Bring your own device (BYOD) may have been a hot topic over the past decade, but now CIOs are grappling with something else: bring your own cloud. Employees, frustrated with in-house IT services that don’t measure up, are signing up for external SaaS services without the IT department’s consent.
These services may not align with corporate security policies, and yet users can still store sensitive data in them and even use them to handle company data while not on the enterprise network. What should IT departments be doing about it?
CIOs seem more confident today about employees’ cloud usage than they did two years ago. The 2016 Global Data Cloud Security report, researched by the Ponemon Institute, found that 54 per cent of respondents are confident or very confident about employees’ cloud usage today. This means that a little under half of all respondents aren’t confident about what cloud services their workers are using.
It’s difficult for IT departments to guarantee security in a cloud environment at the best of times, and harder still when they are dealing with an unknown quantity. In a worrying 40 per cent of cases where companies see users bringing their own cloud services, it’s simply because security evaluations aren’t a priority.
Even when companies do care, they’re largely unable to stop users bringing consumer-grade cloud services to their door. Seven in 10 IT pros in this group said they couldn’t control their users. In 41 per cent of cases, no one is in charge of this process, and even when people are, there simply aren’t enough resources to evaluate what users are doing.
What can companies do about this? A security policy is the obvious answer, restricting employees from using unapproved services. But the stick rarely works without a carrot.
Brendan O’Connor, security researcher and senior security advisor at Seattle-based Leviathan Security Group, argues that IT departments should adopt the Peelian principles of policing. Named for U.K. home secretary Sir Robert Peel, who set them out in 1829 as the first official police forces came into being, they describe how police should behave. Enforcers should maintain law and order not through force, except where absolutely necessary, but by working with the public and obtaining their consent.
The same goes for security pros, said O’Connor, arguing that security shouldn’t be an end in itself, but rather a support function. “So let’s cast ourselves in the support team role. The security person should say ‘yes, I will do the research to figure out how we can make that happen.’”
In an environment where consumers are conditioned to demand convenient online services, IT departments must cater to them. Doing that in-house may be difficult; after all, not every IT team can afford a portfolio of in-house software to satisfy users’ every whim.
The alternative is to broker external cloud services for employees, which would give the IT department an opportunity to evaluate their security and approve them.
This reliance on external services is already making its way into some communities, such as state governments in the U.S., pointed out Doug Robinson, executive director of NASCIO, which represents state-level CIOs south of the border.
“The [U.S. is] moving toward a more service-centric environment, where they’ve been traditionally system-centric and focused on buying, operating and running. I think the future is going to be more contracting and managing in a hybrid world,” said Robinson. “They’ll move to consuming these services on subscription rather than being capital-intensive.”
This will require a measure of agility in IT departments, which must be nimble enough to hear users’ demands, procure a solution and evaluate it for security.
The Ponemon report suggests this may present its own challenges. If anything, the onus on evaluating the security of cloud providers is shifting to the end-user. Three in 10 companies rely on users to tell whether cloud services are secure. Corporate IT decides in just 23 per cent of cases, and information security pros in just 15 per cent, according to the report.
Moving to a more collaborative relationship between IT and users may be a daunting prospect for many CIOs used to a more authoritarian model of IT. The alternative isn’t very appealing, though, as it involves buying tools to stamp out unauthorized use of consumer cloud services. Those games of IT whack-a-mole can be expensive, and frustrating for all concerned.