As organizations grow, so does their reliance on cloud services. But with that growth comes the risk of cloud sprawl — when too many cloud services are added without proper planning and oversight, leading to security and compliance risks.
According to research by the Cloud Security Alliance, cloud sprawl is one of the top security threats organizations face today as they deal with the unstoppable forces of an ephemeral cloud and agile development used to build and secure applications.
What is Cloud Sprawl?
Cloud sprawl typically occurs when an organization lacks visibility into or control over its cloud computing resources. An organization using multiple cloud platforms, and hosting hundreds, if not thousands of identities and data instances, is easily prone to losing visibility into their cloud. Cloud sprawl leads to not knowing where your data is, who has access to it, or what they’re doing with that access. Plus, the nature of the cloud and agile development leads to a constant flow of new applications or workloads that can easily be forgotten.
Adopting the public cloud means more organizations will need visibility and control over their cloud platforms, accounts, instances, identities, services and more. Stretched, underfunded, and rapidly changing, internal teams are forced to keep up with insane workloads that leave plenty of room for three types of sprawl.
Cloud Sprawl Areas: Platform, Data and Identity
Let’s consider three areas that create cloud sprawl: platform, data and identity.
Appealing to convenience and immediate need, developers can usually order computing power and storage without any oversight, planning, and direction of security. Building in the cloud, adding features to existing cloud structures, adding roles, and spinning up pieces of compute are all simple tasks. However, the ease of creating new identities and data stores while recreating an application often leads to abandoned, unneeded, or forgotten workloads, users, pieces of compute, roles and more. These identities, whether they relate to a person or non-person, are left dormant in the environment. Adding wasteful costs and these dormant identities create a hidden risk to enterprises.
This lack of governance means that visibility into the cloud is myopic, with rogue cloud resources that may never get decommissioned or align with the organization’s objectives. It is common to find development servers that are built that are compromised from a security standpoint without anyone realizing it. Even dormant, segregated, or devoid of active data, these circumstances carry significant risks.
Now all this platform sprawl is just within one cloud. Imagine an organization leveraging multiple cloud providers. According to an Osterman Research Paper, 80% of companies use multiple cloud providers. This multi-cloud strategy results in a decentralized view and lack of visibility.
Data Sprawl happens when organizations can no longer effectively manage how they collect, process, and store data, making it increasingly harder for them to control what data they have, where it is located, and who has access to it. It’s self-evident that new corporate infrastructures no longer have a physical or logical concept of a ‘data center’ This makes data in the cloud elusive, intangible, and hard to keep track of, especially when working across multiple clouds and without the proper cloud security tooling.
It is difficult to monitor and control data stored in many disparate environments and makes it harder for developers to quickly and accurately retrieve the information they need. To make matters worse, a lot of the data stored is duplicate or ROT (Redundant, Obsolete, and Trivial), which also leads to excessive utilization of resources. On top of development needs, securing data that teams can’t keep track of or classify appropriately becomes challenging.
Identity sprawl refers to the growth of many separate identities a user or piece of compute creates to access other identities. As the number of identities increases, the identity is said to spread, scatter, or “sprawl” almost needlessly. A more unified approach would do the opposite by consolidating identities, roles, and entitlements to the most conservative business needs.
The ease and benefits of creating cloud accounts have made having many AWS and GCP cloud accounts or Azure subscriptions the norm. It is not unusual for enterprises to have hundreds (and sometimes thousands) of cloud accounts.
That’s just addressing accounts – within those accounts are a proliferation of identities, person and non-person entities. The Osterman report also notes that organizations between $1 million to $10 million in public cloud investments have an average of 1,750 identities and 325 data stores in their environment, and organizations with more than $100 million in cloud investments see upward of 7,750 identities and 3,750 data stores.
The increased use of non-person identities exacerbates this proliferation as entities like roles, service accounts, functions and VMs play critical roles in day-to-day operations and app development.
Strategies for Fighting Cloud Sprawl
The best way for an organization to manage cloud sprawl is to ensure that their cloud applications and environments don’t take on a life of their own. Organizations must proactively determine how the cloud is being used across the board. Some organizations create a Cloud Center of Excellence CCoE to help design a full lifecycle with a future-proof outlook that will keep cloud usage in check, ensuring that growth continues without security risks.
Another way to manage cloud sprawl is to build a company-wide cloud strategy that includes all stakeholders. The cloud security strategy should include policies on using and managing the cloud, migration efforts, and identity controls and access. Automating the right tools is recommended as part of a holistic strategy to contain and avoid potential sprawl.
Constantly monitoring and managing the cloud throughout a business can be a time-consuming and expensive ongoing process. While cloud sprawl can lead to out-of-control spending and unnecessary risk, the effort required to reign it in may feel even more cumbersome or even impossible if done manually.
By working with cloud security technology, organizations can enlist the help of cloud security experts to receive the end-to-end visibility, insights, controls, and support needed to deploy any cloud security strategy.