This cloud security blog was written by Robert Plant, Vice-Chairman, Department of Business Technology at the University of Miami (@drrobertplant).
As enterprises move their applications and data to the cloud, executives are increasingly being faced with balancing the benefits of productivity gains with significant concerns around compliance and security.
A principal area of concern relates to unsanctioned use of cloud services and applications by employees. Data from Rajiv Gupta, CEO of Skyhigh Networks, indicates that the average company now uses 1,154 distinct cloud services, and the number is growing at over 20% per year.
Many organizations are simply unaware of unsanctioned cloud usage, while others acknowledge that the use of such “shadow IT,” which is technology deployed without oversight by the core enterprise technology group, is inevitable, a side effect of today’s decentralized business structures and need for agile solutions to be deployed quickly.
Most concerning for chief security officers is that this growth is led by employees seeking productivity gains through unsanctioned cloud-based solutions with a wide range of security levels. Skyhigh Networks currently estimates that 15.8% of files on the cloud contain sensitive data, that 28.1% of users have uploaded sensitive data, and that 9.2% of that sensitive data is then shared.
Employees may, for example, upload a file while overseas to a local cloud file storage service provider without checking the terms and conditions of that vendor who may in fact claim ownership rights to any content. Additionally the data storage cloud provider may not encrypt the data either during its transmission or while stored on their cloud, thus increasing the risk. Other situations include employees who take a piece of code from a cloud-based open source site and incorporate it into their own program without fully checking the validity of the adopted code. Or someone may adopt a design feature from a site that has the potential to infringe another firm’s intellectual property. Or employees may simply discuss technical problems on a cloud-based site for like-minded individuals. While this may seem a great way to increase productivity and find a solution quickly, valuable intellectual property could be lost or insights on new products could inadvertently be revealed to rivals stalking these sites.
Well, cloud “lockdown” is practically infeasible. Technical solutions such as blocking certain sites or requiring authentication, certificates and platform-specific vendors will only work so far, as employees have access to personal machines and devices that can’t be monitored and secured.
Instead, employers should implement a strategy under which employees can bring new tool and resource ideas from the cloud to the enterprise, which can yield great benefits. But this has to be done within an adoption framework where the tool, product or service is properly vetted from technical and legal perspectives. For example, is the cloud service being used robust? Does it employ sufficient redundancy so that high value data placed there is always guaranteed to be available? From a legal perspective it is necessary to examine the cloud service to ensure it is within the compliance parameters required by regulators for the industry.
Risk can be mitigated in a number of ways, including deploying monitoring tools that scan cloud access, software downloads and storage. These tools can identify individuals, IP addresses and abnormal trends. They can rank risk by site and by usage pattern, measured against risk profiles for cloud vendors.
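The kind of monitoring described above, as an added example that is not part of the original post: it parses constructed proxy log lines, skips sanctioned services, flags large uploads to unsanctioned hosts with the user and IP involved, and ranks each unsanctioned site by a hypothetical vendor risk profile weighted by upload count. The log format, sanctioned list, vendor scores and threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the original post).
# Format assumed: timestamp user src_ip method host bytes_sent
SAMPLE_LOGS = """\
2024-05-01T09:12:03 alice 10.1.4.22 POST drive.example-sanctioned.com 5242880
2024-05-01T09:15:41 bob 10.1.4.37 GET news.example.net 2048
2024-05-01T09:20:10 bob 10.1.4.37 POST freeshare.example.org 73400320
2024-05-01T09:22:55 carol 10.1.7.8 POST pastebin.example.org 4096
2024-05-01T09:30:00 bob 10.1.4.37 POST freeshare.example.org 52428800
2024-05-01T09:35:12 dave 10.1.9.2 GET docs.example-sanctioned.com 1024
"""

# Hypothetical sanctioned services and vendor risk profiles (0 = low, 10 = high);
# unknown vendors get a default mid-level score.
SANCTIONED = {"drive.example-sanctioned.com", "docs.example-sanctioned.com"}
VENDOR_RISK = {"freeshare.example.org": 8, "pastebin.example.org": 9}
DEFAULT_RISK = 5
UPLOAD_THRESHOLD = 1024 * 1024  # flag uploads of 1 MiB or more

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, ip, method, host, sent = m.groups()
    return {"ts": ts, "user": user, "ip": ip, "method": method, "host": host, "bytes": int(sent)}

def analyze(log_text):
    """Return (findings, ranking).
    findings: events that are large uploads to unsanctioned hosts.
    ranking: (host, score, details) sorted by score, where
             score = vendor risk * (1 + number of flagged uploads)."""
    findings = []
    per_host = defaultdict(lambda: {"uploads": 0, "bytes": 0, "users": set(), "ips": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["host"] in SANCTIONED:
            continue  # malformed, or a vetted service: nothing to flag
        h = per_host[ev["host"]]
        h["users"].add(ev["user"])
        h["ips"].add(ev["ip"])
        if ev["method"] in ("POST", "PUT") and ev["bytes"] >= UPLOAD_THRESHOLD:
            findings.append(ev)
            h["uploads"] += 1
            h["bytes"] += ev["bytes"]
    ranking = [(host, VENDOR_RISK.get(host, DEFAULT_RISK) * (1 + d["uploads"]), d)
               for host, d in per_host.items()]
    ranking.sort(key=lambda r: r[1], reverse=True)
    return findings, ranking
```

Running `analyze(SAMPLE_LOGS)` flags bob's two large uploads to freeshare.example.org and ranks that host first; the small pastebin POST is still listed, but unflagged, so an analyst can lower the threshold for high-risk vendors if desired.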
Technical monitoring alone is, however, not sufficient and needs to be used in combination with education, evaluation, compliance audits, transparency, accountability and openness of discussion — all positive steps that chief security officers can take toward managing cloud adoption and risk.