The dangers hidden in the shadow cloud

Sep 12, 2014


BYOD, IT, security



A hacked cloud with a silver lining?

The recent iCloud hack may be one of the best things to happen for information security. That may be little comfort to victimized celebrities, but the hack has the public discussing important issues like multi-factor authentication, better passwords, and the need to answer security questions with responses not found on websites and social media. It also shows that if criminals want to find a way to gather sensitive information, they will do so by any means possible – including via an employee’s personal cloud.

So what’s the big deal to the company if an employee’s personal information is hijacked by criminals? If the employee also uses that personal cloud to store corporate data, the attackers now have access to that data, which is probably what they were after in the first place. And as personal clouds become more popular and make it easy to reach files from multiple devices, employees are increasingly using applications that the IT department never approved or reviewed. This puts enterprise data at risk.

This rogue cloud storage activity is also known as a shadow cloud, and the primary problem with shadow cloud is the lack of control IT teams have over it.

“Consumer cloud infrastructure is usually based on public cloud, so businesses don’t know where their data is going, which country it’s in, or who has access to it,” says Ajay Patel, CEO of HighQ. “There’s no visibility of what is being shared and by whom. This can result in significant security and compliance risks that can put businesses in jeopardy.”

This is especially dangerous for industries that are heavily regulated in how information is stored and shared, such as healthcare, government, finance, and retail. Business leaders must be able to prove that they are following security policies, especially when facing a regulatory audit or entering a new business contract, Kevin Jones, senior information security architect at Thycotic, points out. Data that IT cannot see cannot be covered by that proof. So not only is there a greater risk of the data being breached, but the organization also risks losing business opportunities and incurring fines for non-compliance.

“Shadow cloud,” says Jones, “is the equivalent of you locking all your doors while another person unlocks one later without telling you.”

How to set safer IT policies

Eliminating the shadow cloud is an easier-said-than-done process. Just as companies have seen with the Bring Your Own Device (BYOD) movement, mixing personal and business use of technologies can be a touchy topic. Employees are wary of IT departments overstepping privacy boundaries, while IT departments want optimum security for any corporate data on these devices.

IT and management need to create a well-defined policy that addresses shadow cloud use, and then be firm in enforcing that policy.

“Generally, IT needs to maintain control over the acquisition of technology to ensure the smooth operation of the company’s systems,” says Jessica Franken, a partner at the law firm Quarles & Brady and expert in data privacy, security and technology law. “Providing responsive service to the organization and phrasing the message in a positive way so that employees see real value in involving the IT staff in the acquisition of these services helps.”

Franken suggests that a shadow cloud policy should include, as a basic requirement, the company’s right to audit the employee’s use of its IT systems. That right allows the company to detect programs installed on company equipment and cloud-based services accessed from it. “The company should also be sure to prohibit employees from placing company information/data on the cloud unless the cloud environment is one set up by the company,” she adds.

Know your own shadows

At the same time, company leadership needs to better understand why employees are going rogue with their cloud use in the first place.

“Shadow cloud is something that happens when end users find it simpler to get IT services from a cloud provider than from internal IT,” James Keating, business technology architect for Evolving Solutions, explains. “If internal IT were to be more pro-active in terms of meeting customer needs, this can go a long way in preventing shadow cloud from happening in the first place.”

“The reason employees use shadow IT is because they don’t have the tools they need in the workplace so they turn to tools they use at home,” says Patel. “If employees have access to technology that enables them to work in a way that is intuitive, efficient and enjoyable, then they are likely to use it.”

Consumer tools have traditionally led the way when it comes to the user experience and design of cloud software, and enterprise tools are finally catching up, Patel adds. The primary difference between enterprise technology and consumer technology is security. Enterprise tools are designed to meet the strict regulations businesses operate under, with the access controls, audit trails, and data-location guarantees those regulations demand. Personal cloud applications are useful and have their purpose, of course, but they don’t offer the same level of security or visibility as the enterprise cloud.

And that may be the most important lesson to come from the iCloud hack.

Post by Sue Poremba

Sue Poremba is a security and technology writer based in central Pennsylvania.