The Trouble with Rogue Clouds

A recent Symantec survey shows some troubling issues in cloud usage among businesses, including “rogue clouds” and how using them might expose a company’s confidential information.

A “rogue cloud” is a cloud-based service used for company purposes without being cleared through a company’s IT department, such as when “sales and marketing people . . . set up Dropbox with outside vendors to share sensitive information.”  According to the survey, rogue clouds are a problem at 83% of large enterprises and 70% of midsize enterprises.  Not only do these rogue clouds create IT headaches, they also create legal risks to the companies by potentially binding the company to a legal contract that has not been reviewed or approved by the company’s legal counsel, and also by putting sensitive and confidential information into an environment that has not been reviewed for data security.  It is worth noting that “among organizations who reported rogue cloud issues, 40 percent experienced the exposure of confidential information, and more than a quarter faced account takeover issues, defacement of Web properties, or stolen goods or services.”  A scary number indeed.

When employees were asked why they used rogue clouds instead of receiving the necessary permissions, 20% admitted they didn’t realize their rogue cloud was a problem.  Others felt like “going through IT would make the process more difficult.”

The knee-jerk reaction of many businesses is to ask what they can do to stop their employees from using rogue clouds, but maybe that’s the wrong question.  Perhaps a better question is, “how can the company support employees using cloud resources safely?”

CIO magazine suggests some answers to this question.  One option is to evaluate a selection of cloud providers and then let employees know which of those providers they can use with company information.  For example, the company’s IT department and legal group can assess the offerings and contract terms associated with a few of the popular storage sites such as Dropbox, Google Drive and Box.com, and then let employees know which services are approved for work documents.  In the process of approving those services, the company can also remind its employees of requirements and best practices associated with password management, accessing sites on public terminals, and other elements of safe computing.  In most cases the employees would use the services under non-negotiated terms of use and subject to the service provider’s standard data security framework, so for added security the company might consider requiring employees to use encryption tools such as TrueCrypt or Boxcryptor to store sensitive data on the services.

Another possible option is for a company to “create in-house cloud services that are as easy and convenient as the popular public ones.”  This gives the company better control over the data stored on the service and encryption keys used for the data, even if the company uses Amazon, Rackspace or another cloud storage provider to actually store the data.  It also gives the company an opportunity to negotiate contract terms with the cloud provider.
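The two options above share one technical idea: sensitive data should be encrypted before it leaves the company, with keys the company controls, so that the storage provider (and anyone who compromises it) only ever holds ciphertext.  The following Go program is an added illustration of that idea and is not code from this post, from CIO magazine, or from any of the products named here.  It uses AES-256-GCM from Go’s standard library; the key is generated in-process for the demo, whereas in a real deployment it is assumed to come from the company’s own key management.  The object name is bound into the ciphertext as associated data so that a blob renamed or swapped at the provider fails to decrypt, and the map standing in for the provider’s bucket is a constructed stand-in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Stored-object layout assumed for this example: nonce || ciphertext || GCM tag.
// Only this blob reaches the provider; the key never leaves the company.

// NewCompanyKey returns a fresh 256-bit AES key. In a real deployment this key
// would be issued and held by the company's key management (assumption), not
// generated by the uploading client.
func NewCompanyKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM before it is handed to the provider.
// objectName is authenticated as associated data, so a blob that is renamed or
// swapped for another object at the provider no longer decrypts.
func Seal(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Prefix the (non-secret) nonce so Open can recover it.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open decrypts a blob fetched back from the provider and verifies its tag.
// A modified blob, a wrong key, or a mismatched object name yields an error
// rather than garbage plaintext.
func Open(key []byte, objectName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored object shorter than a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

func main() {
	key, err := NewCompanyKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; the map stands in for the provider's bucket.
	provider := map[string][]byte{}
	name := "finance/q3-forecast.csv"
	blob, err := Seal(key, name, []byte("region,revenue\nEMEA,1200000\n"))
	if err != nil {
		panic(err)
	}
	provider[name] = blob
	fmt.Printf("provider holds %d bytes: %s...\n", len(blob), hex.EncodeToString(blob[:16]))

	// An employee holding the company key reads the document back.
	pt, err := Open(key, name, provider[name])
	fmt.Printf("decrypt with company key: err=%v text=%q\n", err, pt)

	// A copy modified at the provider is rejected, not silently accepted.
	tampered := append([]byte(nil), provider[name]...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, name, tampered)
	fmt.Printf("decrypt tampered copy: err=%v\n", err)
}
```

Run it with `go run .` in a directory containing only this file.  The point of the design is that the negotiated contract and the provider’s security framework become less critical for confidentiality: whether the files sit on Dropbox, Amazon or Rackspace, the provider stores bytes it cannot read, and any alteration of those bytes is detected when the file is read back.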

In an increasingly cloud-based world, employees will continue to look for the path of least resistance and use more cloud resources, even if those resources are not approved by their employers.  The safest companies likely will be those that work to reduce the resistance without compromising data security.
