Remember the days when IT was in control of all hardware and software brought into the business? Today, it's all about improving performance, convenience, and the mobile workforce. IT is now asked to support devices and applications outside their traditional comfort zone. In some cases, employees use applications without notifying IT and circumventing company controls, a practice known as Shadow IT.
There are many concerns regarding shadow IT, including compliance, governance and standards, lack of testing and change control, as well as configuration management. Below is an interesting cloudtech blog post (written by James Bourne) we wanted to share on the topic.
Another day, another report bemoaning shadow IT for cloud computing. SafeNet’s Challenges of Cloud Information Governance study, conducted by the Ponemon Institute, is the latest to put the blame of compromising data at the door of unapproved IT activity.
Shadow IT, which involves employees bypassing company policy on website and technology usage, has meant cloud security is “stormy”, according to the report. More than half (55%) of the 1,864 IT and IT security practitioners surveyed admitted they were “not confident” that IT knows all the cloud computing services in use at their company.
Respondents added that payment information (56%) was the data that presented the greatest security risk, ahead of customer information (50%), consumer data (34%) and email (23%). Payment info, however, was the least likely to be stored in the cloud, probably as a result of this risk.
Part of the problem for IT managers is that conventional security methods are difficult to enforce with cloud apps and products. 71% of respondents agreed with that statement, while around half (48%) believe it’s more difficult to control or restrict end-user access. Similarly, 61% said cloud increases the compliance risk, compared to only 8% who thinks it goes down.
Another problem, as the survey revealed, was the age old question of who is responsible for cloud data: the end user, or the cloud provider? It’s still not been answered. 33% argued it was the cloud user’s responsibility, 32% said the provider, while 35% said it was a shared responsibility.
Similarly, there is a lack of encryption in software as a service (SaaS) applications. Three quarters of respondents say they use document sharing and online backup tools, but only 28% say their organization encrypts sensitive data directly within these apps.
As enterprise cloud usage will inevitably increase in the coming years, the 30 page full report paints a fairly bleak picture. SafeNet goes through seven reasons why cloud governance is a challenge:
- Uncertainty about who is accountable for safeguarding confidential or sensitive information stored in the cloud
- IT is out of the loop when companies make decisions on the usage of cloud resources
- IT functions are not confident they know all the cloud resources being used
- Companies say encryption is important, but aren’t walking the walk on protecting apps
- An inability to control how employees and third parties handle sensitive data makes compliance more difficult
- More employees are using cloud apps without appropriate security training
- Third parties are allowed to access sensitive data without security reinforcement, such as multi-factor authentication
Shadow IT is often blamed for this lapse in security. Can you be certain as a CIO or senior manager that your workforce isn’t using Dropbox to ping over collaborative documents, for instance? A blog from MobileIron back in March pondered the question: “If an auditor had full access to your Dropbox account right now, would they find a single bit of corporate data that shouldn’t be there?”
In almost all of the cases, it’s difficult to say no. So what’s the solution? Blacklisting apps is a brute force method, although innovative employees can find many ways to break the system, whether it’s for malicious purposes or just an honest attempt to be more productive. As a CloudTecharticle mused yesterday, your employees are a bigger risk to data loss than cybercriminals.
Education, and increased visibility into cloud app usage is key to mitigating the risk of shadow IT, the report concludes – and it’s a good starting point. If you keep your head in the sand and pretend there isn’t a problem, your data could be seriously at risk.