Posted on 04 Feb 2013 by Neilson
A survey from Symantec Corp. shows many companies are reporting exposure of their confidential information from rogue cloud deployments.
It's normally not done maliciously, but in their zeal to save the company money, or to avoid the corporate bureaucracy, some employees choose to store sensitive company information in the cloud without working with their IT department to make sure the information is stored in a way that can better protect it from possible breaches.
Done maliciously or not, companies can face legal action if data improperly stored in the cloud is used in a way that harms a customer or an employee, as well as a black mark that could taint their reputation and brand.
Symantec's survey found, for those companies that reported rogue cloud deployments, 40% reported exposure of confidential company information, and more than 25% had to deal with account takeover issues, defacement of Web properties and stolen goods or services. Three-quarters of those surveyed said the issue of rogue cloud information was found in their organization.
The Symantec survey was conducted in September and October 2012 and queried business and IT executives at 3,236 companies from 29 countries.
One example of such a rogue cloud deployment would be an employee using an unauthorized file-sharing service to share private company information with outside vendors, or a sales manager signing up his staff to an outside service without working through the IT department.
Asked why they would do this, 20% of those surveyed said they didn't know they were exposing their company to a risk of a data breach, with most saying they did so to save time and money and to avoid IT because going through IT would make the process harder.
The survey asked, "How is the frequency of rogue cloud projects changing over time?" It found 50% saying the frequency remained the same, 25% saying it was becoming slightly more frequent, 4% saying it was becoming much more frequent, 14% saying it was becoming slightly less frequent and 7% saying it was becoming much less frequent.
"Normally people have good intentions, or they're trying to do something more conveniently rather than going through IT, but it poses a real danger by circumventing all IT security systems," said Eric Friedberg, co-president of Stroz Friedberg, a New York-based data-risk management and investigations firm. "The solution ends up behind different forms of log analysis and scanning to be able to detect that employees are doing that," as in many cases a company cannot interview all of its employees to find out what they are putting in the cloud.
Friedberg said his company conducts sweeps of the Internet to see what information a company has out there. Most of the rogue information is subject to public exposure because employees misconfigure their cloud servers to make that information publicly available. "One of the reasons that companies are victimized by rogue cloud implementations is because they are not regularly doing data-privacy audits and data mapping," he said. "Data mapping is an exercise whereby you really take stock of what systems you have and what data is on them."
The phenomenon of rogue cloud implementations is similar to what companies faced in the early days of corporate Wi-Fi when employees set up unauthorized and unencrypted hotspots that allowed people on the street to connect into a corporate network, Friedberg said, adding the problem was solved as practices matured and privacy audits became standard to search for unauthorized wireless entry points into the network.
"Now, because of cloud implementation, security audits and privacy audits have to encompass what data from their servers is out on the Web that they are not familiar with," Friedberg said. "That is the solution to that."
Education is key to making sure employees understand the risks involved in going rogue when it comes to posting and storing company information, he said. "Education is one of the great risk reducers," Friedberg said.
Companies also can purchase cyber liability insurance as a way to protect themselves from lawsuits and the costs of investigating breaches and notifying potential victims.