In the first installment of this multi-part series, we explored the fundamentals of cloud governance and best practices for establishing a robust governance framework on AWS. We identified shadow IT, the use of unapproved cloud services by employees, as a key challenge. In this article, we'll dive deeper into strategies for managing shadow IT risks while fostering the agility and innovation the cloud enables. We will also focus on leveraging AWS services to improve visibility, automate policies, and provide secure self-service options.
Understanding the Risks and Causes of Shadow IT
Before we jump into solutions, let's take a moment to understand the risks posed by shadow IT:
- Security vulnerabilities: Unsanctioned cloud services can expose sensitive data if proper controls are not in place. According to Gartner, through 2025, at least 99% of cloud security failures will be the customer's fault.
- Compliance violations: Unapproved services may not meet regulatory requirements like HIPAA, PCI, etc.
- Inefficient spending: Redundant services and lack of volume discounts can drive up cloud costs.
So, what fuels the growth of shadow IT? Some common reasons include:
- Slow provisioning processes from central IT: When developers face long wait times to get resources, they are more likely to go around IT and use unapproved services to move faster. Cumbersome approval processes incentivize shadow IT.
- Lack of awareness about approved services: Employees often aren't aware of all the approved tools available to them. Without clear communication from IT, they assume they need to find their own solutions.
- Desire to experiment with new technologies: Developers want to try the latest tools and services. When IT policies are too restrictive, employees may decide to experiment without approval.
The cloud has accelerated these issues by making it incredibly easy for anyone to spin up new services quickly, often without needing to go through IT. However, while the cloud enables shadow IT, it also provides powerful tools to help govern it.
Strategies for Managing Shadow IT on AWS
As an AWS Select Tier Services Partner, we see firsthand that AWS provides several services and tools that can help you discover shadow IT in your environment and mitigate its risks:
- Gain Visibility with AWS Monitoring Tools
You can't protect what you can't see. AWS provides powerful tools to monitor your environment for unapproved activities:
- AWS Config: Continuously assess, audit, and evaluate configurations of AWS resources. Use Config Rules to detect policy violations, like unapproved instance types or unencrypted S3 buckets.
- AWS CloudTrail: Log, monitor, and retain account activity across your AWS infrastructure. Detect unusual API calls that could indicate shadow IT, like IAM user creation outside approved processes.
- Amazon GuardDuty: Continuously monitor for malicious activity and unauthorized behavior. GuardDuty uses machine learning to identify potential security issues.
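One concrete detective check from the CloudTrail item above, written as an added example rather than code from this post or from AWS: it scans CloudTrail records for IAM user and key creation and flags any call whose actor is not the approved provisioning role. The role ARN, account id and sample records are constructed for illustration.

```python
# Added example (not WEI's or AWS's code). Assumes a rule that IAM users and
# keys are created only by one provisioning role; the role ARN, account id
# and CloudTrail records below are constructed for illustration.
APPROVED_ROLE_ARNS = {"arn:aws:iam::111122223333:role/ProvisioningAutomation"}
# IAM write calls that create a new identity or widen an existing one.
WATCHED_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"}

# Constructed CloudTrail records, trimmed to the fields this check reads.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "requestParameters": {"userName": "svc-ci"},
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ProvisioningAutomation/pipeline",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/ProvisioningAutomation"}}}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "requestParameters": {"userName": "alice"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "requestParameters": {"userName": "temp-admin"},
     "errorCode": "AccessDenied",  # refused by IAM, so no identity was created
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]

def principal_arn(identity):
    """Stable actor ARN: the issuing role for assumed-role sessions, else the caller ARN."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "")

def find_unsanctioned_iam_changes(records, approved=APPROVED_ROLE_ARNS):
    """One finding per successful watched IAM call whose actor is not an approved role."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in WATCHED_EVENTS or rec.get("errorCode"):
            continue  # not an identity change, or the call never succeeded
        actor = principal_arn(rec.get("userIdentity", {}))
        if actor in approved:
            continue
        findings.append({"time": rec["eventTime"], "event": rec["eventName"], "actor": actor,
                         "target": rec.get("requestParameters", {}).get("userName")})
    return findings

if __name__ == "__main__":
    for f in find_unsanctioned_iam_changes(SAMPLE_RECORDS):
        print(f"{f['time']} {f['event']} on {f['target']} by {f['actor']}")
```

In production the same logic runs over CloudTrail events delivered to S3 or EventBridge; the denied call is skipped here because nothing was created, but it is still worth a separate alert.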
- Automate Policies with AWS Control Tower and Service Catalog
Establish guardrails and provision approved services in a self-service manner:
- AWS Control Tower: Set up and govern a secure, multi-account environment based on best practices. Enforce policies with preventive and detective guardrails.
- AWS Service Catalog: Create catalogs of approved resources that adhere to security and compliance requirements. Developers can quickly deploy from the catalog within defined guardrails.
- Enable Secure Innovation with AWS Organizations
Provide builders with secure sandbox environments to experiment:
- Use AWS Organizations to programmatically provision new AWS accounts for teams to innovate. Apply baseline security policies using Service Control Policies (SCPs) to enforce guardrails across accounts.
- Integrate with AWS IAM Identity Center to centrally manage access to these sandbox accounts.
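A guardrail of the kind described above, as an added example that is not code from this post or from AWS: a sandbox-account SCP that confines regional API calls to an approved region list and protects the audit trail, together with a small simulator showing which calls each Deny statement blocks. The approved regions are an assumption, and the simulator handles only the policy constructs used here.

```python
# Added example (not WEI's or AWS's code): a sandbox-account SCP written as a
# Python dict, plus a small simulator of how its Deny statements apply. The
# simulator covers only the constructs used here (Action/NotAction globs and
# the aws:RequestedRegion condition), not full IAM policy evaluation.
import fnmatch

APPROVED_REGIONS = ["us-east-1", "us-west-2"]  # assumption: the sandbox allow list

SANDBOX_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny every regional API call outside the approved regions; global
            # services are exempted with NotAction so IAM, STS etc. keep working.
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "account:*",
                          "support:*", "cloudfront:*", "route53:*", "budgets:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
        {   # Sandbox users must not be able to switch off the detective controls.
            "Sid": "ProtectAuditTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder"],
            "Resource": "*",
        },
    ],
}

def _matches(patterns, action):
    """IAM action patterns are case-insensitive globs such as 'ec2:*'."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scp_denies(policy, action, region):
    """Sid of the first Deny statement blocking `action` in `region`, or None if permitted."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            applies = _matches(stmt["Action"], action)
        else:  # NotAction: the statement applies to every action it does not list
            applies = not _matches(stmt["NotAction"], action)
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if applies and (allowed is None or region not in allowed):
            return stmt["Sid"]
    return None
```

`json.dumps(SANDBOX_SCP)` yields the document to attach to the sandbox OU in AWS Organizations; remember that an SCP only limits what account principals may do and grants nothing by itself.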
- Leverage Landing Zones and Reusable Templates
Establish a secure foundation with a multi-account landing zone based on AWS best practices. Use tools such as:
- AWS Control Tower Account Factory for Terraform (AFT): Provision a fully compliant landing zone according to your requirements using infrastructure as code.
- AWS CloudFormation: Create reusable templates for common architectures that adhere to security standards. Make these available via Service Catalog for developers to use.
- Foster Open Communication and Training
Ultimately, managing shadow IT requires a cultural shift:
- Engage with business teams to understand their needs and why they may be tempted to use unapproved services. Work with them to find secure alternatives.
- Provide training on approved services, processes for requesting resources, and the risks of shadow IT. Make security engaging and relevant.
- Be transparent about the policies around shadow IT and the consequences of violations. Share examples of how shadow IT has led to security breaches.
By leveraging AWS's governance tools and following these strategies, you can effectively manage shadow IT risks while still enabling the agility and innovation that the cloud unlocks. The key is to automate guardrails, streamline provisioning, and work closely with builders to meet their needs in a secure manner.
In our next post, we'll explore how to build a Cloud Center of Excellence to drive cloud governance best practices across your organization. Stay tuned!
Next Steps: In today's cloud-driven world, ensuring meaningful security for an AWS environment is paramount for IT security leaders and the end users they protect. WEI Senior Cloud Architect & Strategist Keith Lafaso presents on this important topic as he unveils the essential best practices to safeguard your cloud infrastructure. Listen below: