Still going rogue in the cloud

Employees expose their companies to added risk when they use unauthorized cloud services. But some experts say it is probably not entirely fair to call them 'rogue clouds'

In the world of IT security, public cloud services themselves are not rogues as the classic dictionary definition would put it: "Unprincipled, deceitful, unreliable, scoundrels or rascals." It is employees who are, in effect, "going rogue" by using those services without the permission or even knowledge of their organizations' IT departments.

However, whatever the semantics and whoever is at fault, most security experts say rogue clouds or the rogue use of clouds can be a major threat to corporate data security.

For starters, if an employee stores company information on a file-sharing service like Dropbox, even for good reasons like convenience and collaboration, and then leaves the company, he is likely to still have all that information under his control.

Peter Moriarty, director of Sydney-based managed IT services provider itGenius Australia, told The Australian that while Dropbox is a great app, "it is not fully tied to your corporate email address, so when an employee leaves they may have corporate data in there and still have their log-in."

Experts have a list of other risks as well: Possible cloud infections; breaches of data compliance requirements; exposure of confidential information through hacking, since the cloud service has, in effect, now become the end user of the data; theft of goods or services; account takeover; and possible defacement of web properties.

Yet rogue cloud deployments are increasingly popular. The security firm Symantec, in a survey released earlier this year, found that 77% of all businesses have experienced rogue cloud situations, or unauthorized use of cloud services, over the past year.

And while the goal of that use is generally to save time and money, the survey found that 40 percent of organizations where the rogue use of clouds exists "have in fact experienced the exposure of confidential information. Other issues include theft of goods or services, account takeover and even defacement of web properties, experienced by more than one-quarter of businesses."

That trend is continuing, according to Kevin O'Brien, enterprise solutions architect at Cloudlock. He said his firm sees two key trends when it analyzes third-party applications enabled within company cloud environments. "The number of untested third party applications has risen by more than 60 percent over the past 12 months, and the amount of data being moved through those applications has risen in lockstep with their increase in adoption," he said.

This, he added, creates something of a "shadow IT," where department heads and line staff "make technical decisions, such as whether to trust and allow access to a third-party software tool, without adequate oversight or information."

O'Brien said there are generally two categories of rogue cloud apps — those that handle and transfer data and those that are more personal such as video games and personal productivity or social tools.

He said his firm sees more of the latter, namely entertainment and productivity apps that have a significant amount of access to critical business data. "We've seen a rise in the number of our customers who are banning apps like Angry Birds, MailBox and other such personal apps which have been installed by their staff."

Kent Christensen, virtualization practice manager at Datalink, said one benefit of the Symantec report and other media attention to rogue cloud use is that at least there is increased awareness of the risks.


And he said while companies are "all over the map" when it comes to the frequency of rogue cloud use, "many are planning a strategy to help repatriate some of the application loads but have not done so yet. [Others] have cried foul and brought stuff back into the fold due to compliance and security or cost."

But he and others say the expanded rogue use of clouds points to a failure on the part of IT departments to provide employees with the tools they need. Dropbox, one of the most frequently mentioned sites when rogue clouds are under discussion, "is likely the most common since it is so simple and useful," Christensen said.

"In this case the organization is demanding the ability to collaborate and IT has not provided a solution. So users download Dropbox and do it on their own. It is a consumerized application — very simple to procure and use — being used in the corporate setting."

Mark Diodati, technical director in the office of the CTO at Ping Identity, agrees, saying employee frustration with IT is the primary reason they turn to the rogue use of cloud services. "They don't want to wait 18 months for somebody to set up a VM," he said. "IT has to start thinking on business time, which means faster than infrastructure time."

Dropbox did not respond to a request for comment, but directed CSO to pages on its website that list its security, privacy and compliance features. Those include SSL and AES-256 bit encryption and available two-step verification.

It complies with the U.S.-E.U. and U.S.-Swiss Safe Harbor Frameworks, but does not yet have HIPAA, FERPA, SAS 70, ISO 9001, ISO 27001 or PCI certifications.

But Christensen said there are plenty of alternatives for the most popular cloud services, if IT will take the time to vet them and then make them available. "Dropbox or GoogleDrive are really applications that were not initially designed for commercial organization use," he said. "Other applications, like HDS, EMC, NetApp and others are designing Dropbox-like services that are more secure and compliant. Some even allow the data to remain in the private cloud and be accessed via a secure corporate network, but still allow collaboration between authenticated users."

Andrew Jaquith, CTO of SilverSky, takes it even further, saying that a report done by his firm "showed the business application that has the most cloud adoption is email, at 40%. That means 60% of the market hasn't adopted it yet. Does that make email a 'rogue cloud'? I don't think anyone would argue that. What we are talking about is just a question of degree," he said.

"When we talk about 'rogue clouds,' all we mean is that it is something that does not have the blessing of IT. But that's no different than PCs were at first: unsanctioned devices. IT should seek to understand honestly why these alternatives to traditional services are being used. They are IT's competition. If IT can't provide something internally that solves the needs that these alternative solutions fulfill, it should find the next best version that meets their assurance and security requirements."

Kevin O'Brien said it is clear that most employees are "increasingly tech-savvy and want to work efficiently and effectively. They use cloud systems at home, often without even realizing it — Gmail is the now-classic example. If IT attempts a top-down control approach to app management, their users will sidestep them."

So, he said, "IT needs to address the root cause of the problem — find ways to review, analyze and empower users, not to cast aside all concerns about security and regulatory compliance." That means IT needs to remove, revoke and ban those rogue environments that subject the organization to excessive risk.

"The core point here is that no matter how it occurs, a data breach is still a data breach, and the loss of sensitive information can carry both financial and legal repercussions that can result in real loss," he said.
