Strategic CIO // Executive Insights & Innovation
Commentary
5/14/2014 09:06 AM
Lori MacVittie

Shadow IT: Honey Badger Better Care

Use of Dropbox and other consumer services is exploding in enterprises, yet companies turn a blind eye to the security risks. This sends the wrong message to cloud service providers.

Late last week, popular SaaS storage provider Dropbox admitted to a web vulnerability that put the confidentiality of data at risk. Its response was to shut off link-sharing functionality to prevent abuse -- a decision that was not, if comments on its blog post about the decision are representative, well-received. Not only did this vulnerability put users at risk, its remediation apparently disrupted workflows across enterprises and thus negatively affected a key business performance indicator: productivity.

According to Skyhigh Networks' Cloud Adoption Risk Report for the second quarter of 2014, Dropbox remains the No. 1 file-sharing service in use across more than 250 companies, spanning the financial services, healthcare, high tech, manufacturing, media, and services industries. Unfortunately, there's only one "enterprise-ready" cloud service, as defined by Skyhigh Networks, in its Top 10 file-sharing services list, and it ain't Dropbox. That honor belongs to Box, which comes in at No. 4 on the list.

It's nearly a sure bet that you have users -- or entire departments -- blithely saving business data to Dropbox or some other file-sharing service. Unless you have complete control over every user's desktop (VDI vendors are right now salivating over this use case), it's highly unlikely that this "shadow IT" has passed you by.


Most CIOs readily acknowledge that, yes, unauthorized cloud services are in use within the corporate demesne. Most also underestimate just how pervasive they are, says Tal Klein, VP of strategy for Adallom, another player in this relatively new cloud service security market. "Executives usually estimate something like 30 cloud services, and we usually find around 300," says Klein. "We've yet to see a company with more than 1,000 employees that had less than 200 'shadow IT' apps."

That's a precarious situation that should have the business concerned. Yet it's often business leaders themselves giving at least tacit approval, which dampens any kind of urgency that might be felt by those well aware of the risks. 

And there's very little impetus for providers of these services to get enterprise ready. Of the 3,571 services assessed by Skyhigh, only 7% met the criteria to be considered "enterprise ready."

The 2014 Strategic Security Survey shows infosec pros are plenty worried about cloud services.

Surprised? Don't be. If the users "paying" the bills -- whether via expense account or serving up your data for mining -- don't care, why should the provider?

CIOs need to confront this issue now. Yes, shadow IT has gone on for years. But Skyhigh claims the average number of services in use by organizations increased by 21% in the last quarter alone. The longer you turn a blind eye, the harder it's going to get.

Although IT is simply not going to shut down shadow IT at this point, you might still be able to put into place the minimum governance necessary to ensure that services are not incurring unnecessary risk.

The first step is discovery -- get a handle on just what services are in use and by whom. Find out by using logs or by simply talking to business units in a non-confrontational way. Then do some research to see which meet your definition of enterprise-ready and which do not. For the latter group, steer users toward services that are, in the opinion of IT, ready for use in their enterprises given all the various business, industry, and legal requirements. It might mean putting in place the controls required to shut down unauthorized services and offering a grace period for users to migrate to a more acceptable cloud service. Consider creating or augmenting an existing enterprise app store that includes links to vetted cloud services -- those that make your "enterprise ready" grade -- so users can easily access acceptable options. 
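As an added example (not from the article, nor from Skyhigh, Adallom or any other vendor named here), the script below does the discovery step against web proxy logs: it parses constructed sample log lines, maps each destination hostname to a hand-built catalogue of file-sharing services, marks which of those are on a hypothetical sanctioned list, and produces a migration worklist ordered by upload volume, which is usually the fastest way to see where the data is actually going. The log format, the service catalogue and the sanctioned set are all assumptions; a real deployment would take them from the proxy you run and the vetting IT has already done.

```python
"""Shadow-IT discovery from web proxy logs.

Added example, not code from the article or any vendor it mentions. The log
format, the service catalogue and the sanctioned list below are constructed
for illustration.
"""
from urllib.parse import urlsplit

# Constructed catalogue: registrable domain -> (service name, category).
# Any subdomain of a catalogued domain is attributed to that service.
SERVICE_CATALOGUE = {
    "dropbox.com": ("Dropbox", "file-sharing"),
    "dropboxusercontent.com": ("Dropbox", "file-sharing"),
    "box.com": ("Box", "file-sharing"),
    "drive.google.com": ("Google Drive", "file-sharing"),
    "wetransfer.com": ("WeTransfer", "file-sharing"),
}

# Services IT has vetted as "enterprise ready" for this hypothetical org.
SANCTIONED = {"Box"}

# Constructed sample proxy lines: timestamp user method url bytes_out action.
# The last line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
2014-05-13T09:01:12Z alice@corp.example GET https://www.dropbox.com/home 512 ALLOW
2014-05-13T09:01:40Z alice@corp.example POST https://dl-web.dropbox.com/upload 1048576 ALLOW
2014-05-13T09:05:03Z bob@corp.example GET https://app.box.com/folder/1 2048 ALLOW
2014-05-13T09:07:19Z carol@corp.example POST https://wetransfer.com/api/v2/transfers 20971520 ALLOW
2014-05-13T09:08:00Z dave@corp.example GET https://drive.google.com/drive/my-drive 4096 ALLOW
2014-05-13T09:09:45Z alice@corp.example GET https://intranet.corp.example/ 1024 ALLOW
this line is malformed and should be skipped
"""


def classify_host(host):
    """Map a hostname to (service, category) by walking up its labels.

    'dl-web.dropbox.com' is tried as-is, then 'dropbox.com', then 'com'.
    Returns None for hosts not in the catalogue (e.g. the intranet).
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        hit = SERVICE_CATALOGUE.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def parse_line(line):
    """Parse one constructed proxy line; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, url, bytes_out, action = parts
    host = urlsplit(url).hostname
    if host is None or not bytes_out.isdigit():
        return None
    return {"ts": ts, "user": user, "method": method, "host": host,
            "bytes_out": int(bytes_out), "action": action}


def discover(log_text):
    """Aggregate catalogued cloud traffic per service: users, requests, bytes."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify_host(rec["host"])
        if hit is None:
            continue  # not a catalogued cloud service; ignore
        name, category = hit
        entry = summary.setdefault(name, {
            "category": category,
            "sanctioned": name in SANCTIONED,
            "users": set(),
            "requests": 0,
            "bytes_out": 0,
        })
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
    return summary


def unsanctioned_services(summary):
    """Unsanctioned services, largest upload volume first: the migration worklist."""
    rows = [(name, e) for name, e in summary.items() if not e["sanctioned"]]
    return sorted(rows, key=lambda r: r[1]["bytes_out"], reverse=True)


if __name__ == "__main__":
    for name, e in unsanctioned_services(discover(SAMPLE_LOG)):
        print(f"{name:<14} {e['category']:<13} users={len(e['users'])} "
              f"requests={e['requests']} bytes_out={e['bytes_out']}")
```

The suffix walk in classify_host is what keeps the catalogue short: one entry per registrable domain covers the CDN and upload hostnames a service actually uses, which is where the bytes show up. Sorting the worklist by bytes out, rather than by request count, puts the bulk-upload services first, which is the order in which a grace-period migration should be run.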

No matter how you approach the problem, approach it. Approach it now. Because cloud service adoption is continuing to accelerate, and the Dropbox vulnerability is not going to be the last security issue we're going to see.


Lori MacVittie is a subject matter expert on cloud computing, cloud and application security, and application delivery and is responsible for education and evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture experience ...

Comments
Drew Conry-Murray, User Rank: Ninja
5/15/2014 | 11:04:27 AM
Re: Embrace the beast!
I think Lori's advice is sound: better to steer users toward more suitable options (without being confrontational about it).

But the problem remains that even if you get employees onto Secure Enterprise Platform X, they're going to be collaborating with business partners that are still using Dropbox and other consumer tools. Not sure what the fix is here.

On the positive side, I think it's encouraging that Dropbox admitted to the vulnerability. I'm not naive enough to believe that Dropbox is transparent about all its security problems, but we've come a long way from the days when vendors pretended they were always secure.
jagibbons, User Rank: Ninja
5/15/2014 | 9:52:29 AM
Re: Embrace the beast!
Consumerism in the enterprise will almost always be at odds with security and governance. A balance of alternatives, or the idea shared of the Caution! sign instead of Stop!, needs to be found. Identify the consumer or end-user friendly tools that also fit the organization's security, governance and compliance needs. Then, help users get there. Whatever policies are put into place, the average user in any company is going to find and utilize the tools that allow him/her to get their job done with the minimum amount of overhead or headache. The harder IT makes it to get the job done by implementing the strongest security tools and rules, the more employees will look for ways to get around it. Meet them in the middle and find solutions that meet the needs of both sides of the equation.
bkosh, User Rank: Strategist
5/14/2014 | 1:32:04 PM
Re: Embrace the beast!
Well, Lorna makes a good point: if IT can't encrypt/protect data, then how will we expect users to? The main benefit of nCrypted Cloud is it allows IT folks to delegate the responsibility of protecting shared data in the cloud to their end users. It's a mouse click to encrypt. It's also network agnostic, device agnostic, and cloud storage agnostic. At the same time, there is accountability with forensic-level data usage auditing, so you can centralize visibility and oversight of users' activity. IT gets a looking glass into where data is going and being used outside the organization, and on non-corporate devices. Anomalies are easily detected and corrected. This is not crazy, it is an accountability-based model, it's the only way to scale and it's the way our society works. For example, most states have speed limited to 65 MPH. But cars are not limited to 65 MPH. Why not? Drivers are held accountable for their actions, and traffic flows freely. We need the same model to balance the corporate requirements of protecting the data, while allowing business users to move as quickly and efficiently as possible.
ShadowIT, User Rank: Apprentice
5/14/2014 | 1:09:53 PM
Re: Embrace the beast!
What are the benefits of nCrypted Cloud?
Lorna Garey, User Rank: Author
5/14/2014 | 11:31:58 AM
Re: Embrace the beast!
Encryption is one of those techs that everyone agrees is smart, but then they have some excuse why they can't use it consistently. Key management is hard! It will add latency/confuse users/cost too much! It didn't take off when IT was in control. Not holding my breath for it to be widely adopted now.
Laurianne, User Rank: Author
5/14/2014 | 10:12:59 AM
Re: Embrace the beast!
As CIOs at our recent InformationWeek Conference discussed, you can get a grip on Dropbox use by offering preferred alternatives. Onyeka Nchege, CIO of Coca-Cola Bottling, described how he holds up a caution sign, rather than a stop sign, for business users, on matters of BYOD and shadow IT. Then you present the alternatives.
bkosh, User Rank: Strategist
5/14/2014 | 9:46:55 AM
Embrace the beast!
That's a nice story and a killer headline. Smart IT is spreading the responsibility of security to their users by having them encrypt all data before it hits the cloud. This is wise because even if you trust one cloud, the average user is going to have 3-5 cloud storage services on each device. That's a recipe for disaster unless you have a cross-platform way to share and collaborate securely. This is the reason for third-party apps like nCrypted Cloud.