Hey, You, Get off of My Cloud
In May, Gartner released a report titled “Don’t Let Cloud Migration Flip Your Network and Put Users in Charge of Enterprise Security,” which is a pretty good read, focusing on how the cloud can be detrimental to the overall infrastructure of organizations. Basically, organizations are moving to the cloud as if they were adding a new application on-premises, and are not taking cloud considerations into account when designing what their cloud architecture should look like.
One of the things the report suggests focusing on is Shadow IT, which refers to IT systems built and used within organizations without explicit organizational approval, for example, systems specified and deployed by departments other than the IT department.
According to a Netskope study in February, “The average number of cloud apps used in the enterprise is 1,181. Very high percentages of these apps are not enterprise-ready in terms of security and EU General Data Protection Regulation (GDPR)-level privacy.” And OneLogin states that 71 percent of end users are using software not sanctioned by the organization. Here’s one more scary statistic – a study from EMC suggests that data loss and downtime cost a total of $1.7 trillion each year.
Gartner studies have found that Shadow IT comprises 30 to 40 percent of IT spending in large enterprises. What do hackers think? According to EdTech Magazine, “33 percent is the estimated percentage of successful attacks on institutions that will occur in shadow IT resources by 2020.” It is impossible for organizations to protect and monitor their infrastructure when Shadow IT practices are being used. Ok, I think we can all agree that Shadow IT should make the security folks quite nervous, as well as busy, and the executives sit up and take notice of the cost and the enormous risk involved.
Can you eliminate Shadow IT? Probably not, unless you are a miracle worker. You do have to get a handle on it and, if you are lucky, take control of it. From an end user perspective, the IT department used to hold the keys to the kingdom, but not anymore. They’ve also acquired an undeserved bad rap with most end users. Today’s end users are technically savvy and have taken the approach that if they need functionality they don’t have, they will download it, and if they need storage, they will upload it. Data stored in the cloud is an insider threat, regardless of whether caused by naivety, negligence or, worse yet, malice. This data may include intellectual property, confidential business information, usernames, passwords, or highly regulated information such as healthcare, personal, or financial details.
The solution includes negotiation, education, and the ability to identify sensitive information at risk. Negotiation includes end users fessing up to what they are either using or storing, and IT teams should evaluate whether the users are justified and then can sanction activities as needed. Education would help, at least make end users think before they go to the cloud to discover software or upload confidential information.
Now we come to technology. Instead of wondering around in the dark, many of our clients use our software to generate an inventory of exactly what is in the hidden areas of the cloud and who owns it. Makes life a bit easier. Our content optimization offering is a platform-independent solution that is available on-premises, in the cloud, or in a hybrid environment. It can run in real time and notifies designated staff when violations occur. The solution provides detailed information on the ‘content in context’ found in file shares, the cloud, OneDrive for Business, emails, and attachments. And in a data discovery scenario, identifies specific subjects or topics, such as privacy or sensitive information vulnerabilities.
Because of the unique compound term processing capability that generates multi-term metadata, administrators can specify verbiage in the form of phrases, rather than keywords, within the taxonomy. The conceptClassifier platform generates multi-term metadata and classifies it against one or more taxonomies. The platform performs a detailed file analysis and content inventory. Based on classification decisions, action is taken on the content, enabling it to be either managed in place or automatically moved to a more appropriate repository.
Since 80 percent of an organization’s data is unstructured, without such technology, unstructured data will continue to be the Achilles heel of cyber defense.