Shadow IT has worried CIOs for decades. The practice is often defended as a source of innovation and a faster-than-normal way for users to get their jobs done, but this off-the-radar technology use by employees presents serious dangers to the corporation, ranging from increased security threats to compliance issues.
Dealing with the problem is, to say the least, troublesome for IT, but now the challenge has escalated to near-impossibility as Shadow IT takes on a new form: stealth clouds.
“The problem with stealth clouds, just like with stealth bombers, is you can’t detect them — unlike the shadows in Shadow IT,” said Ian Gotts, CEO and chairman of Nimbus, a global provider of business process management (BPM) solutions.
Stealth clouds rolling in
The term stealth cloud refers to the unauthorized use of a company’s private or public cloud, be that by current or ex-employees or third parties.
“Companies are not taking the necessary steps to ensure data is being accessed by the right employees on-premise, not to mention administrators from host companies when data is housed by third party providers,” explained Kurt Johnson, vice president of Strategy and Corporate Development for Courion Corporation. “There is a profound lack of understanding within many companies as to what data is hosted in the cloud, which employees have access to that data, and who is responsible for protecting data in the cloud.”
Stealth clouds arose from two recent developments: the overly fast adoption of the cloud and the modern workforce’s rabid impatience with the speed at which IT adopts and rolls out new technologies.
Threats relating to unauthorized access, information breaches, and loss or misuse of data are still being discovered. Simply put, “the value of and adoption of cloud computing is developing significantly faster than the ability to provide security and protection of the data within it,” said Chris Harbrecht, vice president of Sales at Compsat Technology.
Virtualization has helped IT address the problem by reducing the time it takes to provide IT capacity from weeks to a matter of days. “However, even with virtualization, there is still far too much manual processing in getting these IT services to the end user,” said Rich Bourdeau, vice president of Product Management at DynamicOps. Workers, now accustomed to living and working at Internet speeds, refuse to wait, so they figure out workarounds. The end result is that rogue technology use dramatically outpaces IT’s ability to keep up.
A recent Courion Corporation survey found “one in seven companies actually know for a fact that they have potential access violations in the Cloud, but don’t know how to find them.” Indeed, in that same survey nearly two-thirds of business managers admitted they would not pass an audit verifying which users have access to their hosted applications.
Stealth cloud formation
It’s not that IT isn’t working hard to pinpoint offenses and nail offenders; it’s that the offenses (and therefore the offenders) are almost undetectable. “You may be able to start looking for increased internet traffic, but you need to be able to determine what is information/browsing/research vs. specific Web-based applications,” explained Nimbus’ Gotts. “This may be from work machines (PC, tablet, smartphones) or from home devices, in which case you have no visibility. What you may be able to detect is a lack of activity in certain internal systems, e.g. CRM, which shows that the users are going somewhere else or the users have stopped asking for a new internal system or enhancements to existing internal systems.”
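The two signals Gotts describes, traffic to web-based applications that is distinct from ordinary browsing and a drop in activity against internal systems such as CRM, can be checked together against proxy logs. The script below is an added illustration, not code from the article or from Nimbus; the log lines, host names, user names, the classification lists and the byte threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed proxy log (date, user, destination host, bytes); hosts and
# users are invented for this example.
PROXY_LOG = """\
2024-03-04 alice crm.internal 12000
2024-03-04 alice news.example.com 5000
2024-03-05 alice crm.internal 11000
2024-03-18 alice app.saas-example.com 90000
2024-03-19 alice app.saas-example.com 120000
2024-03-19 alice news.example.com 4000
2024-03-04 bob crm.internal 9000
2024-03-18 bob crm.internal 9500
2024-03-19 bob news.example.com 6000
"""
# Assumed lists (a real deployment would use a URL-category feed and its own inventory of sanctioned systems); any other host counts as browsing.
INTERNAL_SYSTEMS = {"crm.internal"}
WEB_APPS = {"app.saas-example.com"}
LINE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) (\S+) (\S+) (\d+)$")
CUTOFF = date(2024, 3, 15)  # boundary between the "before" and "after" periods

def classify(host):
    """Separate internal-system use and web-app use from plain browsing."""
    if host in INTERNAL_SYSTEMS:
        return "internal"
    return "webapp" if host in WEB_APPS else "browsing"

def flag_stealth_cloud(log_text, cutoff, min_webapp_bytes=50_000):
    """Users with web-app traffic after `cutoff` whose internal-system
    traffic, present before the cutoff, has dropped to zero."""
    totals = defaultdict(lambda: defaultdict(int))  # user -> (period, class) -> bytes
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the report
        y, mo, d, user, host, nbytes = m.groups()
        period = "after" if date(int(y), int(mo), int(d)) >= cutoff else "before"
        totals[user][(period, classify(host))] += int(nbytes)
    flagged = {}
    for user, t in totals.items():
        webapp_after = t[("after", "webapp")]
        if (webapp_after >= min_webapp_bytes and t[("before", "internal")] > 0
                and t[("after", "internal")] == 0):
            flagged[user] = {"webapp_after": webapp_after,
                             "internal_before": t[("before", "internal")]}
    return flagged

if __name__ == "__main__":
    print(flag_stealth_cloud(PROXY_LOG, CUTOFF))
```

The output names only users who match both signals, so a single busy day on a web application without a corresponding silence in the internal system is not flagged.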
Examining budgets for unauthorized cloud use charges is also ineffective since employees can easily charge such small amounts to their private accounts.
“When it gets to the point that it’s easier for a user to break out their credit card and spin up a new server in Amazon’s cloud than it is for their company’s IT department to create a development server, then you have a problem,” said David Rocamora, senior consultant at Control Group.
Indeed, it is very easy for employees to use public cloud without their IT department or CIO knowing about it and — the kicker — still expense it back to the company. “If these purchases are expensed with other departmental purchases, they may not be discovered by IT, and this practice may quickly grow to exceed the cost of internal private clouds,” said Bourdeau.
IT’s job is made even harder by the fact that the offenders themselves often don’t recognize the problems they are creating. Indeed, they are usually only trying to get their work done. “Maybe it’s time to sit down with the users and see what they actually need and find ways that your IT department can provide solutions so that everyone can get to work efficiently,” said Rocamora.
It is equally important to understand that stealth clouds also form inside IT. “For example, a company with their own servers for a particular function might have two designated admins, but if the same function is outsourced to a cloud vendor, now you could have 20 admins that have access to your data as well as the data of dozens of other companies,” warned Brian Anderson, CMO of BeyondTrust. “The cloud also entails prolific virtualization, which means there’s an additional software layer, the hypervisor, that needs to be protected. In most virtual environments today, IT staff can mount data to the hypervisor as an easy way to gain unlimited, unsupervised access.”
Squelching stealth clouds is nearly impossible, since network access is ubiquitous and business users are no longer IT-illiterate. Technically speaking, there is simply no means to prevent, track or stop the use of stealth clouds, so preventive action is far more effective. Implementing automated identity and access governance systems and security controls to enforce appropriate access, reduce access-violation risk and prevent data breaches is the first step.
The second step involves taking inventory of what company data is in the cloud, who has access to it and whether that access conforms to existing corporate policies. This step is essential because it is common to find employee access inadvertently broadened by the sweeping scopes of many cloud applications. Realign access accordingly or redefine the corporate policies, whichever action best fits company goals and regulatory requirements.
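The inventory step above reduces to a reconciliation: who holds what in each cloud application, compared with the HR roster and the corporate policy. The script below is an added example and not code from the article or from any of the vendors quoted; the entitlement export, the roster, the policy table and every user, application and role name in it are constructed.

```python
import csv
import io

# Constructed inputs; every user, application and role here is invented.
# Export of who holds what in each cloud application (user, app, role).
ENTITLEMENTS = """\
user,app,role
alice,crm-saas,sales_rep
bob,crm-saas,admin
carol,files-saas,editor
dave,crm-saas,sales_rep
vendor1,files-saas,editor
"""
# HR roster: the authoritative list of employees and their status.
ROSTER = """\
user,department,status
alice,sales,active
bob,sales,active
carol,marketing,terminated
dave,engineering,active
"""
# Assumed corporate policy: which roles each department may hold per app.
POLICY = {
    "sales": {"crm-saas": {"sales_rep"}},
    "marketing": {"files-saas": {"editor"}},
    "engineering": {"files-saas": {"editor"}},
}

def read_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_access(entitlements_csv, roster_csv, policy):
    """Compare cloud entitlements with the HR roster and the policy.
    Returns (user, app, role, finding) tuples a manager must certify or revoke."""
    roster = {r["user"]: r for r in read_csv(roster_csv)}
    findings = []
    for e in read_csv(entitlements_csv):
        user, app, role = e["user"], e["app"], e["role"]
        person = roster.get(user)
        if person is None:
            findings.append((user, app, role, "not_in_roster"))  # third party or orphan account
        elif person["status"] != "active":
            findings.append((user, app, role, "inactive_employee"))  # ex-employee still provisioned
        elif role not in policy.get(person["department"], {}).get(app, set()):
            findings.append((user, app, role, "outside_policy"))  # broader than the department's policy
    return findings

if __name__ == "__main__":
    for finding in review_access(ENTITLEMENTS, ROSTER, POLICY):
        print(*finding)
```

Each finding maps to one of the cases the article raises: an ex-employee, a third party with no roster entry, or an employee whose role in the application exceeds what policy allows.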
Risk and governance
Without clear and well-defined access policies, there is no defense against stealth clouds. Line-of-business managers are ultimately responsible for managing their employees’ access by certifying users. However, it is fairly common for business managers to give this a low priority. CIOs should make it a regular practice to remind managers to be proactive on this issue.
Despite doing all of this, stealth clouds may still form. Accepting that cloud cover is unavoidable and working towards harnessing it makes good business sense. “Work out what problem business or IT staff are solving with the cloud and embrace it or provide a really good alternative. Don’t punish the messenger,” advised Rakkhi Samarasekera, CEO of security startup rakkhis.com.
The best defense of all may require some crystal ball peering and avid trend watching.
“At the end of the day, getting ahead of the underlying need for rapidly emerging services that are delivered by cloud applications and services is the best defense. Listen to the need,” said Ben Trowbridge, CEO of Alsbridge, a global advisory and benchmarking company. “The net is to stay relevant. CIOs should make an attempt to identify where risks to the business truly exist and offer a better alternative to the stealth cloud usage.”
A prolific and versatile writer, Pam Baker’s published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).