How Adobe monitors cloud deployments to control shadow IT

Keeping an eye on your cloud deployments is key to preventing yet another data breach. Adobe's MAVLink program does just that.

Too little security leads to data breaches, but too much security can wind up with the same result. Employees who are eager to do their jobs, and fettered by what can sometimes seem like unnecessary restrictions on their ability to do so, often create a burgeoning shadow IT problem, including shadow IT in the cloud.

Monitoring your enterprise cloud deployments to ensure that well-meaning employees don't spin up cloud instances without permission is a good way to prevent those "unsecured S3 bucket" headlines with your company's name attached. Adobe developed its in-house MAVLink program to do just that and won a 2020 CSO50 award for the effort.

Monitoring and controlling shadow IT

MAVLink helps Adobe take control of shadow cloud IT by standardizing and continuously monitoring all its cloud deployments for misconfigurations that could lead to a data breach or other security incident. "Cloud security can be complex work," Adobe cloud security architect Scott Pack tells CSO. "By providing tooling services to help perform security assessments for these accounts and environments regardless of the teams’ level of sophistication, we’re able to monitor more effectively and help identify potential issues more easily."

Striking the right balance between enabling employee productivity and preventing security incidents is a struggle for most security teams, and in developing MAVLink, Adobe has had to grapple with the same problems. "Maintaining correct tension and balance is a constant effort," Pack says. "We, as the security team, strive to work with our engineering teams to address real potential risk without burning cycles on false positives. I think it is likely that this balancing effort is something that every security team struggles with."

Adobe first deployed MAVLink as a test in 2016, leading to company-wide deployment in August 2017. The program now assesses security and collects telemetry across thousands of cloud accounts and does so without any service interruptions, according to Pack.
