As you may have noticed, shadow IT is very much on our minds at CipherCloud — and for good reason: shadow IT is one of the most insidious and challenging threats to enterprise data security. The recent breach of a large number of celebrities’ iCloud accounts and subsequent leaking of their personal photographs only serves to highlight the dangers of using consumer-facing cloud applications to store sensitive files and data.
Businesses that have let shadow IT proliferate unchecked for too long—which is to say, almost all businesses—are often in for some nasty surprises the first time they use a cloud application discovery tool like ours. Here are three particularly nasty shadow IT surprises.
Often, the biggest nasty shadow IT surprise is the sheer number of cloud application accounts—particularly file sharing accounts—employees have created. As we discussed in our post on Cloud Application “Whack-A-Mole,” at some organizations, we’ve found users accessing hundreds of unsanctioned cloud applications, of which half or more are often file sharing. And here are the two problems with free or cheap consumer-facing file sharing cloud applications: there are a lot of them, and not all of them are equally secure.
2. Security variations
Security infrastructure and policies vary from cloud provider to cloud provider, making variations in security among different cloud applications our second nasty shadow IT surprise. The major cloud application providers tend to offer robust security, but the same can’t always be said of smaller or more niche providers. In fact, some providers don’t even offer basic transport layer security like SSL to protect data while in transit to their servers. Discovering that your employees have been uploading sensitive documents on unencrypted connections is a nasty surprise indeed.
3. Data residency violations
The third of our nasty shadow IT surprises can cause massive regulatory compliance headaches. There are cloud providers headquartered in every corner of the globe, with data centers equally as distributed, and the typical enterprise end user may not think to question where the corporate data they upload will be stored. Unfortunately, in some cases, that where is critical to remaining in compliance with data privacy and data residency laws. The revelation that employees have been storing data where they shouldn’t is one that can end up involving not only IT and InfoSec, but the legal team and the compliance team as well.
As you can see, shadow IT can cause many problems for the unwary enterprise. This is why we consider discovery so vital to cloud security, and why we’ve made our cloud discovery tool free for businesses to try.
Product Tour & Free Risk Assessment
What nasty shadow IT surprises have you encountered? Tell us your story in the comments.