'Game of Shadows' Threat Looms Large in the Cloud

By CIOReview | Wednesday, September 21, 2016

Cloud computing has developed and evolved a great deal and continues to do so at a rapid pace, leaving a huge impact on businesses all across the globe. Many organizations are planning to shift to the cloud, and Gartner terms it one of the hottest technology trends. It’s not a startling revelation that every organization has at some point given in to the charms of the cloud and tried to work on one or multiple cloud platforms. Ample storage space and economy of cost form the core of this lure, which tempts every organization to go for the cloud instead of doing the work on-premises. But there is another aspect to it: employees act on their own and are not subject to the rules and regulations of the organization when adopting third-party apps within the cloud infrastructure. This can be very damaging to an organization, and part of the concern stems from the fact that the unapproved use of clouds may affect data security and integrity. Data quality, accuracy and compliance controls could become that much harder to enforce.

Shadow IT may be defined as hardware or software within an enterprise that is not compliant with the rules and regulations of the organization and is not within the purview of the central IT department. The name ‘Shadow IT’ itself carries a dark and negative connotation, and it’s quite possible that organizations often don’t have a clue that their employees are using it. The cloud’s ability to create an application very rapidly has resulted in many employees giving in to the ‘dark side’. Shadow data may be defined as data that is not properly governed or regulated by security controls or regulations; it covers all of this and goes well beyond it. It contains all the sensitive data that users upload, store and share via the cloud. While end users may not be attuned to these issues, IT is acutely aware of the impact of these rogue actions on IT data governance.

There was a time not very long ago when Microsoft Access caused a big disruption in the field of IT and was a source of major headaches for organizations. As the name suggests, Access is powerful and accessible, and employees used this tool to create apps of their own. After years of this forbidden practice, hundreds of Access databases had spread throughout organizations, and often none of them came under the purview of IT. The same phenomenon is on the verge of recurring, and it’s ready to strike, this time with cloud apps.

When these shadow cloud apps enter the enterprise environment, several potentially risky conditions emerge. These conditions have a negative impact in a number of areas, including security issues, poor quality control, maintenance issues, and lack of data portability. A vast majority of business cloud apps do not meet the necessary security requirements and could put companies at risk, even though most companies use them.

Shadow apps can leave a lasting impression on the way business is done, and in many cases clients back out if their data is lost or other such malfunctions or misfortunes happen. Another scary thought is that if the employee who created the app leaves the organization, he or she takes the password along, putting at risk both the security and the reputation of the organization.

Impact of Shadow Apps

• When these shadow apps are created by employees, it’s very difficult to find out whether they handle and secure the data in a way that adheres to institutional policy, leaving a constant security threat lurking in the corner.
• When users create their own apps in some obscure cloud, the data they use is often defined by arbitrary metadata: descriptions of specific data items that aren’t derived from the enterprise but from a user’s interpretation of the data. This can lead to some critical complexities.
• One other important issue that comes to the fore with shadow apps is lack of accessibility when it is required. If years of sensitive data are stored in a shadow app and another system needs to access that data, it becomes a long and arduous task to build an interface between the system and the rogue data.

It’s like coming full circle, and it is as difficult to stop rogue data apps as it was to stop Microsoft Access apps. It’s bound to happen and it’s just not possible to stop it. There are, however, certain ways in which one can minimize the effect of these rogue apps. One way is to create a knowledge base of cloud options and pay proper attention while selecting a cloud platform for the organization. Another is to keep tabs on each department that is developing apps and provide the much-needed support for interface building. All these processes should be examined by the IT security officer, who should keep a proper check on activities and thus provide the much-required security cover.

The biggest challenge for the cloud industry is access management and how it deals with it. Dealing with this ‘League of Shadows’ has become a really intimidating challenge, and the only viable solution that comes to mind is to call all the stakeholders to the table and discuss a way to tackle it. The approach should educate all the parties involved about the intricacies of adopting a new cloud technology and data management policy.