The proliferation of cloud services has sparked a revolution in IT and in how technology is consumed. There has never been a time when we had more capabilities at our fingertips than we do at this moment. This brings both unprecedented opportunity and some significant dangers. Could the promise of true digital transformation fall flat due to unregulated proliferation of cloud services in the enterprise?
There is no question that speed and innovation are the killer differentiators of this generation, yet business and technology teams are consistently asked to do more with less. With these goals seemingly at odds, cloud services look poised to reconcile them. Rapid deployment, short setup times, ostensibly “unlimited” integration options and low overhead. What’s not to love?
Well, it’s not lost on most IT and security leaders that cloud apps and services often aren’t marketed directly to them but to the business users. That’s not totally inappropriate: Business users have always been the “owners” of the applications, even if technology teams traditionally were part of the purchasing, installation and maintenance process. But with today’s services, any business user can pull out a credit card and instantly provision a cloud service outside the purview of IT, Security or anyone else beyond the direct purchasing authority. That creates new problems as business data of varying value ends up stored outside the enterprise, without company-approved classification and protection schemes applied. This renews the “shadow IT” battles that most centralized technology operations wish they were able to eliminate once and for all.
The stakes for battling shadow IT have changed radically in the last two years. With the arrival of the GDPR and CCPA regulations, organizations are expected to have control over customer and other personal data. Many of these regulations also mandate strict reporting requirements for breach notification. If data is in the cloud and there is unauthorized access, would the security team know, and be instrumented to respond and comply? Failure to comply exposes organizations to potentially huge, crippling fines. With the amnesty period for GDPR over, these consequences are real.
A marketing team sending a cache of customer data to a cloud business intelligence app puts that control at risk. So does an HR team that sets up an unsanctioned, cloud-based file-sharing solution to exchange payroll data with a benefits provider. The business leaders in these scenarios are well-intentioned—crunching customer data could result in a business opportunity or even an insight that could develop into a competitive advantage. Perhaps sharing payroll data over the cloud has saved hours of staff work each week. And while the risks are real, the needs of the business, market pressures and efficiency improvements are real, too.
For those who still believe this couldn’t happen to them, look at some statistics from the Oracle and KPMG Cloud Threat Report for 2019.
- 92% of their survey respondents report that rogue cloud app usage has them at least somewhat concerned.
- 47% of respondents report actual data loss due to shadow IT.
And that’s not all. The respondents also cite unauthorized data access and the introduction of malware as impacts of shadow IT.
Unsanctioned use or misuse of even approved cloud services can ultimately have the same results. Technology teams are struggling to monitor activity on cloud platforms, even those they already know about. Applications and services they don’t know about compound the problem and drive up risk. The result is reduced visibility for detecting and responding to incidents or misuse, compared with on-premises-only environments.
There is no doubt that cloud services and applications can accelerate innovation and efficiency in an organization. If done correctly, they can even improve the security posture beyond what is economically feasible in traditional data center environments. But that can only be achieved by respecting the bounds of what fits company-approved policies and standards for security and accountability.
In part 2 of this article series, we’ll look at how security leaders can change the narrative, proactively address shadow IT in the enterprise, and attend to the business drivers as well.