the Shadow IT phase was overcome through tighter interaction between LOB and security teams, along with standardization. However, Shadow IT 2.0 is now expected, with the focus shifting from SaaS to Platform as a Service (PaaS). With emerging public cloud infrastructure, development teams can finally deploy, configure, and manage their application infrastructure independently, without seeking permission from IT.
Security leaders acknowledge that Shadow IT 2.0 will be more daunting than the previous version. Full freedom for development teams can amplify the original Shadow IT scenario. If played right, however, the shift can be an opportunity for security and data privacy, and now is the time to make sure it is.
CIOs point out that conflicting interests and misalignment may sound like the end of the game. They believe that enterprises should not panic, as they already have the development expertise and the IT security expertise needed to handle the challenges. That expertise may not reside with the same people on the same team, and while these players may have different objectives and different strategies, the objectives and strategies can easily co-exist. For the first time, they can be embedded into products rather than added on later.
Security leaders reiterate that each team in an enterprise needs rudimentary knowledge of what the other teams are doing. IT security teams must know what needs to be done to protect sensitive information, and developer teams should know how it can be done with policy-as-code.
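To make the policy-as-code idea concrete, here is an added example (not code from the article or any vendor it mentions) of how a security team's requirements for a PaaS deployment can be written as checks that a development team runs in CI before anything is provisioned. The manifest format, resource kinds, field names and policy ids are all assumptions chosen for illustration; real platforms would map their own configuration schema onto the same structure.

```python
"""Minimal policy-as-code gate for PaaS deployment manifests (added example).

Security encodes what must be true (no public storage, encryption at rest,
SSO with MFA, no world-open databases, a named owner); developers run the
gate against their manifest before deploying. Every identifier below is a
hypothetical, vendor-neutral assumption.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Resource = Dict[str, object]


@dataclass(frozen=True)
class Policy:
    id: str
    severity: str        # "high" blocks the deployment, "medium" only warns
    applies_to: str      # resource "kind" inspected, or "*" for every resource
    check: Callable[[Resource], Optional[str]]  # reason on violation, None if compliant


def no_public_storage(r: Resource) -> Optional[str]:
    return "storage must not be publicly readable" if r.get("public_access") else None


def storage_encrypted(r: Resource) -> Optional[str]:
    return None if r.get("encryption_at_rest") else "storage must enable encryption at rest"


def app_uses_sso_with_mfa(r: Resource) -> Optional[str]:
    auth = r.get("auth") or {}
    if auth.get("provider") != "sso":
        return "application must authenticate users through corporate SSO"
    if not auth.get("mfa_required"):
        return "SSO-backed application must require MFA"
    return None


def db_not_world_open(r: Resource) -> Optional[str]:
    if "0.0.0.0/0" in (r.get("allowed_cidrs") or []):
        return "database must not accept connections from the whole internet"
    return None


def has_owner(r: Resource) -> Optional[str]:
    # Ownership metadata is what keeps a resource out of "shadow" status.
    return None if r.get("owner") else "resource must declare a responsible owner"


POLICIES: List[Policy] = [
    Policy("storage-no-public", "high", "storage", no_public_storage),
    Policy("storage-encrypted", "high", "storage", storage_encrypted),
    Policy("app-sso-mfa", "high", "application", app_uses_sso_with_mfa),
    Policy("db-not-world-open", "high", "database", db_not_world_open),
    Policy("owner-declared", "medium", "*", has_owner),
]


@dataclass(frozen=True)
class Violation:
    resource: str
    policy: str
    severity: str
    reason: str


def evaluate(manifest: Dict[str, object], policies: List[Policy] = POLICIES) -> List[Violation]:
    """Run every applicable policy over every resource and collect violations."""
    violations: List[Violation] = []
    for res in manifest.get("resources", []):  # type: ignore[union-attr]
        for pol in policies:
            if pol.applies_to not in ("*", res.get("kind")):
                continue
            reason = pol.check(res)
            if reason is not None:
                violations.append(Violation(str(res.get("name")), pol.id, pol.severity, reason))
    return violations


def gate(manifest: Dict[str, object]) -> bool:
    """True when the deployment may proceed: no high-severity violations."""
    return not any(v.severity == "high" for v in evaluate(manifest))


# Constructed sample manifest: one compliant bucket, one badly configured
# bucket, an app with local accounts, and a correctly restricted database.
SAMPLE_MANIFEST: Dict[str, object] = {
    "resources": [
        {"kind": "storage", "name": "logs", "public_access": False, "encryption_at_rest": True},
        {"kind": "storage", "name": "customer-exports", "owner": "team-data",
         "public_access": True, "encryption_at_rest": False},
        {"kind": "application", "name": "portal", "owner": "team-web",
         "auth": {"provider": "local"}},
        {"kind": "database", "name": "orders", "owner": "team-web",
         "allowed_cidrs": ["10.0.0.0/8"]},
    ]
}

if __name__ == "__main__":
    for v in evaluate(SAMPLE_MANIFEST):
        print(f"[{v.severity}] {v.resource}: {v.policy} - {v.reason}")
    print("deploy allowed:", gate(SAMPLE_MANIFEST))
```

Running the block against the sample manifest reports four violations (two on the export bucket, one on the portal, and a medium-severity missing owner on the log bucket) and blocks the deployment. The point of the structure is that the policy list is the security team's artifact and the manifest is the developers'; either side can change its part without the other losing visibility.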
When these measures are in place, Shadow IT 2.0 will not come to pass, and organizations will have a versatile, hyper-tailored, ultra-secure, and efficient platform that helps them meet their goals.