Finding your shadow cloud accounts
Have you noticed that almost all of the Internet guides to personal happiness start out by telling you to let go of the everyday worries, so that you can focus on the handful of things that truly matter? But have you also noticed that they seldom provide any detail on how to actually do this? Because the reality is that saying “stop worrying” to someone who is worrying is as useful as saying “don’t breathe the water” to someone who is drowning.
In the same way, pretty much all of the guides, standards and qualifications for defensive security start out by saying something trite like “use your asset list”, without actually telling you how to get a definitive one. The reality for most organisations is that if they do have an asset list, it will be out-of-date, incomplete, or conflicting. And that can be a bit of a problem, as:
“if you don’t know about it, how can you protect it?”
As part of this, in recent years, the shift to the cloud has dramatically improved the way that an organisation can respond to change and variable workloads. But the ease-of-use of the cloud can also be a bit of a double-edged sword. With only a few minutes’ effort, anyone can start a new cloud account, upload company data, then forget about it. Shadow IT is a huge problem for many organisations.
I’d like to introduce you to a simple, three-step approach to finding shadow cloud accounts that I've used successfully with a range of organisations:
Firstly, the easiest way is obviously to treat your colleagues like adults, and just ask them. Sending out a well-crafted email, explaining what you’re looking to achieve, and asking for people to help you, generally works really well. But this isn’t going to help you if people have simply forgotten about the accounts that they created, or worse, have left the organisation since.
Secondly, speak to your IT team, and ask them to provide you with a list of users that access the common cloud management portals using company devices. They should be able to get this for you from any proxy, AV or endpoint management tools that they have. But again, this isn’t going to help you if the portal has never been accessed from company devices.
Thirdly, speak to your accounts team, and ask them to supply you with a list of all staff that have a cloud vendor account on their budget, or on their expenses claims.
Between these three options, you should be able to quickly find pretty much all of your cloud accounts, shadow or otherwise.
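As an added illustration of steps two and three (not part of the original post), the sketch below merges portal hits from a proxy log with vendor mentions in an expenses export into one list of people to follow up with. The Squid-style log layout, the CSV columns, the vendor wording and all sample rows are assumptions constructed for the example.

```python
import csv, io, re
from collections import defaultdict
from urllib.parse import urlsplit
# Management-portal hostnames of three common providers; extend for your vendors.
PORTALS = {"console.aws.amazon.com": "AWS", "signin.aws.amazon.com": "AWS",
           "portal.azure.com": "Azure", "console.cloud.google.com": "GCP"}
# Vendor wording on expense lines (assumed; adjust to what your finance export shows).
VENDORS = {r"\b(aws|amazon web services)\b": "AWS", r"\bazure\b": "Azure",
           r"\bgoogle cloud\b": "GCP"}
# Constructed sample data. Log fields: time ms client status bytes method url user peer type
PROXY_LOG = """\
1700000000.1 210 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT console.aws.amazon.com:443 alice HIER_DIRECT/192.0.2.10 -
1700000001.2 180 10.0.0.6 TCP_TUNNEL/200 4096 CONNECT portal.azure.com:443 bob HIER_DIRECT/192.0.2.11 -
1700000002.3 90 10.0.0.5 TCP_MISS/200 900 GET http://intranet.example.com/ alice HIER_DIRECT/192.0.2.12 text/html
1700000003.4 200 10.0.0.9 TCP_TUNNEL/200 2048 CONNECT console.cloud.google.com:443 - HIER_DIRECT/192.0.2.13 -
1700000004.5 150 10.0.0.7 TCP_TUNNEL/200 1024 CONNECT eu-west-1.console.aws.amazon.com:443 carol HIER_DIRECT/192.0.2.14 -
"""
EXPENSES_CSV = """\
claimant,description,amount
dave,Amazon Web Services invoice,42.10
alice,AWS monthly charge,12.00
erin,Train ticket,30.00
"""

def portal_for(target):
    """Map a proxy URL field (host:port or full URL) to a provider, or None."""
    host = urlsplit(target if "://" in target else "//" + target).hostname or ""
    return next((p for d, p in PORTALS.items()
                 if host == d or host.endswith("." + d)), None)

def find_leads(proxy_log, expenses_csv):
    """Return {(who, provider): [sources]} from proxy hits and expense lines."""
    leads = defaultdict(set)
    for line in proxy_log.splitlines():
        f = line.split()
        # Malformed or truncated lines yield no provider and are skipped.
        provider = portal_for(f[6]) if len(f) >= 8 else None
        if provider:
            who = f[7] if f[7] != "-" else f[2]  # unauthenticated: keep client IP
            leads[(who, provider)].add("proxy")
    for row in csv.DictReader(io.StringIO(expenses_csv)):
        for pattern, provider in VENDORS.items():
            if re.search(pattern, row["description"], re.IGNORECASE):
                leads[(row["claimant"], provider)].add("expenses")
    return {key: sorted(src) for key, src in leads.items()}

if __name__ == "__main__":
    for (who, provider), sources in sorted(find_leads(PROXY_LOG, EXPENSES_CSV).items()):
        print(f"{who:10} {provider:6} {','.join(sources)}")
```

In the sample, dave appears only through expenses, which is the case step two misses: a vendor account that was never opened from a company device.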
And what to do next, now that you have them all? Well, you could do a lot worse than put them into scarlet, so that within a few minutes, you can also get visibility of all your cloud assets. [grin]