SAN JOSE, Calif. -- While enterprises may think they know just how many shadow cloud services their employees are using, they're almost always underestimating the number -- and the related risks -- according to security officials at Hewlett-Packard and SkyHigh Networks.
Shadow cloud and its risks were focal points of discussion at the Cloud Security Alliance Congress and International Association of Privacy Professionals' Privacy Academy events last week in San Jose. In one session, Andy Radle, cloud security architect at HP, and Harold Byun, senior product manager at SkyHigh Networks, discussed best practices for "corralling" and securing shadow cloud applications and services.
The first step, according to the session, is identifying just how much shadow cloud an enterprise is using. According to SkyHigh's recent Cloud Adoption & Risk Report for the second quarter of this year, enterprise customers have roughly 738 cloud applications and services in use. The survey, which included more than 200 global enterprises and data from 11 million users, highlighted cloud storage services like Box, Dropbox and Apple iCloud as well as social media tools such as Facebook, Twitter and LinkedIn.
Byun said the number of shadow cloud apps within an enterprise can vary wildly. For example, he said when SkyHigh began working with Cisco, which has more than 70,000 employees worldwide, the company believed it had between 50 to 70 shadow cloud apps and services. "We ran the analysis and it turned out they had over 3,000," Byun said.
And even seemingly innocuous social media services can carry quite a bit of risk, Byun said. One particular SkyHigh customer discovered that an employee was uploading hundreds of large video files, with the same size, to Pinterest and YouTube. Byun said SkyHigh examined the uploads and determined that the employee was embedding sensitive documents in the files.
Shadow cloud apps and services aren't necessarily a bad thing, Byun said, because employees are usually enabling themselves to improve productivity. But he stressed that it's important for enterprises to monitor usage of those services and apps to spot things like conspicuously large and repeated file uploads. "There is a way to get appropriate visibility into that usage and determine what is standard and what is not standard," Byun said.
Radle agreed, and argued that the second step is for enterprises to take a strategic look at shadow cloud apps and services instead of throwing up roadblocks. The use of shadow IT in general, he said, may be more of an indication that IT isn't being responsive to the needs of the business' employees and isn't as fast or as flexible to keep up with that demand. "Trying to stop that selection of [cloud] services is probably not going to win you a lot of friends," Radle said.
Instead, IT departments, CIOs and CISOs need to act as more of an enabler to help bring those cloud apps and services out of the shadows and properly secure and provision them, he said. To do that, they need to identify the cloud apps and services being used; Radle said HP uses SkyHigh Discover to help with that effort, but he also said there are simple ways to achieve visibility of those shadow cloud services and apps, including simple checks of employee expenses.
"Take advantage of your bookkeeping systems," Radle said. "For the most part, someone is paying for it, and you can find it in the bookkeeping because unless it's being miscategorized, then someone is being reimbursed for it."
Radle also said security teams need to monitor and analyze internal network information to see where traffic -- and data -- are going. HP looks at proxy login information to understand at least the on-premises traffic within the company, he said. Additionally, Radle said HP analyzes network flow information to gain additional visibility. If an employee is using Amazon Web Services, Radle said he'll look for SSH sessions to Amazon to determine if the employee is administering servers and developing software, for example.
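The proxy-log and flow checks described above (unsanctioned hosts, one user's repeated identical-size uploads, SSH into cloud provider address space), as an added example that is not HP's or SkyHigh's code. The log formats, the sanctioned list, the 10 MiB threshold and the 203.0.113.0/24 "provider" prefix are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed proxy log lines: user method host bytes_sent
PROXY_LOG = """\
alice POST pinterest.example 52428800
alice POST pinterest.example 52428800
alice POST youtube.example 52428800
alice POST pinterest.example 52428800
bob POST box.example 1048576
carol POST dropbox.example 2048
"""
# Constructed flow records: src_ip dst_ip dst_port
FLOW_LOG = """\
10.1.2.3 203.0.113.10 22
10.1.2.3 203.0.113.11 443
10.1.4.5 198.51.100.7 22
"""
SANCTIONED = {"box.example"}                               # assumed IT-approved list
CLOUD_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed provider range
LARGE_UPLOAD = 10 * 1024 * 1024                            # 10 MiB threshold (assumed)

def parse_proxy(text):
    """Each constructed line is: user method host bytes_sent."""
    return [{"user": u, "method": m, "host": h, "sent": int(s)}
            for u, m, h, s in (line.split() for line in text.splitlines())]

def discover_shadow_services(rows):
    """Visibility step: unsanctioned hosts in the proxy log, with distinct user counts."""
    users = defaultdict(set)
    for r in rows:
        if r["host"] not in SANCTIONED:
            users[r["host"]].add(r["user"])
    return {h: len(u) for h, u in users.items()}

def flag_repeated_large_uploads(rows, min_repeats=3):
    """Byun's indicator: one user repeatedly sending large, identically sized uploads."""
    stats = defaultdict(lambda: [0, set()])
    for r in rows:
        if (r["method"] == "POST" and r["sent"] >= LARGE_UPLOAD
                and r["host"] not in SANCTIONED):
            stats[(r["user"], r["sent"])][0] += 1
            stats[(r["user"], r["sent"])][1].add(r["host"])
    return {k: (n, sorted(h)) for k, (n, h) in stats.items() if n >= min_repeats}

def ssh_to_cloud(text):
    """Radle's flow check: internal hosts opening SSH (port 22) into the cloud prefixes."""
    return [(s, d) for s, d, p in (l.split() for l in text.splitlines())
            if p == "22" and any(ipaddress.ip_address(d) in n for n in CLOUD_PREFIXES)]
```

Running the three checks over the constructed input surfaces the same pattern the article describes: one user pushing four 50 MiB uploads of identical size to two video and image sharing services, plus one internal host administering machines over SSH in the assumed provider range.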
As for security tools and products, Radle advocated the use of a variety of security tools and services, from security event monitoring to identity and access management. "It's not just one tool. It's a set of things that you have to put together to look at this overall issue," Radle said.
HP uses many of its own products, Radle said, such as HP ArcSight for proxy and firewall data. The company is also using HP Autonomy to analyze a big data archive of proxy logins and other network information and look for odd incidents or behavior.
"In some cases we're actually looking for needles in a haystack, but that's what we want to be able to do," he said. "If something weird is happening, we want to be able to see it. And in some cases, weird could be a business opportunity or it could be a really bad attacker. But you've got to react."
In addition to the right tools and network information, Radle said privacy professionals can provide valuable insight and navigation for private customer data. In that regard, he said, privacy teams need "a seat at the table" when an enterprise is developing security policies and reviewing potential cloud apps and services.
But both Radle and Byun stressed that even careful monitoring of cloud apps and services won't prevent cloud breaches and that enterprises need to have a response plan in place for when such a breach occurs.
"The question as it relates to cloud isn't if the service has been breached or when were [enterprises] breached," Byun said, "but when are they going to be breached, when are they going to be breached again, and how can you respond in the wake of that."
Karima Saini, senior compliance officer at Union Bank, said she isn't too fearful about her company suffering cloud breaches of crucial data because in adherence with regulatory laws, that data is heavily protected. Still, she said, there are some cloud services employees use that could potentially leak data of lesser value.
"There are some areas like social media and marketing that banks like ours have to monitor," Saini said.
Attendees largely agreed that shadow cloud apps and services can be a good thing. Tal Klein, vice president of strategy & marketing at security vendor Adallom in Palo Alto, Calif., said he doesn't think companies should be afraid of shadow cloud and is seeing a change in how many companies view it. "I think CISOs used to serve as prison wardens when it came to cloud," Klein said. "But now they're acting more like crossing guards."