A Comcast security executive suspected that company employees were using hundreds of unauthorized cloud services. Imagine her shock when an investigation discovered that the number actually ran into the thousands.
This was anything but a one-off.
As a new year approaches, cloud computing administrators find themselves battling an old - and worsening - security problem in the form of Shadow IT. The term refers to individuals or departments who unilaterally decide to buy their own IT products and services without asking permission from their companies.
It’s a gnarly management challenge. Relatively few organizations are able to track the number of cloud services used by their employees. It’s estimated that companies may have as many as 22 times more cloud apps in service than sanctioned officially by IT.
Not only is the phenomenon still vastly underestimated but it also poses a threat to company data stored on the cloud. The irony is that employees are not acting maliciously. Many would explain that they are just trying to cut through red tape to get stuff done. But in reaching for short cuts, they may not realize the implications for the corporate cloud, if not the business.
The Impact: Anything But Benign
When employees skirt IT protocols, they unwittingly put information on their corporate clouds at risk. Indeed, Gartner expects that the use of unofficial cloud services related to Shadow IT will account for one third of all security breaches by 2020.
Security is not the only concern. Shadow IT can also pose a threat to a company’s own intellectual property. In the Comcast case, for example, examiners found a couple of instances where unauthorized deployments potentially jeopardized the ownership of the data that was getting stored on the cloud. The employees who used that unauthorized service should have known that fact after reading the fine print of the terms of service. Then again, it’s not likely that many employees read the terms of service agreements.
So far, enterprises have avoided suffering a massive data breach caused by their employees connecting to unauthorized cloud services. That’s no reason for complacency. Just like San Franciscans who live in dread expectation of the San Andreas fault, the “big one” could hit anytime.
Changing Old Habits and More
Shadow IT’s popularity also underscores the difficulty of reigning in a popular practice. Human nature is what it is and employees routinely flout corporate policy guidelines all the time. But going rogue when it comes to cloud services poses far more danger than the use of the printer for personal use.
You can have the greatest security plan in the world but if users refuse to follow procedures, it’s all for naught. Ingrained habits obviously are hard to shed. Hence, security managers will have to improve their messaging so that employees understand what’s at stake. The message ought to be clear and unequivocal: Shadow IT endangers not just security but the entire organization.
At the same time, IT needs to lay out policies and procedures governing procurement that are easy to understand and implement. If the corporate security plan is cumbersome, employees will ignore it.
Besides preaching from the pulpit, organizations can turn to technology for help. For example, they can deploy identity management systems that track specific user attributes, such as location or job title to help detect unsecured access to company data. They can also use Cloud Access Security Broker (CASB) products and services to assist with the task of getting things buttoned down. The CASB monitors traffic sent between the organization's various endpoints and any cloud applications. At that point, IT will be able to identify which cloud services employees use and uncover rogue deployments.
What’s clear is that organizations need to get all of their users back under one security tent before things get out of their control. No easy task since the biggest security threat they face still walks through the front door each day.
This content is underwritten by VMware -- and is editorially independent. It is produced in accordance with conventional standards of business journalism.
Charles Cooper is an award-winning freelance author who writes about business and technology. During his 30-plus year career, he has worked as an executive editor at several leading tech publications including CNET, ZDNet, PC Week and Computer Shopper.