What Do You Do When Employees Start Using a Free Cloud Service?
What do you do as CIO when people in your company start using a free cloud service that’s better than the similar service you deployed for them at great expense? For example, what if your employees are spending time on a Jive social platform because it’s faster and easier to use than the solution you proudly put into place last year?
You could ban the cloud service or severely restrict their access to it. Or you could take the more open-minded approach used at IBM, itself a leading provider of cloud services. IBM gives employees broad scope to access cloud resources for nonsensitive data and application use.
But that’s not the end of the story. Through its Digital IBMer initiative, the company provides IT-policy training that guides employees to a detailed understanding of cloud risks and policies; that understanding, more than any single technical control, is what keeps the broad access from turning into a security problem. IBM provides a paradigm for what other companies should be doing.
Use of cloud services that aren’t officially sanctioned by companies — shadow IT, as some people call it — is growing quickly. The average company now uses 923 distinct cloud services, such as Amazon Web Services, Microsoft’s Azure, Office 365, Salesforce, Box, and Yammer. Use of these services grew 21.6% in 2014, reports cloud-security firm Skyhigh Networks, which tracks 17 million users and 10,000 cloud services worldwide. Some 90% of companies’ cloud activity is attributable to individual employees and small teams, rather than corporations’ business-technology groups.
The security of these services is an issue: The vast majority (90%) of cloud services don’t encrypt data at rest (as opposed to in transit), only 15% support multifactor authentication, and even fewer (6%) are ISO 27001 certified, says Skyhigh CEO Rajiv Gupta. (ISO/IEC 27001, first published in 2005 and revised in 2013, specifies an information-security management system: security risks and threats to the business are assessed and managed, physical controls such as restricted access are enforced consistently, and audits are conducted regularly.) Encryption at rest matters because the provider, not you, holds the stored copy; if a service doesn’t offer it, the only remedy is to encrypt before upload.
Because it’s so difficult to monitor and regulate employees’ use of file-sharing sites and other cloud services, many CIOs simply ignore the whole issue. Which is exactly what I did when, as “CIO” of my home, I recently tried to figure out whether and how to limit my kids’ internet access. It had been necessary for me to install a new operating system after they had picked up viruses while accessing sites that gave them clues on how to progress in their online games. Just like employees of your company, my kids are opportunistic: If they find a cloud service that provides something they want, they use it, without investigating. I wondered: Should I lock them down completely? Should I restrict them to trusted sources? If so, how? One option would have been to limit the router to addresses I knew. But their friends were telling them about new sites every day, and I wouldn’t have been able to keep up.
In the end I took a hands-off approach, hoping their common sense would limit any risky fringe behavior on game and media sites that I’d never heard of. Some of the sites they access are fine. But the risks are definitely out there.
Which is why companies can’t afford to be as hands-off as I am. Cloud services have become important productivity tools, driving cost savings and enhanced flexibility, but their unrestricted use not only opens a door for infiltrators to get into the company’s data, it also provides a channel for that information to be extracted. In one company, after an employee had left, an audit showed that the individual had uploaded 4.5 gigabytes of files to Kanbox, a personal-cloud-storage service recently acquired by Alibaba and hosted in China. In another company, an employee uploaded 48.7 gigabytes in a single day to RyuShare, from where the data was sent to a drop zone in another country. In yet another company, an employee uploaded sensitive source code to SourceForge, a public open-source code-hosting site that anyone can read.
IBM’s approach is to support employees’ use of cloud services, guide employees in product procurement and, in tandem, provide legal assistance to help employees understand the potential problems behind a cloud service’s terms and conditions, Robert Beasley, a member of IBM’s security-policies team, told me.
Supporting users’ cloud-services choices isn’t simple, however. It requires trust, which comes from a sense of shared responsibility. Although the leaders of the business-technology unit have ultimate responsibility for the systems’ integrity, accountability must be spread among the business-technology group, the unit owning the particular business process, and users. That means each of these parties needs to understand the riskiness of each cloud service on dimensions such as encryption of data and adherence to security standards. Companies can find out about services’ risk level via the Cloud Trust Registry or by performing their own assessments against criteria such as the Cloud Security Alliance’s Cloud Controls Matrix. Companies can also look at whether a cloud provider adheres to the Privacy Level Agreement outline that the Cloud Security Alliance published for cloud services sold in the European Union.
At the same time, everyone involved in using cloud services needs to understand the security issues and act accordingly. For example, to stay compliant with privacy regulations such as HIPAA, hospitals should encrypt protected health information at the source, before it leaves for the cloud provider, so that the provider (and anyone who breaches it) sees only ciphertext and the keys stay with the hospital; payment-card data must be protected the same way under PCI DSS.
In addition, there are new technologies aimed at protecting data:
Data hashing computes a short digest that identifies a given dataset, so a credentialed individual at the firm can verify, every time the data is used or accessed, that it is byte-for-byte what was stored. Hashing doesn’t prevent an unauthorized third party from changing the data; it makes the change detectable, and only if the digest is kept somewhere that party can’t overwrite it, or is computed with a key the party doesn’t have.
Digital watermarks allow data to be tracked. The mark doesn’t protect the data, but it links a copy back to the individual who placed it on a cloud or at an unsanctioned location, making that person accountable for the consequences of its misappropriation.
Data-marking tools like these can be tied to trusted-party authentication technology that restricts data access and movement, for example allowing a file to move from a work machine to a smartphone only if the receiving device has authenticated as a trusted, enrolled device.
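The two data-marking ideas above, hashing for integrity and watermarking for attribution, in runnable form. This is an added example, not code from the article or from any vendor it names; every dataset, key and user ID in it is constructed for the demo. The first half shows the caveat that matters in practice: a plain SHA-256 digest stored next to the data is recomputed trivially by whoever altered the data, while a keyed tag (HMAC) computed with a key that never leaves the firm is not. The second half embeds an employee ID into a text document as zero-width characters, so a leaked copy can be traced, and also shows how easily a knowing leaker strips it.

```python
"""Integrity tags and per-user watermarks for data leaving the company.

Added example; not code from the article or from any vendor named in it.
Everything below (datasets, keys, user IDs, documents) is constructed.
"""
import hashlib
import hmac
from typing import Optional, Tuple

# ---- Integrity: plain digest versus keyed tag ------------------------------

def plain_digest(data: bytes) -> str:
    """SHA-256 of the data. Anyone who can alter the data can recompute it."""
    return hashlib.sha256(data).hexdigest()

def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data. Only a holder of `key` can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def check_plain(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(data), digest)

def check_keyed(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), tag)

def tamper_scenario(key: bytes) -> Tuple[bool, bool]:
    """An outsider with write access to the cloud copy edits one record and
    replaces the plain digest stored beside it. Returns whether the plain
    check and the keyed check each still pass; expect (True, False)."""
    original = b"patient_id,diagnosis\n1001,flu\n1002,asthma\n"   # constructed
    digest = plain_digest(original)
    tag = keyed_tag(key, original)            # key never leaves the firm

    tampered = original.replace(b"1002,asthma", b"1002,healthy")
    forged_digest = plain_digest(tampered)    # trivial: SHA-256 has no secret
    del digest                                # the attacker overwrote it

    return check_plain(tampered, forged_digest), check_keyed(key, tampered, tag)

# ---- Watermark: link a copy back to the person who exported it -------------

ZW0, ZW1 = "\u200b", "\u200c"   # zero-width space / zero-width non-joiner

def embed_watermark(text: str, user_id: str) -> str:
    """Hide user_id, one bit per zero-width character, at the end of the first
    line. Visible text is unchanged and the marks survive copy and paste."""
    bits = "".join(format(b, "08b") for b in user_id.encode("utf-8"))
    mark = "".join(ZW1 if bit == "1" else ZW0 for bit in bits)
    head, sep, tail = text.partition("\n")
    return head + mark + sep + tail

def extract_watermark(text: str) -> Optional[str]:
    """Recover the user_id from a leaked copy, or None if no mark is present."""
    bits = "".join("1" if ch == ZW1 else "0" for ch in text if ch in (ZW0, ZW1))
    if not bits or len(bits) % 8:
        return None
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return raw.decode("utf-8", errors="replace")

def strip_watermark(text: str) -> str:
    """What a knowing leaker does in one line: the mark is attribution, not protection."""
    return "".join(ch for ch in text if ch not in (ZW0, ZW1))

if __name__ == "__main__":
    key = b"\x11" * 32                                    # constructed demo key
    print("plain check, keyed check after tampering:", tamper_scenario(key))
    doc = "Q3 forecast (internal)\nRevenue: 1.2M\n"        # constructed document
    marked = embed_watermark(doc, "jdoe")
    print("visible text unchanged:", strip_watermark(marked) == doc)
    print("leaked copy traced to:", extract_watermark(marked))
```

Two design points follow from running it. If the integrity tag (or the key) lives in the same cloud account as the data, an attacker with write access replaces both, so keep tags and keys on the corporate side. And a whitespace watermark is a forensics aid for the careless or unlucky leaker, not a control against a deliberate one; robust watermarking of documents and images is a separate discipline.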
It’s not surprising that some of the most promising approaches to the problem of employee cloud use come not from regulation or corporate policies but from emerging cloud-based identity-as-a-service technologies. Researchers are attempting to create simple yet effective means of cross-cloud single sign-on, in which a “foreign” cloud provider must first be granted trusted-third-party status by the user’s “home” cloud before it can communicate with the user and the user’s applications.
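The trust decision at the heart of that arrangement, reduced to code. This is an added illustration, not the researchers’ design or any product’s code: a home identity provider issues sign-on assertions only to foreign providers it has explicitly enrolled, and each assertion names one foreign provider so it cannot be replayed at another. Real federations (SAML, OpenID Connect) use public-key signatures carried over TLS; the secret shared at enrolment here is a stand-in so the block runs on the standard library alone. Provider names, user IDs and timestamps are constructed.

```python
"""Cross-cloud single sign-on reduced to its trust decision.

Added example; not the researchers' design or any product's code.
HMAC with an enrolment secret stands in for the public-key signatures
real federations use. All names, IDs and times are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional


class HomeIdP:
    """The employee's home cloud: the only party that vouches for the user."""

    def __init__(self, issuer: str = "home-cloud") -> None:
        self.issuer = issuer
        self._trusted: Dict[str, bytes] = {}   # provider id -> enrolment secret

    def enroll(self, provider_id: str) -> bytes:
        """Grant a foreign provider trusted-third-party status."""
        secret = secrets.token_bytes(32)
        self._trusted[provider_id] = secret
        return secret

    def issue(self, user: str, provider_id: str, ttl: int = 300,
              now: Optional[float] = None) -> Optional[str]:
        """Return a signed assertion for `user` addressed to `provider_id`,
        or None if that provider was never enrolled."""
        if provider_id not in self._trusted:
            return None
        now = time.time() if now is None else now
        claims = {"iss": self.issuer, "sub": user, "aud": provider_id, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True)
        sig = hmac.new(self._trusted[provider_id], body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig


class ForeignProvider:
    """A cloud service the employee wants to use with the home identity."""

    def __init__(self, provider_id: str, secret: bytes) -> None:
        self.provider_id = provider_id
        self._secret = secret

    def accept(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated user ID, or None if the assertion is
        forged, addressed to another provider, or expired."""
        body, _, sig = token.rpartition(".")   # signature is hex, so it holds no '.'
        expected = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(body)
        now = time.time() if now is None else now
        if claims.get("aud") != self.provider_id or claims.get("exp", 0) < now:
            return None
        return claims.get("sub")


if __name__ == "__main__":
    home = HomeIdP()
    cloud_b = ForeignProvider("cloud-b", home.enroll("cloud-b"))    # enrolled
    cloud_c = ForeignProvider("cloud-c", secrets.token_bytes(32))   # never enrolled
    token = home.issue("alice", "cloud-b", now=1_000)
    print("cloud-b accepts:", cloud_b.accept(token, now=1_100))      # alice
    print("cloud-c accepts:", cloud_c.accept(token, now=1_100))      # None
    print("issued to cloud-c:", home.issue("alice", "cloud-c"))      # None
```

The three checks in `accept` are the ones that matter in any federation: the signature proves the home cloud issued the assertion, the audience claim stops a token meant for one service from being presented to another, and the expiry bounds how long a captured token is useful. Enrolment is the governance step; nothing in the code lets an un-enrolled service obtain an assertion at all.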
Until such a federated cloud-security framework exists, you may very well have to trust your employees’ behavior when it comes to the cloud. But as cross-cloud solutions mature, firms will increasingly be able to verify that employees are actually doing what they’re supposed to do with critical corporate data assets.