Policy, education key to reining in rogue cloud

Unauthorized employee use of cloud services is big business for providers but can cause security problems for enterprises

It used to be that rogue access points and USB drives kept IT administrators up at night, worrying about employees exporting sensitive corporate data. Now, with good reason, they're worrying about employees using cloud services in ways that could compromise corporate data.

Controlling employee use of the cloud isn't easy--there's no simple way to block all unauthorized services. But creating a detailed policy and proactively educating users about it can make a big difference, experts say.

Because cloud services are designed to be easy to set up, employees are starting to use them in ways that could cause problems for their employers. They could be simply using services, like Google Docs, that are hosted in the cloud. Or, they could be running corporate applications or services on hosted offerings like Amazon Web Services.

For instance, one popular way to get data onto an iPad is using Dropbox, an online file backup service. An employee might upload a sensitive document to Dropbox in order to access it from an iPad. "But where's Dropbox's data stored? You may have deleted it from Dropbox, but is it being backed up somewhere?" asked Ian Gotts, CEO of Nimbus, a company that offers business process management software and services.

The answers to those questions could comply with corporate policies, but might not, and the employee likely has no idea.

In addition to signing up for services, like Dropbox or Google Docs, that use the cloud, employees are also starting to use infrastructure-as-a-service offerings from companies like Amazon and in doing so may break IT policies. Users can sign up for Amazon Web Services online with a credit card and get started right away.

Rogue IT is a "massive source of business for many hosting companies," said Phil Shih, an analyst with Tier 1 Research. "It has really spurred some of the momentum in the cloud business."

Employees are using such services for different reasons. "It is very easy to provision a server and be able to spin it up," said Allen Allison, chief security officer with NaviSite, a company that offers hosting and managed cloud services. "The reason could range anywhere from setting up a server for personal use because you like to blog about 'Dancing with the Stars' to hosting child porn."

An employee could sign up for such services, however, because it's simply an easier way to provision a server for a legitimate corporate application. "The reality is, it points to internal developer frustration with internal IT," said Kenneth Ziegler, president and chief operating officer for Logicworks, a company that recently launched a public cloud offering. IT administrators may take several months to provision a server for an employee. Services from companies like Amazon let users get started on a new server sometimes within minutes.

In doing so, an employee could not only break IT policies but also the law or agreements with a partner. That could happen if the employee uploads certain kinds of data to a cloud service that might store data outside of the country, for instance.

Creating an IT policy and then educating users about it are the first steps to preventing problems that could arise from employee use of cloud services. An IT policy for the cloud should be well-thought-out, said Gotts. "One that says we won't have it happening isn't a policy," he said. "Because then they'll buy laptops and 3G cards and circumvent the policy."

But a fair, reasonable policy, such as one that stipulates that certain kinds of data can't be stored outside the borders of the country, will resonate. "Business users will understand that," he said.

IT organizations should also offer amnesty to people already engaging in cloud policies that break the rules, he said. That way the IT administrators can make an accurate risk assessment.

Then the IT department should develop a list of approved cloud service providers. The sooner that list is available, the better, because it could eliminate possible problems with encouraging workers to migrate from unapproved providers.

CIOs can now choose cloud providers that offer enterprises tools for controlling the way that workers use their services. Skytap is one cloud provider that has worked hard to develop management tools.

"What we hear from our enterprise customers, particularly the IT organizations, is 'we're not afraid of the cloud, we want to embrace it, but it's now the wild wild West,'" Sundar Raghavan, chief product and marketing officer at Skytap, said.

New users may be unaware of how quickly they can rack up usage charges. "One challenge with the cloud is that it's easy to consume," he said. That means people might leave an application running on a hosted service without really realizing "the meter is ticking," he said. Then they'll charge the company for that usage on an expense report, he said.

With Skytap, IT administrators can set policies and assign rights to individual employees. For instance, developers might have more rights to add new servers than a salesperson.

He thinks this capability will make a company like Skytap more likely to become an authorized cloud resource for large companies.

NaviSite also has a barrier to usage that makes it difficult for individual employees to use its service. In order to start doing business with NaviSite, a company has to first sign a contract. "So we would have the ability to deny a rogue user or administrator from spinning up a server without the proper authority," Allison said.

Logicworks also has features that let administrators set limits for users.

Amazon argues that its offering is better than rogue servers that employees might run surreptitiously because an IT administrator can view all systems running on Amazon Web Services. However, that only works if the employee uses a company account to run a service with Amazon. Since anyone can log on and use any credit card, an IT administrator has no way of knowing when users do so.

Once IT has identified authorized service providers, it has to work hard to educate users. "It all starts with a level of education," Gotts said. "The big, big issue here is that business users who are able to consume cloud services don't know what they don't know. Until they get to a level of knowledge and understanding, people will get hurt because they didn't even know they were at risk."

Without the education component, IT will struggle to limit workers to authorized providers. "You can restrict access to Google Docs or Amazon, but at no time are you ever going to be able to deny all cloud service providers. There are a lot out there," Allison said. "It's just a matter of training your users, letting them know what's acceptable and doing the best you can at enforcing those policies."

Nancy Gohring covers mobile phones and cloud computing for The IDG News Service. Follow Nancy on Twitter at @idgnancy. Nancy's e-mail address is Nancy_Gohring@idg.com

Join the PC World newsletter!

Error: Please check your email address.

Tags Amazon Web Servicesservicesrogue ITsecurityYEAR ENDHostedComputing servicescloud computingNaviSite

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Nancy Gohring

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?