The danger in shadow IT and rogue clouds

The ReRez survey was commissioned by Symantec to look at hidden costs in the cloud, questioning 3,326 organizations in 29 different countries. The vast majority, 94%, either already are or are actively discussing the use of cloud services. Rogue clouds, however, are those unofficial cloud services already in use but not formally sanctioned by the IT department, including services such as Dropbox and Salesforce.

It is difficult to quantify the incidence of such rogue clouds simply because they are outside of official purview. However, “In one particular instance,” commented Ed Macnair, CEO of SaaSID, “an enterprise CIO told us that he had discovered thirty different deployments of SaaS applications, none of which were procured by the IT department, or configured to comply with corporate security policies.”

The Symantec survey concentrates on the hidden costs in cloud usage, some of which can be unexpected, including compliance, eDiscovery and SSL certificate management. The danger with unsanctioned use of Dropbox (or any other ‘file synchronization’ cloud service), however, is that although staff may use the service merely to transfer files from the corporate server to their BYOD devices, the files themselves remain on third-party servers outside the control, or even the knowledge, of the company.

This potentially brings the company into conflict with legal compliance regulations if the files contain sensitive information. “The UK Information Commissioner’s Office has reminded businesses,” adds Macnair, “that they are accountable for ensuring that sensitive information is securely handled by their users and cloud providers.” It is important to note here that even encryption is no solution if the encryption keys themselves are not kept securely; that is, if the encryption keys are also stored in the cloud, the company is likely to remain in breach of compliance requirements such as the UK's Data Protection Act (DPA) and PCI DSS.

One of Symantec’s main solutions to this problem is to “Educate, monitor and enforce policies.” The problem here is highlighted in an earlier survey in December 2012 by Nasuni into the use of Dropbox. It too says that “A critical part of implementing an effective IT policy is raising awareness of the policy among users.” In this case, however, Nasuni points out that almost half of its respondents “do not follow IT policies even when educated about the policy.”
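The “monitor” part of that advice is the one an IT department can actually automate: rogue cloud use leaves traces in web proxy or firewall logs. The following is an added example, not code from the article, Symantec, Nasuni or SaaSID, that scans constructed proxy log lines for traffic to known file-sync and SaaS domains that are not on a sanctioned allowlist, and summarises which users are involved and how much data has left the network. The log format, the domain signature list and the allowlist are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (hypothetical format: timestamp user host bytes_out).
SAMPLE_LOG = """\
2013-01-15T09:02:11 alice www.dropbox.com 5242880
2013-01-15T09:05:42 bob mail.example.com 10240
2013-01-15T09:07:03 alice login.salesforce.com 2048
2013-01-15T09:10:55 carol dl.dropboxusercontent.com 15728640
2013-01-15T09:12:20 dave crm.example.com 4096
malformed line that should be ignored
"""

# Hypothetical allowlist: registrable domains the IT department has sanctioned.
SANCTIONED = {"example.com"}

# Hypothetical signature list mapping registrable domains to the cloud service they belong to.
CLOUD_SERVICES = {
    "dropbox.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "salesforce.com": "Salesforce",
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def registrable_domain(host):
    """Reduce a hostname to its last two labels (good enough for this example's signatures)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """Return the service name for an unsanctioned known cloud host, else None."""
    domain = registrable_domain(host)
    if domain in SANCTIONED:
        return None
    return CLOUD_SERVICES.get(domain)


def find_unsanctioned(log_text):
    """Summarise unsanctioned cloud traffic per service: users, event count, bytes sent out."""
    findings = defaultdict(lambda: {"users": set(), "events": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        _timestamp, user, host, bytes_out = match.groups()
        service = classify_host(host)
        if service is None:
            continue  # sanctioned or unknown destination
        entry = findings[service]
        entry["users"].add(user)
        entry["events"] += 1
        entry["bytes_out"] += int(bytes_out)
    return dict(findings)


if __name__ == "__main__":
    for service, entry in sorted(find_unsanctioned(SAMPLE_LOG).items()):
        print(f"{service}: {entry['events']} events, "
              f"{entry['bytes_out']} bytes out, users={sorted(entry['users'])}")
```

The report is the starting point for the “enforce” step: a large outbound byte count to a file-sync service is the signal that corporate files now sit on a third-party server, which is exactly the exposure the article describes. In a real deployment the signature list would be far longer and the byte threshold tuned per service.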