In my previous post, I shared how someone’s greatest fear about cloud computing was how easy it can be.
It is so easy, and so tempting, for someone inside your organization to quickly and quietly push some of your data out into the cloud. There is no trail left to tell that this happened, let alone fill in any details of just what data it was or what continent it ended up on. Some tools to control some aspects of this risk are appearing, but they all seem to control the original files themselves. But if an authorized user can access them, copy the information into another file, and upload to the other side of the world…
A year ago, Network World reported a survey of executives in which 60% reported being worried about this so-called “cloud sprawl” while 20% reported that they had already done it themselves! Another survey has reported that half of SaaS purchases are made by non-IT departments. While cloud services certainly are information technology, they are seen by many as not being the responsibility of the IT department.
We have seen frustration lead to self-inflicted problems several times, and it has picked up the general name of “Shadow IT” along the way.
Maybe fifteen to twenty years ago, the threat took the form of frustrated staff members buying dial-in modems so they (and hackers, as it turned out) could access work systems without coming in to the office. Security defenders reacted by war-dialing their own collections of phone numbers to discover unauthorized modems. The name of that defense refers to a 1983 film, suggesting the longevity of this category of problem.
Then, maybe ten years ago, the threat was wireless routers. Again, they were cheap to buy and easy to install, and solved the frustrations of staff who couldn’t get IT to expand internal networking quickly enough. The reaction was, predictably I suppose, called “war-driving,” at least for the form in which you drove around with an antenna, laptop and GPS receiver in your car. Inside the facilities, it’s “war-walking.”
As crudely reactive as war-dialing and driving and walking are, at least they have some hope of spotting the inappropriate exposure. But there is no war-clouding. Once the data is out there, it can’t be found.
Data leaks that can’t even be noticed are truly scary.
Since it can’t be found and fixed after the fact, you need to prevent it from happening. Communication is crucial, but it must go beyond stern warnings. Your IT department needs to prevent the frustrations that lead to data leakage. If cloud storage or processing is appropriate, do it for them, correctly. If the cloud is inappropriate, as often is the case, then provide what they need in-house.
We talk about possible data leaks to the cloud in Learning Tree’s Cloud Security Essentials course, showing you some ways to instead protect the data by moving it to the cloud safely.