Even 'rogue' clouds can be secured, experts say

One of the latest challenges for the heads of IT departments is how to secure sensitive company information that employees have shared or stored on public clouds without IT's knowledge, permission or control. A new survey describes how big a problem "rogue" cloud use has become.

More than 75 percent of businesses surveyed recently by the security vendor Symantec reported that their employees have shared or stored sensitive company information on public cloud services. The report, "Avoiding the Hidden Costs of the Cloud 2013" (PDF document), which surveyed 3,236 organizations in 29 countries, found 83% of enterprises and 70% of small- to medium-size businesses (SMBs) using such "rogue" services.

The term refers to public cloud services that are not part of a company's IT infrastructure and are being used without the knowledge, permission or control of the company's IT department.

"Perhaps the sales manager signs his department up for Salesforce without thinking to consult IT," the report gives as an example. "Or perhaps marketing shares important launch materials with outside vendors via an unauthorized Dropbox account."

"In either case the organization has put sensitive information into the cloud without organizational oversight," it said.

It has been called "shadow IT" as well, "but we thought rogue is a bit more descriptive," Dave Elliott, a senior product marketing manager for global cloud at Symantec, told CSO Online about the report.

By whatever name, it has either increased markedly in recent years, or IT departments have become more aware of it. "It has become a significant threat in the last couple of years," Elliott said.


The risks of this are not just theoretical. Symantec reported that among the survey respondents that reported rogue cloud deployments, 40% experienced the exposure of confidential information, and more than a quarter faced account takeover issues, defacement of Web properties, or stolen goods or services.

Also, 40% reported that they had lost data in the cloud and had to restore it from backups. "Two-thirds of those organizations saw recovery operations fail," the report said.

Other recent surveys have come to similar findings. A report released about two months ago by Nasuni, an enterprise storage management company, said that 20% of business users surveyed used Dropbox to share and store work documents. Half of those did it even though they knew it violated company policy. And the worst offenders were those near or at the top of the corporate ladder.

A major cause of the problem, say experts, is that rogue clouds are easier and more convenient to use than in-house services. "The most commonly cited reason for these rogue cloud projects was to save time and money: Going through IT would make the process more difficult," the Symantec report said.

And solving it is apparently not as simple as issuing a directive forbidding the use of cloud services without the approval of IT.

"People look for the path of least resistance," said Edy Almer, vice president at Wave Systems. "And for organizations that are not willing to fire good employees just to set an example, technical measures are mandatory to support the written policy."

Vinny Sakore, program manager for cloud security services at ICSA Labs, said, "Remember, the issue here isn't automation but human behavior, and we humans are resilient beings who often like to think out of the box."

Chris Eng, vice president of research at Veracode, said it is technically possible for IT simply to block open cloud services from the corporate network, but he said "there'd still be ways around it.

"For example, people take work home, and maybe they simply access Dropbox from there instead. Or they switch to one of many other cloud storage services, like Box or SkyDrive," he said. "Now you have sensitive company data on several cloud services instead of just one. People will always find ways to circumvent the rules, especially if they feel it makes their job easier."

Beyond that, there are enough benefits to "bring your own cloud" that management doesn't want to discourage it. "The productivity benefits and cost improvements of many of these services are bubbled up to the CEO, who sees the benefit, and may not appreciate the risk," said Andres Kohn, vice president of technology at Proofpoint.

Dave Elliott said there's no turning back. "You don't really want to stop it," he said of rogue cloud use. "The forward thinkers want to enable users to take advantage of the cloud. It's productivity enhancing -- a business enabler," he said.

So, Elliott and other experts say it is up to IT to mitigate the risks. Kohn said: "Organizations on the leading edge of this trend have already implemented a CISO position that has greater visibility and power in the organization, and whose role is not to say 'no,' but to say 'yes, you can do it securely in this way.'"

Elliott said besides written policies, awareness training and monitoring, companies can choose certain public cloud services in different categories, "and make them the 'blessed' ones." Some companies, he added, can create in-house cloud services that are as easy and convenient as the popular public ones.

The ideal will be when IT departments can create a "seamless ability for your end users to use any cloud service, but layer visibility and control on top of it. Then people can extend the personal into corporate," Elliott said.

That would have to include encryption of data and "letting the company manage the keys, not the cloud provider," he said.
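One way IT can layer the visibility Elliott describes on top of whatever services people use is to check proxy logs against the list of "blessed" services and flag large uploads to cloud storage that is not on it. This is an added example, not code from the article or from Symantec's report; the log format, the domain lists and the byte threshold are constructed assumptions.

```python
import re

# Constructed sample proxy log lines (not from the article), in a simplified
# format: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2013-02-04T09:12:01 alice POST www.dropbox.com 4820391
2013-02-04T09:13:44 bob GET salesforce.com 2048
2013-02-04T09:15:10 carol PUT api.box.com 9300021
2013-02-04T09:16:03 dave POST skydrive.live.com 1200000
2013-02-04T09:17:30 alice GET www.dropbox.com 512
2013-02-04T09:20:11 erin POST files.corp.example 7000000
"""

# Hypothetical policy: the company's sanctioned ("blessed") services, and the
# public cloud-storage domains the article names as common rogue choices.
BLESSED = {"salesforce.com", "files.corp.example"}
CLOUD_STORAGE = {"dropbox.com", "box.com", "skydrive.live.com"}
UPLOAD_METHODS = {"POST", "PUT"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def base_domain(host):
    """Map a hostname to the policy domain it falls under (exact or subdomain)."""
    for d in BLESSED | CLOUD_STORAGE:
        if host == d or host.endswith("." + d):
            return d
    return host


def find_rogue_uploads(log_text, min_bytes=1_000_000):
    """Return (user, domain, bytes) for large uploads to unsanctioned storage."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        _ts, user, method, host, nbytes = m.groups()
        dom = base_domain(host)
        if dom in BLESSED or dom not in CLOUD_STORAGE:
            continue  # sanctioned service, or not cloud storage we track
        if method in UPLOAD_METHODS and int(nbytes) >= min_bytes:
            hits.append((user, dom, int(nbytes)))
    return hits


if __name__ == "__main__":
    for user, dom, nbytes in find_rogue_uploads(SAMPLE_LOG):
        print(f"{user} uploaded {nbytes} bytes to unsanctioned {dom}")
```

Small GET requests to the same services are left alone so that the report stays focused on data leaving the company, not on every visit to a consumer site.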

Eng noted that most workers are just looking to do their jobs better and faster. "If it solves their pain point, they won't need to skirt the policies," he said.


Stories by Taylor Armerding
