Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementTechnologies & SolutionsSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecurityCybersecurity News

3 ways to fight cloud sprawl

By Eric Kedrosky
cloud-security-fp1170x658v05.jpg

Image by biancoblue via Freepik

September 6, 2022

As organizations grow, so does their reliance on cloud services. But with that growth comes the risk of cloud sprawl — when too many cloud services are added without proper planning and oversight, leading to security and compliance risks.


According to research by the Cloud Security Alliance, cloud sprawl is one of the top security threats organizations face today as they deal with the unstoppable forces of an ephemeral cloud and agile development used to build and secure applications. 


What is Cloud Sprawl?

Cloud sprawl typically occurs when an organization lacks visibility into or control over its cloud computing resources. An organization using multiple cloud platforms, and hosting hundreds, if not thousands of identities and data instances, is easily prone to losing visibility into their cloud. Cloud sprawl leads to not knowing where your data is, who has access to it, or what they’re doing with that access. Plus, the nature of the cloud and agile development leads to a constant flow of new applications or workloads that can easily be forgotten. 


Adopting the public cloud means more organizations will need visibility and control over their cloud platforms, accounts, instances, identities, services and more. Stretched, underfunded, and rapidly changing, internal teams are forced to keep up with insane workloads that leave plenty of room for three types of sprawl.


Cloud Sprawl Areas: Platform, Data and Identity

Let’s consider three areas that create cloud sprawl: platform, data and identity.


Platform Sprawl

Appealing to convenience and immediate need, developers can usually order computing power and storage without any oversight, planning, and direction of security. Building in the cloud, adding features to existing cloud structures, adding roles, and spinning up pieces of compute are all simple tasks. However, the ease of creating new identities and data stores while recreating an application often leads to abandoned, unneeded, or forgotten workloads, users, pieces of compute, roles and more. These identities, whether they relate to a person or non-person, are left dormant in the environment. Adding wasteful costs and these dormant identities create a hidden risk to enterprises. 


This lack of governance means that visibility into the cloud is myopic, with rogue cloud resources that may never get decommissioned or align with the organization’s objectives. It is common to find development servers that are built that are compromised from a security standpoint without anyone realizing it. Even dormant, segregated, or devoid of active data, these circumstances carry significant risks.


Now all this platform sprawl is just within one cloud. Imagine an organization leveraging multiple cloud providers. According to an Osterman Research Paper, 80% of companies use multiple cloud providers. This multi-cloud strategy results in a decentralized view and lack of visibility. 


Data Sprawl

Data Sprawl happens when organizations can no longer effectively manage how they collect, process, and store data, making it increasingly harder for them to control what data they have, where it is located, and who has access to it. It’s self-evident that new corporate infrastructures no longer have a physical or logical concept of a ‘data center’ This makes data in the cloud elusive, intangible, and hard to keep track of, especially when working across multiple clouds and without the proper cloud security tooling.


It is difficult to monitor and control data stored in many disparate environments and makes it harder for developers to quickly and accurately retrieve the information they need. To make matters worse, a lot of the data stored is duplicate or ROT (Redundant, Obsolete, and Trivial), which also leads to excessive utilization of resources. On top of development needs, securing data that teams can’t keep track of or classify appropriately becomes challenging.


Identity Sprawl

Identity sprawl refers to the growth of many separate identities a user or piece of compute creates to access other identities. As the number of identities increases, the identity is said to spread, scatter, or “sprawl” almost needlessly. A more unified approach would do the opposite by consolidating identities, roles, and entitlements to the most conservative business needs.


The ease and benefits of creating cloud accounts have made having many AWS and GCP cloud accounts or Azure subscriptions the norm. It is not unusual for enterprises to have hundreds (and sometimes thousands) of cloud accounts. 


That’s just addressing accounts – within those accounts are a proliferation of identities, person and non-person entities. The Osterman report also notes that organizations between $1 million to $10 million in public cloud investments have an average of 1,750 identities and 325 data stores in their environment, and organizations with more than $100 million in cloud investments see upward of 7,750 identities and 3,750 data stores.


The increased use of non-person identities exacerbates this proliferation as entities like roles, service accounts, functions and VMs play critical roles in day-to-day operations and app development.


Strategies for Fighting Cloud Sprawl

The best way for an organization to manage cloud sprawl is to ensure that their cloud applications and environments don’t take on a life of their own. Organizations must proactively determine how the cloud is being used across the board. Some organizations create a Cloud Center of Excellence CCoE to help design a full lifecycle with a future-proof outlook that will keep cloud usage in check, ensuring that growth continues without security risks.


Another way to manage cloud sprawl is to build a company-wide cloud strategy that includes all stakeholders. The cloud security strategy should include policies on using and managing the cloud, migration efforts, and identity controls and access. Automating the right tools is recommended as part of a holistic strategy to contain and avoid potential sprawl.


Constantly monitoring and managing the cloud throughout a business can be a time-consuming and expensive ongoing process. While cloud sprawl can lead to out-of-control spending and unnecessary risk, the effort required to reign it in may feel even more cumbersome or even impossible if done manually.


By working with cloud security technology, organizations can enlist the help of cloud security experts to receive the end-to-end visibility, insights, controls, and support needed to deploy any cloud security strategy. 

KEYWORDS: cloud security cyber security data security risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Eric kedrosky 1

Eric Kedrosky is the Director of Cloud Security Research and CISO for Sonrai Security. Eric has spent his career gathering a wealth of experience that has allowed him to become an expert in cloud security.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security camera

40,000 IoT Security Cameras Are Exposed Online

Fountain pen

Trump Administration Executive Order Changes Cybersecurity Policy

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • cloud security

    Overcoming 4 enterprise cloud security challenges

    See More
  • The Cloud Is NOT a Product

    How to avoid becoming another Azure misconfiguration statistic

    See More
  • black keyboard with blue lights

    3 tips to better manage tool sprawl to maximize existing spend

    See More

Related Products

See More Products
  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • physical security.webp

    Physical Security Assessment Handbook An Insider’s Guide to Securing a Business

  • school security.jpg

    School Security: How to Build and Strengthen a School Safety Program

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing