Cloud creep: Is your business in control?

Imagine a business development manager is on a Skype call with a potential customer and they feel like they're ready to close if they can just show the contract terms then and there. Instead of sending a hard copy by courier, they send it through Skype's chat facility.

They've just sent very secret information about your business to some server heaven-knows-where, where it will sit for heaven-knows how long, run by a service whose security policies you know nothing about and have no say in. The service may even be run by one of your competitors.

The potential for data leaks like the above happens every day when organisations don't have the knowhow or the policies for employees using the cloud. You need what's called a cloud posture, and if it's 'we don't use cloud services', it might be even more important to take a close look at your organisation. According to at least one expert, you do use cloud services — you just don't know it.

The shadow cloud

Your organisation's approved, official cloud services are probably locked down infrastructure- or software-as-a-service (IaaS, SaaS) products from an approved provider where you control the workflow and security. But many of your staff — just like they do on their personal computers and devices — use Facebook, Twitter, Pandora, Dropbox, OneNote and a host of other tools to access and move data. They're all cloud services, and thanks to their ease of use, and low footprint and bandwidth profile, they might be causing 'cloud creep', exposing your organisation to a threat profile you've never considered.

Jason Ha, national manager of security practice for Dimension Data in Australia, has frightened plenty of executives by showing them how much cloud exposure they really have, and he says there are as many ways your intellectual property (IP) or security might be at risk as there are tools out there and staff using them.

"Approaching a data provider to get an audit of your exposure is a good — and sometimes free — start."

"It's not as painful or intrusive as it sounds, because your cloud profile can usually be taken from a simple set of logs."

"It can be done as a snapshot in time or set up to provide live monitoring of your data channels over time to find the cloud creep culprits."

"It can be quite innocent, but when you look into that collaboration service, you discover it's a code sharing site hosted in China," he says, "and your developers are putting your IP into it because they think someone's going to test their code for free."

Ha adds that in most cases when he performs an audit, his customers have an average of six times the cloud exposure they thought they did. "Just because you have a positive position on IaaS doesn't mean you have a sufficient risk posture around off-the-shelf services," he says.

When asked how many companies are using cloud services they don't know about, Ha doesn't hesitate: "I'd say 100 percent."

"Some organisations have a better handle on either IaaS services or off-the-shelf products. Some have no handle on either — they're using cloud services they've never heard of before. That's when we scare the bejesus out of them."

Other cloud services and independent experts ZDNet spoke to confirmed Dimension Data's experience. It's also becoming a bigger problem because of mobile, says Eyal Iffergan, CEO of technology consulting firm Hyperion Global Partners.

"Cloud based tools are part-and-parcel to mobility devices and there's no way to completely eliminate or control their use," he says.

None of the above means your organisation is full of spies selling your business intelligence to Eastern European hackers. Usually the one off utilities that cause cloud creep are simple to find, install, use, and fulfill an immediate business need — some users might not even realise they're cloud-based.

Whatever the case, the first step is to find out what's being used, make sure it's being used legitimately, and assess what sort of controls you need to put in place.

Technicalities and impacts

It might be tempting to think you can use technology to defend against cloud creep the way some organisations block access to social media, but it can be an uphill battle, and it will take work and money — work and money you could be putting towards more important IT needs.

"You can use internet proxy policies to block certain categories of traffic, like file storage and sharing tools," says Pierre-Olivier Blu-Mocaer, Asia-Pacific head of IT for asset management firm Schroders. "Those categories and their lists of sites are managed by third-parties, and some blacklisting can be done internally. You can also implement desktop policies to prevent users from installing or using unauthorised software."

But such an approach might only lead to false positives by blocking legitimate applications, and even if you respond to every possible contingency, users are smart enough to search for workarounds when a new need arises.

And even if you have a strict 'no cloud' policy, Dr Trevor Nagel — who wrote a 2012 report on Cloud Computing for the World Bank — says you'll still be reliant on technology.

"A 'no-cloud' policy means you're completely dependent on firewalls for data protection," he says, "and the history of data breaches throughout the world is evidence they're not necessarily safe."

Unknown cloud exposure can put you at risk of all sorts of business impacts. Even aside from the business risk of IP flung to the four corners of the globe, some data sovereignty or protection is covered by law, and can expose your business and directors to significant risk — especially if you hold details on customers.

Catherine Leyen, CEO of medical software startup, Radiup, tells the story of a US hospital executive who was strictly forbidden to use any cloud services.

"With a potential fine of $10,000 per incident for the release of patient information of any kind, they will only sign contracts with companies that guarantee a 'no leakage by accident' policy," she says.

It's also about more than just security. Resources can take an unexpected hit, as technology and cloud consultant Christian Petrou of desktop-as-a-service company VDI Space explains. Web based services, for instance, can create what he calls 'ridiculous' amounts of temp files. Even seemingly robust services like box.com can create cumulatively large log data.

"The last job we had to troubleshoot for a client involved in excess of 12GB of log files in a single 24 hour window," Petrou says.

Stamping out creep

So what's the answer? Step one, obviously, is to have an organisation-wide cloud policy, because even if it's still 'no cloud', you need guidance systems to avoid the problems above.

Next should be an effort to deploy approved, closely-monitored applications for whatever your staff want to do, and that means getting everybody who is going to be affected together from the beginning.

"The whole visibility and assessment side of cloud exposure [among management] isn't designed to understand the fundamental usage profile of the organisation," Dimension Data's Jason Ha says. "Often it's the business that drives the desire to do something before IT is at the table. Then IT security comes along and wonders what all these services are that are being used."

In a bigger company where divisions are semi-autonomous and even more disconnected from IT projects and budgets, cloud creep can be even more insidious. Paul Diamond, technology engineer of telecommunications and data centre provider Markley Group, uses the term BYOC (bring your own cloud), and he warns that IT or management inaction can make things worse.

"Department heads are budgeting to purchase [cloud services] themselves and hiding it as a cost of doing business while the corporation takes its time deciding what to do," he says. "It goes without saying this poses a huge security risk."

Technology consultant Neil Sly adds that the key is to get ahead of the curve and give your staff options you can control.

"Listen to your users, give them what they need, and move on with enabling solution building, not problem avoidance," he says. "A 'don't use the cloud' memo isn't going to cut it."