Are Shadow Cloud Services Undermining Your Security Efforts?

The Great Cloud Migration continues around the world, forging new pathways to digital transformation by way of data analytics, on-demand computing power, and agile scalability. If you’ve undertaken this journey, you know that doing it right involves a lot of strategy and planning in addition to the coordinated efforts of skilled applications, systems, and security professionals.

You also probably know that your organization’s cloud journey started before your enterprise initiative was launched — a marketing application for tracking leads here, a payroll service there — and many others that your team never had a chance to vet, secure, or monitor.

In fact, most enterprises have dozens of “shadow cloud” applications in use that introduce risk because they weren’t planned and deployed by IT staff as part of a holistic strategy. 

It’s not hard to see why and how this happens. The modern enterprise runs on data — and so does our modern economy. According to recent research on data’s economic value in the G7 and Europe, four percent of all jobs in the United States and five percent of our national output can be attributed to data-centered activities.

Extracting value from data requires computing power of unprecedented scale, availability, and flexibility. The need to collect, collate, mine, analyze, process, and store data is what drives enterprises to transition to cloud environments. Leading enterprises ensure successful migrations by developing strategies to deal with complexity and risk — determining which workloads should be migrated to the cloud, establishing priorities, selecting vendors, and then working through the stages of deployment. 

As is usually the case with major system upgrades, cloud migration takes time. If an eager department finds its long-awaited SaaS solution too low on the priority list, they may seek to act on their own and hope their outstanding results gain attention and budget.

Cloud services are designed to be easy to use and don’t require a major financial investment up front. It’s no problem for business units to get started without going through normal corporate procurement procedures.

What’s the problem?
If too many departments or managers have gone rogue, your organization’s transition to cloud services may be happening faster than you realize, or more aggressively than you planned based on risk assessments. The problem is, valuable data could be coming and going from your environment without your knowledge or oversight. Bottom line — if you wouldn’t be comfortable doing it with cash, you shouldn’t be comfortable doing it with data.

In addition to knowing everything about where your data is going and how it’s getting there, SHADOW CLOUD CAN BE A QUALITY issue. The SaaS solutions that comprise your shadow cloud are consumer-grade software. They simply don’t offer enterprise-grade security and protection. 

It’s important to remember that cloud security is built on a shared responsibility model — the provider is responsible for maintaining some security features, and the customer (and end-user) is responsible for others. If your security team isn’t managing the customer end of that responsibility, who is? Are they qualified to make security decisions that may have consequences for data privacy, compliance, and governance?

What are the consequences?
Shadow cloud creates risks that could have regulatory, financial, operational, and reputational consequences. In most industries, if you can’t identify where and how personally identifiable information and personal health information are transmitted and stored throughout your extended ecosystem, you are out of compliance.

The enterprise could face significant regulatory penalties and litigation in the (increasingly common) event of a data breach or leak — even with an otherwise effective security program in place. Likewise, if you have transferred some risk via cyber insurance, your data has to be processed and stored as expected. If it isn’t, any claims made after a data breach might be denied.

Over time, shadow cloud applications may indeed become an important part of running your business. What happens if the associated data is unavailable or corrupted? Did the business unit that deployed the unauthorized cloud service(s) thoroughly review and implement the necessary backup and disaster recovery functions?

What can be done?
If these risks and unknowns are ringing your alarm bells, consider taking these steps to close the gaps:

  • Discovery – Use a tool to discover what shadow cloud applications are being run in your enterprise.
  • Assessment – Talk to the users of the shadow cloud to determine whether the unauthorized services are meeting a legitimate business need.  
  • Analysis – If a legitimate business need is being met, identify if there is an enterprise-grade service that will provide the needed security features and meet the same needs. If so, migrate users to the authorized service.
  • Prevention – Work with the network team to block access to that service when it’s determined that: there isn’t a justifiable business need, no enterprise-grade option is available, or the risk is too high.
  • Education – Work continuously to ensure that everyone in the organization understands the value of data and what must be done to protect it. Teach them the risks inherent in unmonitored, unvetted cloud applications as well as the appropriate processes for deploying enterprise cloud services and applications. Shadow cloud doesn’t develop because employees relish going rogue; they have a job to do and go straight to the most efficient way to do it.  

We can’t afford to minimize the downside risks of taking advantage of the latest and greatest in cloud services. Business moves fast, competition is stiff, and shadow cloud happens. Even in a well-planned migration, some will stray off the path.

Awareness is half the battle: staying on top of all the applications and services running in your enterprise, enforcing application policies, and building more collaborative partnerships between IT and business units will go a long way toward keeping your data secure and your enterprise running smoothly.

What’s Hot on Infosecurity Magazine?