A recent Symantec survey shows some troubling issues in cloud usage among businesses, including “rogue clouds” and how using them them might expose a company’s confidential information.
A “rogue cloud” is a cloud-based service used for company purposes without being cleared through a company’s IT department, such as when “sales and marketing people . . . set up Dropbox with outside vendors to share sensitive information.” According to the survey, rogue clouds are a problem at 83% of large enterprises and 70% of midsize enterprises. Not only do these rogue clouds create IT headaches, they also create legal risks to the companies by potentially binding the company to a legal contract that has not been reviewed or approved by the company’s legal counsel, and also by putting sensitive and confidential information into an environment that has not been reviewed for data security. It is worth noting that “among organizations who reported rogue cloud issues, 40 percent experienced the exposure of confidential information, and more than a quarter faced account takeover issues, defacement of Web properties, or stolen goods or services.” A scary number indeed.
When employees were asked why they used rogue clouds instead of receiving the necessary permissions, 20% admitted they didn’t realize their rogue cloud was a problem. Others felt like “going through IT would make the process more difficult.”
The knee-jerk reaction of many businesses is to ask what they do to stop their employees from using rogue clouds, but maybe that’s the wrong question. Perhaps a better question is, “how can the company support employees using cloud resources safely?”
Another possible option is for a company to “create in-house cloud services that are as easy and convenient as the popular public ones.” This gives the company better control over the data stored on the service and encryption keys used for the data, even if the company uses Amazon, Rackspace or another cloud storage provider to actually store the data. It also gives the company an opportunity to negotiate contract terms with the cloud provider.
In an increasingly cloud-based world, employees will continue to look for the path of least resistance and use more cloud resources, even if those resources are not approved by their employers. The safest companies likely will be those that work to reduce the resistance without compromising data security.