Very few organisations have a real understanding of how widely cloud is used within their businesses. Even the IT department, which is expected to have a handle on the technology side of things, has no real idea of the number of cloud services that are being used on a daily basis.
"Our statistics from over 500 customer engagements reveal that IT is usually aware of less than 5% of the cloud services in use in an organisation," says Nigel Hawthorne, EMEA marketing director at Skyhigh Networks.
Hawthorne will be presenting on 'Cloud use: the risks, remediation and rewards' at the ITWeb Security Summit 2016, to be held at Vodacom World in Midrand from 16 to 20 May.
He says that although IT doesn't actually know what total cloud usage within the organisation is, the issue is too important to be a question of guess work. "Frankly, if anyone tells you that there's no cloud use in the organisation, they are not looking very hard, and are putting the organisation at risk by 'sleepwalking into traffic'. We have run hundreds of cloud risk assessments in EMEA and never found less than 300 different services - and even this was in an organisation of only 150 employees."
Moreover, according to Hawthorne, very few if any of these have been reviewed from a security and data loss point of view.
The dangers
Speaking of the dangers and risks associated with cloud services, he says some of these services could be gathering data to sell on to the Dark Web, others may claim that all content uploaded belongs to them, and some are even hosts for malware sources. "However, even if the cloud service itself is not considered high risk, users may upload confidential data without considering the potential data loss and with one click find that they have shared with a wider audience than they realised."
He cites several examples of potential dangers. "Take PDF converter cloud services. "To use these the user uploads data to an unknown source - what are they doing with that data? In addition, over-sharing. You start sharing data on a cloud storage service to a large group of people outside the organisation, without thinking, the user shares confidential data, particularly with auto-sync options. Finally, online presentation services - the service is free but claims all rights to the content and your competitors can search it."
In terms of what businesses should be doing differently with security in light of the cloud, he says firstly, the company needs to have visibility into cloud use, and as this changes constantly, this needs to be an ongoing programme. "Then they need to be able to review each of the services based on security parameters such as encryption, data residency, and legal issues such as the terms and conditions, whether the service has been the source of a data leak before, and several other attributes."
Next Hawthorne says the company needs to set its policies for cloud security, which needs input from other departments as it is not just an IT decision. "Users need to be trained on that policy, then the policy of which services are allowed needs to be enforced. The company should also consider additional services such as SSO, DLP, enhanced logging, and anomaly detection, even for low-risk approved services."
Risk and reward
On the topic of how businesses can balance the benefits of cloud vs the security risks, he says: "You could be forgiven for thinking at this point 'we'll just ban all cloud use', but that is neither technically possible nor usually desirable, as it can result in the opposite of the desired outcome, and bring greater risk not less. If you block the known cloud services, remember, that with over 17 000 different services available, users will simply search and find another one - those less well-known are often the most dangerous."
He says to also remember that cloud computing can make employees more productive, the company more agile, new capabilities can be turned on in seconds and overall costs can reduce compared to implementing traditional computing services.
"A good first start would be to bring together a cross-functional team from different departments such as risk, compliance, IT security, employees and line of business, to decide your stance for cloud use, reviewing the cloud services in use and start to decide what is approved, acceptable and disallowed based on your organisation's security attitude."
In his talk, Hawthorne will review the survey results from the ITWeb survey on cloud computing, share the real-life data on cloud usage in enterprises, discuss the cloud and The Protection of Personal Information Act, as well as use examples to show the benefits and problems with unfettered cloud use, before moving to what IT can do to gain visibility and control of cloud services.
Share