If your business has one incompetent administrator, your entire cloud infrastructure can be compromised. So what kind of protection should you put in place?
Usually I write after the children have left for school in the morning. But this morning I snuck out of the office with a cup of coffee in my hand and my Mac on my lap, because I heard a very disturbing shadow IT story from someone who attended the IP Expo show in London, and I wanted to get it down on disk before flying across the Atlantic.
The thing is, I am not a pessimist: I believe that a professional IT team, given confidence, sound reasoning and some time, can solve any problem, since after all it holds the initiative. But this is a cloud computing example that deserves careful discussion once the details are clear.
We are all too familiar with shadow IT: technically savvy staff inside the enterprise deploying technology without the IT department's consent, sometimes in ways that break enterprise policy outright. How often do you find YADBA (yet another Dropbox account), even though every employee has signed an agreement not to disclose company documents? Fortunately, the Dropbox problem is relatively easy to solve: provide an acceptable secure file-sharing alternative in your own data center, then use packet inspection, application signature detection, or NetFlow to find the unsanctioned traffic and block it with an access control list or remove it from the enterprise.
A bill of thousands leaves the IT department helpless.
The example I heard at IP Expo, however, goes well beyond application usage rules and reaches into the management of IaaS accounts themselves. Note that because it gives no early warning, it can happen in an enterprise of any size.
In a nutshell, an amateur web developer or content management system administrator thought he had found a good way for customers to track the progress of their orders. He got a purchase order approved and then opened an IaaS account with a major provider. He built a passable application, complete with a responsive mobile layout. Finally, IT helped him set up a VPN connection to his virtual private cloud (VPC) so the application could reach the data service APIs on the corporate network. Customers were happy and management found it very convenient. The only problem: he had charged the account to a credit card to collect airline miles, and note that it was his personal credit card.
You probably did not want to read that last phrase, because you know what it means.
The first sign of how serious the problem was did not come when the administrator left the company some time later. It came two months after that, when his old mailbox, webhelp@thecompanyisscrewd.com, started receiving messages of every kind. The really serious part was that the hyperlinks were dead and the global tracking site was offline. At first this caused no panic at the company; they assumed the website had crashed and went looking for an administrator to fix it. But the problem kept recurring. Soon the network operations team realized that the problem was not in their own hosting but in a hybrid cloud, just an IP address out on the Internet, and nothing is more troubling than a production system nobody knows anything about. The entire account, including machine instances, storage, relational databases, and VPN endpoints, had been completely wiped.
It turned out that on leaving, the account owner had removed his personal card details from the account and sent a separate email to a junior IT administrator telling him to put the company card on it. The administrator thought he had done a flawless job, but the purchase order ran into problems. The cloud service provider kept the account running for only 60 days without a valid payment method, and then the time bomb went off. At this point the IT department begged the vendor to fix the problem, but the answer was: this account is personal, and regardless of which DNS names resolve to it or whose identity and copyright appear across its network interface, they would not transfer it.
A missed opportunity to shine a light on shadow IT
In hindsight, this should have been as easy to catch as Dropbox, probably easier. Besides the VPN traffic itself, which clearly showed which vendor was involved, IT had provisioned the VPC VPN and added the required new subdomains to DNS. They failed in the end not because they lacked the signals, but because they never knew where to look in the first place. They had no proper service audit process to establish which cloud services the enterprise was using, so they could not track development credentials, administrative rights, or the documentation their standards required.
Luckily, the company was back online a few days later, because the developer who had caused the situation also saved it: before he left he had backed everything up to an approved storage account that IT could use. The company was lucky enough to make substantial changes after the incident, too. Management implemented new audit procedures and began scanning traffic carefully to identify unknown services at existing sites, and, more importantly, they are now far more suspicious of shadow IT.
As for me, I know what I'm going to do right after I get back to Austin.