Looming risk of Shadow Cloud and its ominous consequences cannot be ignored by SA businesses but can also be seen as an opportunity.
Cloud Computing: Moving data out of the organisational perimeter
Companies across all industries have begun to extensively embrace cloud computing, resulting in the current use of over a thousand of these services by enterprises, ranging from the cloud storage and webmail to social networking and collaboration. Flexibility, efficiency, scalability, storage options and selection of various tools are some of the benefits of using these services. Users can scale services, customise applications, and access them from anywhere with an Internet connection – all in accordance with their needs.
Benefits delivered by cloud computing services, however, do not compensate the need for appropriate governance, including cybersecurity, in order to avoid potential risks. These risks can come from not knowing where your organisational data are physically stored in the shadow cloud data leakages.
What is Shadow Cloud?
In a broader context, terms ‘Shadow IT’ or ‘Stealth IT’ refer to the use of information systems and technologies without explicit organisational approval. In the same manner, a ‘Shadow application’ is defined as a software program that is not supported by organisational IT department. This usually happens when end users install not approved applications in order to avoid normal, but often slow, organisational channels and processes of approval or for any other reason.
In this setting, ‘Shadow Cloud’ can be defined as ‘Software as a Service’ (SaaS) applications, used by employees for business purposes, which are not obtained or approved by the organisational IT department. These applications may be used by individuals or by work-groups or an entire department. The eWeek portal reported on 25 April 2017 that about 90% of organisational users are adopting niche applications for specific purposes but without knowledge of management. A recent Stratecast report shows that the business productivity apps, social media and storage, backup and web-mail are the most non-approved, shadow cloud applications.
The adoption of shadow cloud apps happens due to the fact that employees often drive adoption of cloud computing applications and services on their own initiatives as they do it in their private lives. However, the information systems and technology departments struggle to catch-up with this trend. Moreover, one of the IBM’s portals hints that even IT staff sometimes use unapproved cloud applications.
‘Shadow’ Threats and Impact
With the rise in the usage of the cloud computing services, it is not surprising that malware is becoming increasingly prevalent in this area. A recent Netskope report points out that more than 37% of malware detected in the cloud where some form of ‘backdoor’ access to organisational information systems. In other words, cyber adversaries were accessing computer programmes by bypassing cybersecurity mechanisms. Another 14% was malware attached to adware (advertising-supported software), which can contain malware or unwanted ads. Although ransomware, which has become a major threat to many businesses, accounts for only 4.2% of the malware detected on cloud service, it is to expect that this percentage will rise sharply in the near future.
The data leakage is yet another risk associated with the use of shadow cloud applications and services. The webmail and cloud storages are now considered as the prime vectors for data leaks. Even ‘ordinary’ cloud computing services and applications pose data visibility problems for IT department and cybersecurity professionals. The use of shadow cloud only amplifies this problem.
Low awareness of possible shadow cloud risks for business operations is yet another source of concern. According to the Cloud Security Alliance and Skyhigh Networks “Custom Applications and IaaS Trends 2017” report, cybersecurity professionals are aware of just 38.4% of all cloud computing application used by 314 organisations that participated in the survey. The remaining 61.6% of applications and services represent potential vulnerabilities and are a threat to organisational cybersecurity.
The numbers evidently highlight the scope of the shadow cloud problem within organisations. The most problems related to shadow cloud occur when organisations use public or hybrid cloud computing services. The SecurityWeek survey shows that almost 73% of respondents of their study have at least one cloud computing business-critical application, while, 46% percent of these business-critical applications are either completely deployed in the public cloud or in a hybrid cloud. Furthermore, 66.5% of respondents ranked the potential of an unprotected or unapproved cloud app as a top concern.
The negative impact of shadow cloud can be quite costly for South African companies if not addressed timely and effectively. A recent IBM report stated that the average cost of data breach typically costs our companies R1, 548, with an average of total organisational cost amounts to R28, 6 million! The IBM study found that the more records and information lost, the higher the cost of the data breach. Costs range from R21, 6 million for data breaches involving 10,000 or fewer lost or stolen records to R33, 5 million for the loss or theft of more than 50,000 records.
Seen from the business point of view, the picture is pretty bleak. If companies lose less than 1% of their existing customers, the average cost of a breach could be R26, 83 million (below the average of R28, 6 million). However, when companies have a churn rate of greater than 4%, the average cost could be R35, 95 million – well above the average.
The PricewaterhouseCoopers summarises the risks arising from the use of shadow cloud application and services as issues regarding data security, transaction integrity, business continuity and regulatory compliance
What can be done?
Left unattended, shadow cloud applications and services can present significant risks to any organisation, particularly those operating in highly regulated sectors such as financials, insurance or healthcare. Hence, it is of the utmost importance to all types of organisations to attend to the matter earnestly.
The first step in addressing shadow cloud concerns is creating awareness. By recognising and legitimising shadow applications and services IT departments can obtain greater visibility of potential risks and develop protective solutions.
The PricewaterhouseCoopers suggests another five useful steps: ● block and eliminate high-risk services; ● move from unauthorised cloud service providers to sanctioned ones; ● exert the fullest control on scoped cloud services; ● build guidelines and a governance structure for managing existing and new cloud services, and ● establish fact-based communications to internal and external stakeholders.
Well-managed shadow cloud can also offer an opportunity for employees to identify the applications that are the most useful for their day-to-day work and suggest to the IT departments to sanction and enable these applications. This practice, however, requires changes in IT policy.
Typically, organisations depreciate hardware over three years and software over five years. This ‘traditional’ model is, however, not viable anymore. Instead, IT departments should explore what users deem most productive and enable the use of these cloud computing applications and services in a secure way.
The IT policies approached in this way would balance employee’s freedom with organisational protection. If for any reason IT departments are unable to act in this way, users will continue to (mis)use shadow cloud as they would, among others, adopt the risky practice of getting their work done more quickly and with less effort.
Gaining support from employees and business leaders for a new approach to shadow computing is of paramount importance. Thus, communication of policies and regulations regarding cloud computing applications should include all stakeholders: IT departments, business users, management, C-level executives and organisational boards. In other words, organisations should keep an open dialogue regarding the matters and address it as soon as the use of potentially problematic shadow cloud application or service is identified.
From the cybersecurity viewpoint, it is also important to foster a collaborative effort between organisations using cloud computing services and the suppliers of these services. If these parties are not involved in securing ‘regular’ shadow cloud, achieving evident benefits offered by these technologies will be an elusive goal.
Finally, the status quo suggests that shadow cloud applications and services are ever-evolving. Hence, shadow cloud is there to stay for a foreseeable future. Instead, attempting to restrict usage of otherwise useful shadow cloud applications and services, organisations should enable the users of these application and services freedom to perform their jobs more efficiently but without compromising organisational cybersecurity and liability. In short, unsanctioned shadow cloud application and services should be carefully examined and sanctioned – if found useful for business effectiveness and efficiency.