Cloud Security in the Covert Cloud

During a recent visit to a large U.S. financial services firm, I reviewed with a roomful of executives and staff the insights IBM had learned from our client base about securing the cloud. The executives pointed out that their company had not yet launched its own corporate cloud initiatives because they didn’t feel they had put proper risk management and governance in place for cloud security. As they said this, every head in the room was nodding in the affirmative.

Several hours later, however, when the executives left the room, a key architect pulled me aside and spent 20 minutes articulating all the unpublished usage of cloud computing within the company, asserting that a large number of the firm’s employees were actively using a popular cloud file-sharing service to more conveniently share business data — and no one was quite sure if any of the data were sensitive.

Secret Services

Many IT leaders are struggling to appropriately support their emerging cloud initiatives. They are trying to establish proper governance and optimize cloud adoption across an organization that typically has not yet defined a preferred strategy and approach spanning the entire enterprise.

This is even more challenging for the IT security function, which is often playing “catch-up” with business-led technology initiatives. In the case of cloud computing, IT security must somehow apply proper risk management policies and capabilities to an environment where the business is potentially (un)knowingly distributing sensitive business data and other assets to new locations outside of the corporate network. This is clearly a critical cloud security issue.

Where exactly is this sensitive business data being sent? And stored? And manipulated? This is challenging enough to determine in a firm’s formally sponsored public, private or hybrid cloud-based initiatives. However, I’d assert that there is an even more troubling model of cloud computing that many businesses — including those that firmly believe that they haven’t adopted the cloud at all — have yet to sufficiently identify and manage. This is the covert cloud.

The covert cloud is a collection of cloud-based services that a business is actively using without the formal knowledge of — let alone the approval of — the IT department.

The serious potential consequences of covert cloud usage span corporate functions. Is sensitive business data being accessed by inappropriate parties? What are the covert cloud security implications for officers, executives, employees, partners, clients, prospects and analysts who have no way of knowing about this cloud use, especially in the event that an outside or internal source claims a breach? If you discover inappropriate access, would you be able to legally access the covert cloud assets to perform needed forensics?

4 Steps to Address Covert Cloud Security

Obviously, from a security and risk management point of view, we must address the covert cloud. What steps can be taken now?

  1. First, IT leaders must be willing to acknowledge and address the covert cloud rather than choosing to only formally recognize existing corporate-sponsored efforts. Focused management attention is critical, even potentially including a limited-time “amnesty program” for self-identification of covert cloud usage.
  2. Second, targeted education must be delivered to help employees understand the business risks of covert cloud usage as well as the ramifications of continuing to pursue covert usage.
  3. Third, technologies that enable enhanced security intelligence, such as flow analytics, access management and data loss monitoring, should be deployed to uncover and manage covert cloud usage.
  4. Fourth, a definitive plan for cross-enterprise cloud adoption should be developed in a tight partnership between business, IT and risk management, with proper governance and measurements defined.

Bob Kalka

Vice President, IBM Security Business Unit

Bob Kalka, CRISC, is a Vice President in the IBM Security Business Unit. He has been involved in the information...