It’s frequently stated by data security experts that data is the new oil. There are parallels, yet in practice there is one key distinction that ensures the two are very different commodities. Unlike oil, data isn’t a finite resource, as practically every action – for example, the click of a mouse or the tap of a credit card – generates more of it. The challenge of storing and managing an ever-multiplying asset is, therefore, just as important as the process for extracting value.
Maintaining an ever-growing estate of on-site servers and data centres is expensive, which is driving the growing use of the cloud as a repository for expanding data stores. However, many people within the IT department feel threatened by the cloud because it is hosted externally and can be accessed by third parties: it doesn't, by default, offer the same hands-on visibility and control that is possible with in-house legacy systems. The popular notion is that data is particularly at risk in the cloud, with many people believing that their precious information is floating haphazardly above them, available for any random person to snatch.
While it is probably the bane of many cloud service providers' lives, this widespread anxiety over cloud security is not unfounded. Data breaches tied to insecure cloud deployments make headlines regularly, including incidents involving iCloud, and they are all the more harrowing when they reach into the home.
Take the recent CloudPets breach, in which an internet-exposed MongoDB database leaked data from 820,000 accounts. CloudPets are internet-connected teddy bears that let children hear recordings of a parent's voice when they are apart. The voice messages, along with email addresses and password data, were stored in Amazon's cloud, and the database that indexed them was reachable without any authentication. Because that database, hosted on the cloud provider's infrastructure, had no second layer of defence at the cloud level, the personal data was leaked across the internet. This highlights the gravity of the data privacy challenge within the cloud: it can have ramifications of both a corporate and an intensely personal nature.
The problem is that protecting data within the cloud is both complex and difficult to achieve. This is exacerbated by the fact that most organisations today use multiple cloud storage providers. Our recent study supports this: it found that 89 percent of organisations use between one and 15 private cloud storage providers, and 92 percent use between one and 15 public cloud storage providers.
Organisations often do this to diversify their portfolio of providers and to keep operating if a provider goes out of business or suffers a severe service outage. However, the more cloud providers an organisation has in the mix, the harder it becomes to achieve full visibility into how users are operating within the cloud. This can lead to data management errors and to the aptly named shadow IT.
What is shadow IT?
Shadow IT essentially means that the IT department has had no role in selecting and deploying services and may not know which services or providers are being used. Basically, users are deploying things that IT doesn't know about. As our recent study found, 26 percent of global organisations are either 'not confident' or only 'somewhat confident' that their IT teams know about all the cloud storage providers being used. While the definition doesn't automatically live up to its haunting title, with figures like that it is clear that shadow IT is a serious problem and can cause serious harm to an organisation. These problems will only increase with the introduction of the EU GDPR, which promises fines of up to 4 percent of global turnover or €20 million, whichever is higher, for organisations that fail to protect the data they hold on EU citizens.
With IDC estimating that spending on cloud services will grow nearly five times faster than overall IT budgets, it’s absolutely vital that organisations take the necessary precautions to identify if shadow IT is occurring and then put the necessary processes, policies, technologies and monitoring mechanisms in place to reduce the risks.
What is the solution?
First, companies looking to prevent data loss or theft and reduce the likelihood of data breaches caused by shadow IT should identify where all of their data resides: in-house, in data centres and in cloud hosting environments. From there, organisations need to monitor whether, how, where and why shadow IT is occurring. It really is crucial that the IT department takes an active role in identifying which cloud services are being used within the organisation, both legitimately and covertly, by employees working independently of IT. When it comes to shadow IT, a lot of this boils down to the IT department taking responsibility for educating the organisation's employees about what sorts of activity can put corporate data, and the overall IT infrastructure, at risk.
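One practical way for IT to identify which cloud storage services are actually in use, as an added example that is not from the original article: parse the web-proxy logs, map each requested host to a storage service, aggregate uploads per service and user, and report every service that is not on the sanctioned list. The log format, the domain-to-service table, the sanctioned list and the sample log lines are all constructed for illustration.

```python
"""Added example, not code from the original article: discover cloud storage
services in use by parsing web-proxy log lines and comparing them against the
providers IT has sanctioned. The log format, the domain-to-service table and
the sanctioned list are all constructed for illustration."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical table mapping registered domains to the storage service they belong to.
SERVICE_DOMAINS = {
    "dropbox.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
    "s3.amazonaws.com": "Amazon S3",
    "box.com": "Box",
    "mega.nz": "MEGA",
}

# Services the IT department has approved for corporate data (assumption for the example).
SANCTIONED = {"OneDrive", "Amazon S3"}

# Constructed proxy log lines: timestamp user method url bytes_sent
SAMPLE_LOG = """\
2017-05-02T09:12:44Z alice GET https://onedrive.live.com/?id=root 512
2017-05-02T09:13:01Z bob POST https://dl.dropboxusercontent.com/upload 4194304
2017-05-02T09:15:22Z alice POST https://www.dropbox.com/upload 1048576
2017-05-02T09:20:05Z carol POST https://mega.nz/api/upload 8388608
2017-05-02T09:21:40Z dave GET https://intranet.example.com/wiki 2048
2017-05-02T09:25:13Z bob PUT https://acme-backups.s3.amazonaws.com/db.dump 16777216
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")


def service_for_host(host):
    """Map a hostname to a service by checking it and each parent domain against the table."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SERVICE_DOMAINS:
            return SERVICE_DOMAINS[candidate]
    return None


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = urlparse(m.group("url")).hostname or ""
    return {"user": m.group("user"), "method": m.group("method"),
            "host": host, "bytes": int(m.group("bytes"))}


def find_shadow_cloud(log_text, sanctioned=SANCTIONED):
    """Return per-service usage (users, request count, bytes uploaded) for every
    cloud storage service seen in the log that is not on the sanctioned list."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_uploaded": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = service_for_host(rec["host"])
        if service is None:
            continue
        entry = usage[service]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):  # uploads are where data leaves the organisation
            entry["bytes_uploaded"] += rec["bytes"]
    return {
        service: {"users": sorted(e["users"]), "requests": e["requests"],
                  "bytes_uploaded": e["bytes_uploaded"]}
        for service, e in usage.items() if service not in sanctioned
    }


if __name__ == "__main__":
    for service, info in sorted(find_shadow_cloud(SAMPLE_LOG).items()):
        print(f"{service}: users={info['users']} requests={info['requests']} "
              f"uploaded={info['bytes_uploaded']} bytes")
```

On the constructed log this reports Dropbox (alice and bob, about 5 MB uploaded) and MEGA (carol, 8 MB uploaded), while the sanctioned OneDrive and Amazon S3 traffic and the intranet request are ignored. Counting only upload methods matters because a user who merely browses a service is a far smaller concern than one pushing corporate data into it.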
Shadow IT predates the cloud, of course. Do-it-yourselfers have been known to host internet-facing servers under their desks, and if IT dragged its feet on deploying WiFi, it would quickly discover that employees had already installed access points everywhere. Organisations should therefore monitor whether employees are plugging their own WiFi hotspots into the office network: an insecure access point can give a cyber-criminal a route into the corporate network. It is also important to monitor the network for known and unknown devices. These are all common occurrences, but many organisations simply don't know it is happening because they don't think to look.
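The two checks above, unknown devices on the wired network and access points IT did not deploy, can be run from data most networks already have. The following is an added example, not code from the original article: it compares DHCP leases against an asset inventory and a wireless survey against the list of corporate access points. The inventory, the BSSID and SSID lists, every MAC address and all the lease and survey lines are hypothetical, and the "likely wired MAC" correlation is a heuristic assumed by this example.

```python
"""Added example, not code from the original article: audit the office network
for devices that are not in the asset inventory and for wireless access points
IT did not deploy, using constructed DHCP lease and wireless survey data.
The inventory, BSSID lists and all MAC addresses are hypothetical."""

# Hypothetical asset inventory: MAC address -> asset name known to IT.
INVENTORY = {
    "02:1a:2b:3c:4d:01": "fileserver-01",
    "02:1a:2b:3c:4d:02": "alice-laptop",
    "02:1a:2b:3c:4d:03": "printer-floor2",
}
# Access points IT deployed, by BSSID, and the SSIDs only they may advertise (hypothetical).
CORPORATE_BSSIDS = {"02:a0:b1:00:00:10", "02:a0:b1:00:00:11"}
CORPORATE_SSIDS = {"CorpNet", "CorpNet-Guest"}

# Constructed dnsmasq-style lease lines: expiry mac ip hostname client-id
DHCP_LEASES = """\
1493717000 02:1a:2b:3c:4d:02 10.0.5.12 alice-laptop 01:02:1a:2b:3c:4d:02
1493717100 02:1a:2b:3c:4d:03 10.0.5.40 printer-floor2 *
1493717200 02:11:22:33:44:c0 10.0.5.77 home-router *
1493717300 02:55:66:77:88:99 10.0.5.91 * *
"""

# Constructed wireless survey lines: bssid ssid channel signal_dbm
WIFI_SURVEY = """\
02:a0:b1:00:00:10 CorpNet 36 -45
02:a0:b1:00:00:11 CorpNet-Guest 1 -60
02:11:22:33:44:c1 FreeWifi_2F 6 -38
02:dd:ee:ff:00:01 CorpNet 11 -70
"""


def mac_to_int(mac):
    """Treat a colon-separated MAC as a 48-bit integer so addresses can be compared."""
    return int(mac.replace(":", ""), 16)


def unknown_devices(leases_text, inventory=INVENTORY):
    """Devices holding a DHCP lease whose MAC is not in the asset inventory."""
    found = []
    for line in leases_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mac, ip, hostname = fields[1].lower(), fields[2], fields[3]
        if mac not in inventory:
            found.append({"mac": mac, "ip": ip,
                          "hostname": None if hostname == "*" else hostname})
    return found


def rogue_access_points(survey_text, wired_unknowns,
                        bssids=CORPORATE_BSSIDS, ssids=CORPORATE_SSIDS):
    """Access points seen in the survey that IT did not deploy.

    kind is 'evil_twin' when a foreign BSSID advertises a corporate SSID and
    'unsanctioned' otherwise. likely_wired_mac is a heuristic assumed by this
    example: many consumer APs derive their BSSID from their wired MAC by
    changing only the last byte, so a rogue BSSID within a few addresses of an
    unknown wired device suggests that AP is plugged into the corporate LAN."""
    rogue = []
    for line in survey_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        bssid, ssid = fields[0].lower(), fields[1]
        if bssid in bssids:
            continue
        kind = "evil_twin" if ssid in ssids else "unsanctioned"
        wired = next((d["mac"] for d in wired_unknowns
                      if abs(mac_to_int(d["mac"]) - mac_to_int(bssid)) <= 8), None)
        rogue.append({"bssid": bssid, "ssid": ssid, "kind": kind,
                      "likely_wired_mac": wired})
    return rogue


def audit_network(leases_text=DHCP_LEASES, survey_text=WIFI_SURVEY):
    """Run both checks and return one report."""
    unknown = unknown_devices(leases_text)
    return {"unknown_devices": unknown,
            "rogue_aps": rogue_access_points(survey_text, unknown)}


if __name__ == "__main__":
    report = audit_network()
    for d in report["unknown_devices"]:
        print(f"unknown device {d['mac']} at {d['ip']} hostname={d['hostname']}")
    for ap in report["rogue_aps"]:
        print(f"rogue AP {ap['bssid']} ssid={ap['ssid']} kind={ap['kind']} "
              f"likely_wired_mac={ap['likely_wired_mac']}")
```

On the constructed data the report lists two wired devices IT has no record of, one of them a "home-router" whose wired MAC sits one address below the BSSID of the unsanctioned FreeWifi_2F access point, which is exactly the under-the-desk hotspot the paragraph describes. The second rogue entry advertises the corporate SSID from a BSSID IT never deployed, the evil-twin case, and should be treated as hostile rather than merely careless. Both inputs would normally come from the DHCP server's lease file and a wireless controller or site-survey export rather than inline strings.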
In order to monitor and reduce the occurrence of shadow IT, it’s really important to establish guidelines for how data should be managed by Cloud providers, conduct frequent and unscheduled audits of each Cloud provider, and assess the security of data stored within the Cloud – be it in a private, public or hybrid environment. Organisations must be diligent in knowing where their data is being stored, how it’s being protected and when it needs to be removed.
Following these steps and complying with measures dictated by data protection laws and industry standards, such as EU GDPR, ISO and NIST, will go a long way in protecting organisations from the tripwires of shadow IT.
For more information about Cloud & DevOps, make sure you don't miss this year's Cloud & DevOps World, part of TechXLR8 & London Tech Week. With the industry's leading figures and companies gathering under one roof and an agenda that focuses on the most influential aspects of the industry, this year's Cloud & DevOps World is sure to be the biggest and best yet.