Cloud computing has gone mainstream. While a hard-core of naysayers still exists, the black-and-white negative viewpoint is a lot less common today than it was a year or two ago. Our research at Freeform Dynamics, says it’s now less about ‘whether’ to use cloud, and more a question of where to adopt it and how.
But that doesn’t mean you can just grab something from the cloud that seems to do the trick and assume you’ll end up with a robust solution. A good cloud service implemented well to solve the right kind of problem can yield significant benefit. If it’s not fit for purpose and/or is poorly implemented, however, it can be extremely bad news.
This is something we explored in a recent online study on cloud-related security, the results of which confirmed a whole range of challenges. Some of these were to do with practical issues such as coordinating identity and access across different services, encrypting data in transit and at rest, and generally maintaining visibility of who is doing what with the cloud. We also identified a bunch of people-related issues, not least of which was figuring out how to prevent users, and even business managers, creating exposures as a result of thoughtlessness or simply lack of knowledge.
Beyond eliciting the usual tick-box survey responses, one of the questions included in the study simply asked: “What is the scariest or most bizarre business use of cloud services you have come across?”, letting participants type whatever they wanted in response. Our aim was to bring to life some of the dangers associated with the inappropriate use of cloud, which are so easy to ignore when discussed in an abstract or theoretical manner.
On the ‘bizarre’ front, apart from a couple of references to employees being caught uploading their porn-collection so they always had it at hand (ahem), we didn’t hear much of general interest. On the subject of ‘scariness’, however, we received a lot of responses that collectively illustrate some of the most common challenges.
Firstly, most IT professionals will not need reminding of the reality summed up by this response to the scariness question:
Scary: “How people do not seem to have much common sense”
Some more specific examples of how thoughtlessness can lead to risks were provided by other respondents:
Scary: “Executives using free cloud services to back up their confidential data, sync it with other devices and share it with colleagues, without worrying about the service terms and conditions, whether data was protected in transit and at rest, and whether the user authentication was robust.”
Scary: “Team of sales reps storing credit card numbers in a plain text shared document to make reordering for customers more of a ’seamless’ experience.”
Scary: “Sharing business contacts with a free cloud service.”
Scary: “Storing bid tenders in [a consumer cloud service]. We stamped on that one hard.”
Scary: “Putting [confidential] in-house training presentations onto a public sharing site for ease of access.”
Scary: “Exchanging sensitive in-house data [via the public cloud] that could have been shared on the intranet instead.”
This next quote captures one of our favourite anecdotes, though we did feel sorry for the user concerned:
Scary: “The finance director lost some vital spreadsheets. When asked to investigate we found he had accidently moved them along with the Lyons club newsletter he had his secretary producing to his private consumer class data storage service.”
But before we run away with the idea that IT professionals always exercise sound judgement…
IT pros aren’t perfect
Here’s a selection of quotes that illustrate how easy it is to be caught out, even when you should arguably know better:
Scary: “Senior [business] management, with the agreement of IT, were advising staff to use a collaborative project planning package on an open site. The project was concerning a customer with very specific NDA and security requirements.”
Scary: “Using a cloud-based repository with guest access, i.e. no user name and password required, to share full customer details between two offices. The IT Manager’s defence was that someone would have to guess that www.domain.co.uksecret existed. When he was shown a web crawler he almost fainted.”
Scary: “Testing applications in the cloud with live patient data.”
On a particular point, some highlighted the dangers of getting too carried away with the whole cloud idea and moving applications into a hosted environment that are not ‘cloud-ready’:
Scary: “Even if the platform is secure and compliant, the application may not be. Simply moving traditional applications which have run in an on-prem environment to the cloud can increase the risk of regulatory violation and disclosure of sensitive data.”
Scary: “Hosting non-cloud applications in the cloud, all the time, as a general policy.”
These last quotes lead us into a common problem with cloud that we suspect often results from people assuming that it somehow makes all traditional problems and considerations magically disappear.
Exposure by design
What’s interesting about these next few comments is that they illustrate how security and compliance risks can be formalised as a result of misguided decisions that have been made in a deliberate and apparently considered manner. Both business decision-makers and IT staff are implicated here:
Scary: “Transfer of confidential personal data (school pupil records), in the clear and with the file unprotected in any way, to an unfamiliar cloud-based storage system at the explicit request of a local authority education department.”
Scary: “Using a test instance as a production service after a demo was adopted by the COO and its use mandated in a sales meeting.”
Scary: “Health care records being stored on non HIPAA compliant cloud services.”
Scary: “Putting health info in the cloud.”
Scary: “Storing identifiable unencrypted IoT messages from private houses.”
Scary: “SME businesses running their companies on free cloud services.”
When you see such examples written down like this it obviously begs the question “Whatever were they thinking?” But these are just a selection of many – we have just chosen a few of the shorter ones to provide a flavour. A number of the anecdotes were quite detailed and we have deliberately not published them for fear of inadvertently giving away the identity of the organisation concerned.
Reading between the lines, some of the risky situations highlighted have undoubtedly come about as a result of normal processes being circumvented.
Short-cutting checks and balances
The ease and speed with which a new cloud service can be adopted is a double-edged sword. On one side, it’s great for responding to new and emerging business needs very rapidly. On the other, there’s a temptation to accelerate through, or even bypass, the usual processes designed to make sure things are done properly:
Scary: “Core production systems going into the cloud without necessary pilots and testing.”
Scary: “The marketing department of a major global corporate [buying a cloud solution] on condition that IT wasn’t told”.
Scary: “Cloud sales people talking directly to business units and selling them pie in the sky solutions without any considerations regarding shortcomings and compromises.”
Scary: “Users routinely implement their own cloud storage options/backup solutions with little regard or input from our internal IT team. It’s not that our IT team doesn’t have the right ideas or optimal solutions, they simply seem overwhelmed and understaffed.”
That last comment speaks to the challenge faced by already overstretched IT teams for whom keeping track of everything going on with cloud is hard enough, let alone finding the time and fighting the battles necessary to ensure that risks are properly managed. And with ad hoc cloud adoption leading to further fragmentation of systems and data, things will get even harder if left unchecked.
The growing phenomenon of ‘cloud sprawl’
Unilateral cloud adoption by business departments and individual users, a phenomenon which some refer to as ‘shadow IT’, increases security risks, but so does the relatively piecemeal way in which many IT departments have implemented cloud themselves. If truth be told, most organisations have not approached cloud in an organised manner, so are accumulating a sprawling and disjointed set of services. This came through strongly in the research in general, and was reflected in comments such as these:
Scary: “Externalising capabilities piecemeal without thought of the consequences.”
Scary: “MultiCloud – working with content spread over many unrelated clouds, with application security also spread across them.”
Associated with this, one of the scariest things some respondents alluded to was simply lack of visibility:
Scary: “I don’t like not knowing what data users are putting in cloud storage, and which services they are using.”
Scary: “To not know who is using what is probably the most scary part of all this.”
Scary: “The scariest thing is that most businesses don’t have a clue if they’ve lost any data.”
Elsewhere in the study, many respondents indicated that they knew they should be doing more to implement the tooling and other measures necessary to gain better control, but the age old problem of lack of management awareness, in turn leading to funding and resource shortfalls, also came through loudly.
While we have focused on the dangers of cloud in our discussion here, this is merely to highlight the risk of adopting services in an indiscriminate, ill-disciplined and uncoordinated manner. The advice that falls out of this is not to avoid cloud – that will be unrealistic for most organisations given the benefits offered and the general direction of the industry. The real imperative is to look at specific opportunities and risks in this area from a business standpoint. Hard as it is in many environments, this means business stakeholders and IT teams working together to agree priorities, trade-offs, and red lines beyond which no one should tread, no matter how loud or politically strong their voice happens to be. Get this piece right, or at least more right than it is in many organisations today, and you’ll be better able to stem the flow of all those ‘accidents’ waiting to happen.
In the meantime, if you are interested in reading more about the study we have been discussing, you can download a short summary of the research here.