Recently Nextgov published an editorial from our own Aaron Kilinski explaining how the adoption of cloud has empowered an old IT nemesis – shadow IT.
In the article Aaron explains that shadow IT is the use of IT systems, devices, software, apps and services outside the supervision of an organization’s approved IT systems. In the past shadow IT was typically a business unit creating their own locally developed applications (LDAs) because going through the proper IT channels was judged too onerous.
Aaron shared an example from his time in public service. He saw personnel surreptitiously use Microsoft Access to address an urgent data processing need, and the result inadvertently grew into a mission-critical system. This was only discovered when the Microsoft Access database reached its scaling limits, which then turned into an emergency project to transform it into a web-based application.
Cloud sprawl is the inefficient use of the cloud - over-provisioned, over-scheduled, underutilized, or orphaned cloud assets. It often happens when development teams spin up new cloud resources, forget about them, then move on to the next urgent task. Even when cloud servers are terminated, the servers’ storage volumes – in a sense virtual hard drives – are often left behind. This creates shadow IT in the form of orphaned cloud resources.
Teams also size cloud resources too large based upon the legacy technical specifications coming from on-prem datacenters, instead of starting small and using cloud elasticity for auto-scaling. This results in over-provisioned and underutilized resources. This cloud sprawl increases costs and often leads to overruns in government program budgets.
Cloud sprawl and the related lack of governance can also make agencies more vulnerable to data breaches. When development teams create cloud resources, they may not fully understand the impact of those resources’ configurations, as was the case in the 2019 Capital One data breach that enabled access to sensitive records stored in AWS S3 buckets. To mitigate the risk introduced by misconfigured cloud resources, agencies need to define cloud usage standards and implement ways to monitor compliance with those standards.
Effective implementation of AIOps is the answer to modern-day shadow IT and cloud sprawl. Here’s the Gartner definition: “AIOps combines big data and machine learning to automate IT operations processes, including event correlation, anomaly detection and causality determination.”
One cloud-centric AIOps solution STS helps clients implement is Robotic Cloud Automation (RCA) - a suite of AIOps capabilities that establishes governance guardrails and enforces usage standards across multiple cloud environments. For critical standards compliance issues, it can also remediate the non-compliance findings by bringing cloud resources back into a desired state configuration. This delivers significant cost savings and security improvements through automated monitoring, reporting and remediation of compliance issues.
STS takes clients through three steps of RCA implementation.
First Step – Establish Your Standards
When agencies are considering which standards to establish, they should embrace established industry standards. RCA is aligned with some of the most widely respected standards in the industry, including the Center for Internet Security (CIS) Benchmarks (for AWS, Azure and GCP), NIST SP 800-53 and the AWS Foundational Security Best Practices.
These provide baseline standards to start from, including hundreds of configuration guidelines to safeguard cloud environments against today’s evolving cyber threats.
Second Step – Monitor and Communicate
For many agencies the genie is already out of the bottle. Cloud adoption preceded a management structure, and teams have already created the cloud sprawl and violated security best practices. In such cases, RCA deployment follows a predictable iterative implementation pattern by first enabling monitoring and reporting to understand the depth and breadth of the compliance challenges.
Then agencies need to drive an effective communication and change-management strategy that engages cloud users in adopting the new cloud standards and iteratively improves compliance.
Third Step – Turn on RCA
Once fully compliant with a standard, RCA can enable automated remediation, which locks in future compliance by maintaining the desired state configuration of cloud resources in perpetuity. For example, for every new server spun up in the cloud, RCA evaluates compliance with three core configurations – proper tagging, encryption, and standardized security group usage. If the server fails any of these tests it is automatically terminated.
Cloud sprawl is nipped in the bud. It’s truly governance as code.
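The following is an added illustration of what the governance-as-code checks described above look like when written down: the three core configuration tests for a newly launched server (tagging, encryption, standardized security groups) from the third step, plus detection of the orphaned storage volumes described in the cloud sprawl discussion. It is example code, not RCA or STS code. The input dictionaries loosely follow the shape of the AWS EC2 `describe_instances` and `describe_volumes` responses, and the required-tag set, the approved security-group names and every sample resource are constructed for the example.

```python
"""Governance-as-code checks for newly created cloud servers and for orphaned
storage volumes. Added example, not RCA or STS code. Input dictionaries loosely
follow the shape of AWS EC2 describe_instances / describe_volumes responses;
the required-tag set, the approved security-group names and every sample
resource below are constructed for this illustration."""

from dataclasses import dataclass

# Assumed tagging standard: every server must carry these tags with non-empty values.
REQUIRED_TAGS = {"Owner", "CostCenter", "Environment"}
# Assumed "standardized security group" list: only these groups may be attached.
APPROVED_SECURITY_GROUPS = {"sg-baseline-web", "sg-baseline-mgmt"}


@dataclass(frozen=True)
class Finding:
    resource_id: str
    check: str      # "tagging", "encryption" or "security_groups"
    detail: str


def check_tags(instance):
    """Flag required tags that are missing or have an empty value."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    missing = sorted(k for k in REQUIRED_TAGS if not tags.get(k))
    if not missing:
        return []
    return [Finding(instance["InstanceId"], "tagging", f"missing tags: {missing}")]


def check_encryption(instance, volumes_by_id):
    """Every attached volume must exist in inventory and be encrypted at rest."""
    findings = []
    for mapping in instance.get("BlockDeviceMappings", []):
        vol_id = mapping["Ebs"]["VolumeId"]
        vol = volumes_by_id.get(vol_id)
        if vol is None or not vol.get("Encrypted", False):
            findings.append(Finding(instance["InstanceId"], "encryption",
                                    f"volume {vol_id} is not encrypted"))
    return findings


def check_security_groups(instance):
    """Only groups from the approved baseline may be attached."""
    attached = {sg["GroupName"] for sg in instance.get("SecurityGroups", [])}
    if not attached:
        return [Finding(instance["InstanceId"], "security_groups",
                        "no security group attached")]
    unapproved = sorted(attached - APPROVED_SECURITY_GROUPS)
    if unapproved:
        return [Finding(instance["InstanceId"], "security_groups",
                        f"non-standard groups: {unapproved}")]
    return []


def evaluate_instance(instance, volumes_by_id):
    """Run the three core checks; an empty list means the server is compliant."""
    return (check_tags(instance)
            + check_encryption(instance, volumes_by_id)
            + check_security_groups(instance))


def decide(findings):
    """Remediation decision as the post describes it: any failed check means
    the new server is not allowed to stay up."""
    return "terminate" if findings else "allow"


def find_orphaned_volumes(volumes):
    """Volumes left behind after their server was terminated: unattached and idle."""
    return sorted(v["VolumeId"] for v in volumes
                  if v.get("State") == "available" and not v.get("Attachments"))


# Constructed sample inventory: one compliant server, one that violates all three
# checks, and one orphaned volume.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-aaa", "Encrypted": True, "State": "in-use",
     "Attachments": [{"InstanceId": "i-compliant"}]},
    {"VolumeId": "vol-bbb", "Encrypted": False, "State": "in-use",
     "Attachments": [{"InstanceId": "i-rogue"}]},
    {"VolumeId": "vol-orphan", "Encrypted": True, "State": "available",
     "Attachments": []},
]
VOLUMES_BY_ID = {v["VolumeId"]: v for v in SAMPLE_VOLUMES}

COMPLIANT_INSTANCE = {
    "InstanceId": "i-compliant",
    "Tags": [{"Key": "Owner", "Value": "team-a"},
             {"Key": "CostCenter", "Value": "1234"},
             {"Key": "Environment", "Value": "prod"}],
    "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-aaa"}}],
    "SecurityGroups": [{"GroupName": "sg-baseline-web"}],
}
ROGUE_INSTANCE = {
    "InstanceId": "i-rogue",
    "Tags": [{"Key": "Owner", "Value": ""}],          # empty value counts as missing
    "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-bbb"}}],
    "SecurityGroups": [{"GroupName": "sg-handrolled"}],
}

if __name__ == "__main__":
    for inst in (COMPLIANT_INSTANCE, ROGUE_INSTANCE):
        findings = evaluate_instance(inst, VOLUMES_BY_ID)
        print(inst["InstanceId"], decide(findings))
        for f in findings:
            print("  ", f.check, "-", f.detail)
    print("orphaned volumes:", find_orphaned_volumes(SAMPLE_VOLUMES))
```

In a real deployment the sample inventory would be replaced by the cloud provider's API responses and the `decide` result would feed the remediation action; keeping the checks as small pure functions over plain dictionaries is what makes the standard reviewable and testable as code, which is the point of treating governance this way.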
RCA is a powerful enforcement tool for any CIO managing a multi-tenant cloud environment. Yet critically, it’s not enforcement in the old, top-down model of the past. RCA provides AIOps that enables teams to own more of the security responsibility, because a cloud hygiene baseline is “baked” into the system. Agencies can save millions by embracing AIOps, shutting down existing cloud sprawl and preventing it from happening again in the future.
STS uses RCA to help clients eliminate shadow IT, prevent cloud sprawl and to securely explore the potential of the cloud. How can we help you? To learn more about what STS can do to support your mission, please click here.