UPDATED 17:02 EDT / AUGUST 30 2013

NEWS

Shadow IT, Rogue Clouds and Security

Shadow IT is one of the greatest security risks that a lot of people just don’t know about. It’s actually a growing and potential threat to security in enterprise after enterprise. If you don’t know what Shadow IT is – that’s when IT systems seep into production without prior approval from the organization. The phenomenon of mobility is one comparable such example. In many environments, when mobility hit the mainstream, you had all these devices taking off – people accessing and storing email, web pages, storing documents, connecting to the company network – all of it uncontrolled, unsanctioned officially by the company. Here’s another classic example (and we’re not picking on anybody here): developers have a knack for wanting to own things themselves, often times it can just be quicker to use some desktop system or even a test server, load a database or whatever they want to work on – sooner or later that system becomes a live production system. It just happens.  That means sooner or later you will get a call when it fails or they just need help. Your IT department didn’t build it, but they now more or less support it, and even more critical, it now has a production purpose so you have no choice but to support it at some level.  That’s a process matter to say the least but it could also mean that because it was built out of process it may be a security risk on top of everything else.  You don’t know who has the passwords, permissions haven’t been secured, perhaps it is not even in a physically secure location – those are just some of the security issues that Shadow IT introduces.

Now we have the cloud and for all the things it’s changing in a positive way, it has the potential if unchecked to affect things from a risk perspective.  Back to the example of the developer – perhaps he’s building labs out in an Infrastructure as a Service (IAAS) cloud provider – because it’s easy, perhaps it’s Amazon’s EC2 environment, perhaps it’s Azure – one thing for sure is it isn’t your environment and you have no control or guidelines for utilizing a third-party environment.  That same developer loads proprietary company code or mistakenly puts up a real database with company info on it, just for testing – well that’s an issue.  How about those same mobility users that start to employ unofficial cloud file storage services.  It doesn’t take a giant logical leap to tell that you can quickly lose your ability to discover information, report information, and stay in compliance.  BYOD exasperates this situation because now you have devices everywhere, installing all kinds of apps, reaching into locally stored documents – company documents and making life “easier” for the user.  Information that goes into things like Evernote or SkyDrive – it could be information lost.  That’s one password, one account your organization doesn’t control, have the ability to recover, reset, or delete and it happens over and over again.

These are major threats, and the answer isn’t easy.  We have to rely however on major pillars in security principles – People, Policies, and Technology.  That’s an opportunity where a lot of improvement can always be made, so whether it’s professional security services, a refreshed security initiative within an organization, or the latest in security technology such as security analytics, these elements can have a significant and even immediate impact.  Often an analysis begins with baseline assessment, and scales to vulnerability assessments, process and procedural reviews, you can begin to evaluate security as a stack – at multiple levels, because that’s how security is implemented nowadays.  On other fronts, technologies are emerging that allow you to set corporate encryption keys for cloud services outside the enterprise.  They can also control the behavior of certain applications, eliminating copy/paste or screenshots on a device when it is doing company work.   The options are growing in order to deal with this and that’s a good thing for security in general.  It really comes down to what your needs are, the investment is also tied to a company’s critical security priorities, compliance and regulatory requirements, budget, and whether the solution does what you need it to do effectively, there are many situations to say the least.  People – training users on what’s important, what’s protected, what’s right to do, and what is wrong to do – those things are a consistent security theme and do not change here.  Policies – Role-based access, data security, security plans, data-governance – policies set up agreed practices that are designed to assure business needs are met.  These are constant security themes that we’re seeing over and over again.  Trusted advisors in a strong partnership can also be part of developing a reliable, practical security matrix that protects your assets, delivering on business goals and value.  Pick your technology partners carefully.

Rogue clouds do seep into enterprise, and departments are finding personal identifiable information, credit card information, social security numbers, financial information and so much more out in these environments.  The worst part is the organization has no idea, that’s why it’s called Shadow IT.  One cloud instance with your company data on it – it could be lost in any number of ways.  One personnel file that gets out into Evernote, then that account gets “phished” by some rogue app in the Google Play market or a third party website – that’s a big issue.  So data leaks out, finds its way to the ultimate Shadow entity on the web, it ends up in the hands of hackers, competitors, regulators, or all of the above.  That’s where the diligence and activity awareness are most required.  With Shadow IT in all kinds of forms sweeping the enterprise, and a never-ending wave of innovations that are emerging on the scene at any given time, keeping your eyes open for your information can be extremely powerful.  If you look at Shadow IT and have realized that it’s probably an issue for you – Perhaps you don’t want to do away with it, but you wish to at least control it, then you need to consider a mix of technology, training and policy to deal with it.


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU