Rogue clouds? Shadow IT? CIOs need to get a grip

Opinion Davey Winder Feb 4, 2013

Terms such as rogue clouds aren't helpful. They're fulfilling a business need and CIOs should recognise this and improve the security

ReRez recently published the results of a survey (commissioned by Symantec) of more than 3,000 IT managers across 29 countries and revealed that 83 percent of them at the enterprise level, and 70 percent in the small to medium sector, admitted staff were using 'rogue' clouds.

The use of so-called 'Shadow IT' is nothing new, and over the last year the whole Bring Your Own Device (BYOD) debate has highlighted this, but the 'Rogue Cloud' label is relatively new. So what does it mean?

Well, simply put, the rogue cloud term relates to the use of cloud-based applications that do not have the approval of the IT department, the use of cloud-based services which are therefore in contravention of existing information security policy.

This shadow IT use doesn't have to be instigated at the bottom of the staff food chain either, quite often businesses themselves are buying rogue cloud services by not realising that they are cloud-based and if they do then not adequately investigating how much control they have over these applications.

That said, given that according to the same survey results a fifth of employees had no idea that they were breaching corporate security policy, it certainly also means that there is something wrong with the way in which existing policies are updated and the staff security compliance programme.

A fifth of employees had no idea that they were breaching corporate security policy

The most often quoted argument against the use of shadow IT, and which applies equally well to rogue cloud usage, is that it has the potential to open the enterprise network doors to malicious intruders. For sure, this particular argument holds plenty of water and the ReRez/Symantec survey confirms the danger: 40 percent of those questioned said that confidential data had been 'exposed' by the use of shadow IT and a quarter admitted to accounts being hacked, services being mis-appropriated and web properties suffering defacement.

However, as the research showed, there are other implications when it comes to shadow IT: 34 percent of those asked had been requested by a court to produce electronically stored information, yet 41 percent of those couldn't comply courtesy of not being able to retrieve the said data.

The knock-on eDiscovery costs when litigation rears its ugly head should not be underestimated. Quite apart from risking the ire of the judge by claiming 'it was them rogue cloud users what done it your lordship' if your business fails to keep track of cloud-based service usage then getting to the point where you make that declaration, and the judge will be even less impressed if you don't bother trying, is going to cost you much more than it would otherwise.

Think about it, if your SaaS application processed data is stored across multiple cloud providers then the cost of retrieving that data is going to multiply when compared to producing it from a single source. Throw in the spanner of complexity that not knowing which cloud providers are involved, thanks to the rogue cloud effect, and the impact upon IT management, litigation research teams and so on is huge.

There are two sides to the rogue cloud debate, and the same twin-reasoning for the use of any shadow IT applies: to save both time and money. When under the cosh, employees who know what technology and what specific application will best enable them to do the job they have been tasked with doing are likely to go and grab it. If you need evidence that this is happening then look at the recent PricewaterhouseCoopers study that showed 30 percent of enterprise IT spending was external to the 'official' budget.

 I tend to be of the opinion that this is no bad thing, especially when companies need to be more productive in order to remain profitable during undoubtedly recessionary times. Casting such usage as 'rogue' or 'shadow' sets it as being evil;  as being a problem in its own right.

I'm not sure that's really the case. Just as blocking all at work access to social networks has often been found to be counter-productive, so blocking all access to unauthorised cloud-based applications will hit the bottom line.

Disruptive technologies only disrupt when they are misunderstood, and it's time that business (in the holistic sense) gets to grips with the cloud and embraces it in all its innovative glory for what it is: a productivity booster, a budget saver and an end-user enabler.

That doesn't mean that security gets thrown out of the window, instead it just means that some thought has to be given how best to merge governance and compliance with so-called shadow usage into a workable and secure strategic framework. The risks of the rogue cloud need to be mitigated, no doubt about that, and one of the best ways is to have a CISO who says yes rather than no: yes, you can do it safely like this ...

Davey Winder

daveywinder (2).jpg

Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.