Keeping an eye on your cloud deployments is key to preventing yet another data breach. Adobe's MAVLink program does just that.

Too little security leads to data breaches, but too much security can wind up with the same result. Employees who are eager to do their jobs but fettered by what can sometimes seem like unnecessary restrictions on their ability to do so often turn to shadow IT, including shadow IT in the cloud.

Monitoring your enterprise cloud deployments to ensure that well-meaning employees don’t spin up cloud instances without permission is a good way to prevent those “unsecured S3 bucket” headlines with your company’s name attached. Adobe developed its in-house MAVLink program to do just that and won a 2020 CSO50 award for the effort.

Monitoring and controlling shadow IT

MAVLink helps Adobe take control of shadow cloud IT by standardizing and continuously monitoring all its cloud deployments for misconfigurations that could lead to a data breach or other security incident. “Cloud security can be complex work,” Adobe cloud security architect Scott Pack tells CSO. “By providing tooling services to help perform security assessments for these accounts and environments regardless of the teams’ level of sophistication, we’re able to monitor more effectively and help identify potential issues more easily.”

Striking the right balance between enabling employee productivity and preventing security incidents is a struggle for most security teams, and in developing MAVLink Adobe has had to grapple with the same problems. “Maintaining correct tension and balance is a constant effort,” Pack says. “We, as the security team, strive to work with our engineering teams to address real potential risk without burning cycles on false positives.
I think it is likely that this balancing effort is something that every security team struggles with.”

Adobe first deployed MAVLink as a test in 2016, leading to company-wide deployment in August 2017. The program now assesses security and collects telemetry across thousands of cloud accounts and does so without any service interruptions, according to Pack.

Collecting data on new cloud accounts

MAVLink monitors all attempts to create new cloud accounts using a Microsoft Exchange filter that reroutes any registration emails to the security team. Adobe also monitors corporate credit card transactions for employees setting up cloud accounts without permission. The program uses Amazon Web Services configuration snapshots to identify public IP addresses, check Elastic Load Balancing cipher suites, and get user lists within an account. “Whenever data is collected, it flows into our security incident and event management (SIEM) system and logging tools for analysis by MAVLink. MAVLink then helps enable us to monitor our cloud service accounts in one place,” Pack wrote in a blog post.

MAVLink has turned out to be particularly useful to Adobe in the wake of several recent acquisitions, Pack says, giving the security team visibility into cloud accounts within days.

Adobe is considering releasing MAVLink under an open source license, Pack says. “Cost effective cloud security at scale is something a lot of mature companies struggle with, and we want to help them overcome those challenges and continue to innovate on the solution.”

When developing an in-house solution like this one, Pack emphasized that security tools should be built with feature creep in mind. “During the time we’ve had MAVLink in place we’ve updated many parts of our security program, including network visibility, host monitoring, vulnerability scanning, secret management, etc.,” Pack tells CSO.
“When building security tooling it’s important to design for extensibility; you’ll likely be asked to make the tool do things it wasn’t originally made for. Try to stay flexible!”
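The article describes three checks MAVLink runs over AWS configuration snapshots: finding public IP addresses, checking Elastic Load Balancing cipher policies, and listing the users in an account. The script below is an added example of how such a pass over a snapshot can be written; it is not MAVLink code or anything Adobe has published. It uses a constructed, simplified snapshot in the style of an AWS Config snapshot (a list of configurationItems keyed by resourceType), and the field names, the approved-policy allowlist and the sample resource ids are assumptions made for this example.

```python
import json

# Constructed sample in the style of an AWS Config configuration snapshot.
# Field names and resource ids are assumptions for this example, not data
# from the article. The two ELB policy names are real AWS predefined policies.
SAMPLE_SNAPSHOT = json.dumps({
    "configurationItems": [
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example1",
         "configuration": {"publicIpAddress": "203.0.113.10",
                           "privateIpAddress": "10.0.1.5"}},
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example2",
         "configuration": {"privateIpAddress": "10.0.1.6"}},
        {"resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
         "resourceId": "web-elb",
         "configuration": {"listenerDescriptions": [
             {"listener": {"protocol": "HTTPS", "loadBalancerPort": 443},
              "policyNames": ["ELBSecurityPolicy-2011-08"]},
             {"listener": {"protocol": "HTTP", "loadBalancerPort": 80},
              "policyNames": []}]}},
        {"resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
         "resourceId": "api-elb",
         "configuration": {"listenerDescriptions": [
             {"listener": {"protocol": "HTTPS", "loadBalancerPort": 443},
              "policyNames": ["ELBSecurityPolicy-TLS-1-2-2017-01"]}]}},
        {"resourceType": "AWS::IAM::User", "resourceId": "AIDAEXAMPLE1",
         "configuration": {"userName": "alice"}},
        {"resourceType": "AWS::IAM::User", "resourceId": "AIDAEXAMPLE2",
         "configuration": {"userName": "svc-deploy"}},
    ]
})

# Assumption: an allowlist of ELB security policies the security team accepts.
APPROVED_ELB_POLICIES = {"ELBSecurityPolicy-TLS-1-2-2017-01",
                         "ELBSecurityPolicy-2016-08"}


def load_items(snapshot_json):
    """Return the list of configuration items from a snapshot document."""
    return json.loads(snapshot_json)["configurationItems"]


def public_ips(items):
    """Map instance id -> public IP for every EC2 instance that exposes one."""
    found = {}
    for item in items:
        if item["resourceType"] == "AWS::EC2::Instance":
            ip = item["configuration"].get("publicIpAddress")
            if ip:
                found[item["resourceId"]] = ip
    return found


def weak_elb_listeners(items, approved=APPROVED_ELB_POLICIES):
    """Flag TLS listeners without an approved policy and plaintext listeners.

    Each finding is (load balancer id, port, finding type, policy names).
    """
    findings = []
    for item in items:
        if item["resourceType"] != "AWS::ElasticLoadBalancing::LoadBalancer":
            continue
        for desc in item["configuration"].get("listenerDescriptions", []):
            listener = desc["listener"]
            port = listener["loadBalancerPort"]
            if listener["protocol"] in ("HTTPS", "SSL"):
                policies = set(desc.get("policyNames", []))
                if not policies & approved:
                    findings.append((item["resourceId"], port,
                                     "unapproved-tls-policy", sorted(policies)))
            else:
                # HTTP/TCP listeners carry traffic in the clear.
                findings.append((item["resourceId"], port,
                                 "plaintext-listener", []))
    return findings


def iam_users(items):
    """Sorted user names of every IAM user recorded in the snapshot."""
    return sorted(item["configuration"]["userName"]
                  for item in items if item["resourceType"] == "AWS::IAM::User")


def assess(snapshot_json):
    """Run all three checks and return one record suitable for a SIEM feed."""
    items = load_items(snapshot_json)
    return {"public_ips": public_ips(items),
            "elb_findings": weak_elb_listeners(items),
            "iam_users": iam_users(items)}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SNAPSHOT), indent=2))
```

The output of assess() is a single JSON record per account, which matches the article's description of collected data flowing into a SIEM for analysis; in a real deployment the snapshot would come from AWS Config rather than an inline string, and the allowlist would be maintained alongside the organisation's TLS baseline.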