'Rogue clouds' giving IT staffs nightmares

Cloud computing is increasingly being adopted by companies around the world, but IT managers say "rogue cloud implementations," in which business managers sign up for services without getting IT approval, are among their biggest challenges.

This is according to a survey on avoiding hidden cloud costs that was sponsored by Symantec with interviews and polling done by ReRez, in which some 94% of the 3,236 information-technology managers in 29 countries said their companies either already were using cloud services or discussing how to do so.

"Rogue clouds" occur if sales and marketing people, for example, order up Salesforce.com without bothering to consult IT or set up Dropbox with outside vendors to share sensitive information. It's happening to three-quarters of those using cloud, according to the survey, and it occurs more in large enterprises (83%) than in small to midsize ones (70%).

"So why are organizations doing it? One in five don't realize they shouldn't," the report says about the "rogue cloud" problem. The report adds they think they're saving money through "rogue cloud" projects and believe "going through IT would make the process more difficult."

On top of having to deal with rogue clouds, 43% of IT managers relying on cloud-based services said they had "lost data in the cloud," meaning they either couldn't find it or had accidentally deleted it, said Dave Elliott, cloud strategist and director of global cloud marketing at Symantec.

This means they had to recover it from a backup, but two-thirds doing this saw recovery operations fail at some point. Of the recovery procedures IT managers had in place, 32% said they found cloud data recovery to be "fast" but 22% said it "can take 3 or more days."

Some 61% of those making use of backup procedures for the cloud use three or more methods to do this, which Elliott said might be too many. One place where inefficient processes clearly seem to be occurring is in cloud storage, which is quick to deploy and for which you pay only for what you use. In the survey, the more than 3,000 IT managers, who work in organizations both large and small in North America, Latin America, Asia-Pacific and Europe, acknowledged they saw utilization rates of cloud storage at just 17%.

"There is a tremendous difference in this area between enterprises (which are utilizing 26% of their storage) and SMBs (which use a shockingly low 7%). This is a costly mistake, as organizations are paying for roughly six times as much storage as they actually need," the survey report states.

"They're overprovisioning cloud storage," said Elliott. Another facet of the cloud storage issue is that much of the time no deduplication of data is done. About half said they either did "virtually none" or a "small amount." This indicates there's still the need for thinking through cloud-storage processes to optimize the benefits, said Elliott, saying Symantec recommends deduplicating data in the cloud.

Other points of concern revolve around legal issues, such as requests for electronically stored documents that are demanded for what's known as "e-discovery" purposes in court or otherwise. The survey shows that 34% have had e-discovery requests for cloud data in the past 12 months, but of these, 66% admitted they had missed the deadline at some point and 41% said they were simply unable to do it at all and never found the requested information. This could potentially lead to fines or otherwise complicate legal situations for their organizations.

Another issue the survey asked about, managing cloud-based SSL certificates, revealed a mixed bag of activity. About a quarter of the IT managers said they thought it was "easy," but 8% "don't even try." Elliott said he doesn't know if that suggests that some companies simply are better organized to manage SSL certificates overall in the enterprise or the cloud. However, "organizations are responsible for managing their own certificates," he said.

In its recommendations for better use of cloud, Symantec said the first thing is to focus on policies and on the individuals who all have a stake in making it work, rather than merely on the technologies and platforms.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.
