
Shadow IT: Why companies are exposing your data — and what to do about it

Kent Christensen is practice director for cloud and virtual data centers at Datalink.

The race to cloud computing is exposing private customer information and sensitive corporate data on an unprecedented scale. The demand for quicker and cheaper application development is driving this trend.

Companies are moving at breakneck speed to produce applications that offer a competitive edge and business results. As CMOs crack the whip behind developers, app teams choose to buy cloud services without the knowledge or input of IT, the traditional guardians of data security.

As a result, the public cloud has become the sandbox for development. And as customer information and sensitive corporate data is poured into this sandbox, IT is beginning to lose control of its company’s data assets.

As an IT adviser at Datalink, I have witnessed this rise of shadow IT. It comes from pressure to develop apps fast and a myth that the cloud is a Swiss Army knife suited for every application.

In reality, not all apps and related data should go on the public cloud.

Preventing this abuse of customer data and risk to corporate security requires not merely a change in thinking, but rather the transformation of IT into a true service provider that uses the cloud with the precision of a scalpel.

Levels of data exposure

Corporations are struggling to keep files stored on public clouds secure, and the scale of data exposure is shocking.

“Avoiding the Hidden Costs of Cloud 2013,” a report by Symantec, surveyed 3,236 business and IT executives from 29 countries on their use of the cloud. Among companies that reported “rogue cloud deployments,” like the app developer’s sandbox, “40 percent experienced the exposure of confidential information, and more than a quarter faced account takeover issues, defacement of web properties or stolen goods or services.”

A further 40 percent of surveyed organizations had lost data in the cloud, and 68 percent of these organizations experienced recovery failures. Finally, another 23 percent of organizations had been fined for privacy violations in the cloud within the past 12 months.

Providers of cloud services are not necessarily to blame. In March, Threatpost reported that Rapid7, a vulnerability management firm, analyzed the security of files stored on Amazon S3. Their researchers found that of 12,328 buckets (essentially file containers) owned by Fortune 1000 companies, 1,951 had somehow been reset from a private to a public setting, exposing more than 126 billion files.

The problem was not Amazon’s fault, the researchers determined, but rather mismanagement by companies and their third-party vendors. Among a random sample of 40,000 exposed files, more than half could be used to breach a corporate network or be offered for sale on the black market.
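As an added illustration (not from the article or from Rapid7’s study), the check below shows what the “public setting” the researchers describe looks like in practice: a grant in a bucket’s access control list to the AllUsers or AuthenticatedUsers group. The ACL data is constructed inline in the shape of the Grants list returned by the S3 GetBucketAcl API; the bucket names and IDs are made up for the example.

```python
"""Flag S3 bucket ACL grants that make a bucket readable or writable by the public."""

# Canned ACL group URIs that S3 treats as "anyone" or "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Constructed sample data: same shape as the 'Grants' list of a GetBucketAcl
# response (Grantee of Type Group or CanonicalUser, plus a Permission).
# Bucket names and the canonical ID are fictional.
SAMPLE_ACLS = {
    "private-reports": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
    ],
    "dev-sandbox-assets": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
    "partner-uploads": [
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
    ],
}


def public_grants(grants):
    """Return (audience, permission) pairs for every grant to a public group."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[uri], grant.get("Permission")))
    return findings


def audit_buckets(acls):
    """Map bucket name -> public grants; buckets with no public grant are omitted."""
    return {name: public_grants(grants)
            for name, grants in acls.items() if public_grants(grants)}


if __name__ == "__main__":
    for bucket, exposed in audit_buckets(SAMPLE_ACLS).items():
        for audience, permission in exposed:
            print(f"{bucket}: {permission} granted to {audience}")
```

In a real audit the Grants list would come from a GetBucketAcl call per bucket; a WRITE grant to any public group is the more serious finding, since it allows outsiders to add or replace objects, not just read them.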

The cloud-blockers

Despite these known risks, the flight to the cloud continues, and it is part of what I call a “Swiss Army knife” approach to cloud computing, which holds that cloud is now faster, cheaper, and better for everything, so every system should be cloud-based.

The love of cloud is also motivated by IT departments, which have gained a reputation within their organizations for being high spenders, gatekeepers, and enemies of the cloud who slow down all development with security concerns. When a marketing team wants Dropbox and IT says, “No, it’s non-compliant, and we can’t risk leaking corporate data,” IT perpetuates this myth — even if they have good reasons for not using Dropbox.

Instead, IT departments need to ask, “Why do you need Dropbox?” If the answer is for smoother collaboration, then it is on IT to find a file-sharing and collaboration platform that can exist strictly within corporate data centers. Saying “no” just drives other departments to find their own solutions, which are clearly fraught with risk.

The scalpel approach

If rogue cloud deployments are risky but departments legitimately need cloud or cloud-like features, then problem solving is the future of IT — not yes-or-no answers.

To keep app development teams agile yet reverse the exposure of sensitive data, corporations need to replace Swiss Army thinking with a scalpel approach, which holds that cloud deployments are precise means to specific ends. The result will be a hybrid of in-house (private) and public cloud solutions.

CRM software like Salesforce.com, for instance, is a precise use of the cloud. It makes a lot of sense to enable mobile sales teams to access customer information outside of a business’s four walls. Google, Microsoft and Amazon offer virtual environments that are specifically designed for secure development and testing of applications.

So here’s my advice to IT: to actually use a scalpel approach, you need to be one step ahead of marketing, sales, finance and all the other departments that otherwise are going to circumvent you—and risk corporate data and customer information—if you say no to their request.

You need to vet and curate solutions that you trust and are able to monitor. Let development teams practically order them off a menu and deploy them as quickly as the CMO hopes. If you can get ahead of other departments’ needs — of your clients’ needs — you have an opportunity to be seen as a strategic partner and value creator instead of a digital policeman, and you have an opportunity to control the race to the cloud. Your future hinges on evolving into a cloud services broker.


VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact.