Done properly, migrating to the cloud takes skilled staff to re-architect systems and applications, significant planning to ensure a successful migration, and a well-executed security strategy.
However, many enterprises started migrating to the cloud sooner (or migrated faster) than they even realized—through a rogue marketing department deploying a cloud lead tracking application, a finance group that stood up a cloud-based accounting service—or others that IT may not have vetted, secured, procured, and continuously monitored.
Most enterprises have scores of these “shadow cloud” applications deployed with little-to-no planning, strategy, or skilled technical staff involved, posing risk to the organization.
In many ways, this phenomenon is easy to understand: Data is the lifeblood of the modern enterprise. Recent studies have stated that 4% of all jobs in the U.S. and 5% of our national output come from the contributions data makes to the economy. Deriving this potential value from data takes computing power. Cloud computing with its service on demand and scalability has become an attractive option for enterprises. In making the transition to cloud environments, leading enterprises take the time to develop migration strategies to deal with the complexity and risk associated with the transition. They look at workloads, determine the applicability of that workload to the cloud, prioritize projects, and execute against their chosen strategy.
Unfortunately, that all takes time. And if a business unit’s needs aren’t high on the priority list, that department will often act on its own so it can quickly derive value from the data and show business results from their efforts. The ease of purchasing cloud services enables business units to acquire cloud services without going through normal procurement channels.
The result can be shadow cloud run amok. Your enterprise’s transition to cloud services may have happened without you even knowing it (or happened faster, or more aggressively). Valuable data may be leaving your environment without your knowledge of where it’s going and how it’s getting there. If this were cash (and in today’s world, data is in many ways equivalent to dollars), what would the chief financial officer do?
The shadow cloud poses significant risks to the enterprise. First, you no longer know where your data resides. Second, if a shadow cloud is made up of consumer-grade solutions, the consumer-grade SaaS solutions often don’t offer the same level of security and protection that enterprise-grade solutions do.
Another significant consideration is that cloud security is built around a shared responsibility model. The cloud provider is responsible for certain security features and the customer is responsible for others. Without the support from your enterprise’s security team, who is fulfilling the customer responsibilities (and how are they being fulfilled)?
These risks have potential regulatory, financial, and operational impacts. From a regulatory standpoint, you may no longer be able to fully identify where protected information such as personally identifiable information or electronic personal health information is stored or transmitted. If a data leak or breach occurs, there could be significant regulatory penalties that you thought you had already mitigated in your enterprise.
In addition to working to implement appropriate security controls within your enterprise, you also may have sought to transfer some risk by purchasing cyber-risk insurance—which brings us to the financial impact. When you apply for cyber-risk insurance, there is generally a form to fill out that describes any sensitive data you may have, the systems in which it is located, and how it is protected. If a data breach occurs and the data is not where you say it is or protected in an appropriate manner, it is entirely possible that any claim you submit may be denied.
Finally, there is the operational impact to consider. If the data contained in the shadow cloud were unavailable or somehow corrupted, what affect would that have on your business? Events that could cause the data to be unavailable range from the cloud provider going out of business to a ransomware attack that locks up your data. When the business units purchase unauthorized cloud services, they often fail to ask exhaustive questions about backups and disaster recovery procedures.
With the risks and potential impact high, what is a chief data officer to do? Here are some tips:
- Discovery—The first step is to use a tool to discover what shadow cloud applications are being run in your enterprise. Tools include the Microsoft Office 365 Productivity App Discovery Tool (requires a subscription to Advanced Security Management); a feature set on many cloud access security broker solutions such as Bitglass’ Zero-day Unmanaged App Control; or a service such as Cisco’s Cloud Consumption as a Service.
- Assessment—Once identified, talk to the users of the shadow cloud to determine the business need that is being met by the unauthorized services.
- Analysis—If a legitimate business need is being met with a particular shadow cloud service, identify whether there is an enterprise-grade service that will meet the same business need and provide the needed security features. If so, arrange to purchase the enterprise-grade version and migrate users to the authorized service.
- Prevention—If there isn’t a valid business need, there isn’t an enterprise-grade version, or the risk is deemed to be too high, work with the network team to block access to that service.
- Educate—Ensure everyone in your organization understands the value of data and what must be done to protect it. Individuals generally don’t break the rules without reason; they most likely have a job to do and seek the most efficient way to accomplish it. Teach them the risks inherent in unmonitored, unvetted cloud applications and the appropriate processes they should follow if they wish to use a cloud service (or any new enterprise application).
In a fast-paced business environment, dealing with the shadow cloud can be challenging. Even with a well-thought-out migration plan, there will always be individuals who want to take advantage of the newest offerings to improve their personal and company performance. If it is thought of at all, the downside risk is minimized. As a community, we need to recognize this and rein in the shadow cloud.
For more articles like this, check out the Cyber Security Sourcebook here.