Skip Links

Policy, education key to reining in rogue cloud

Unauthorized employee use of cloud services is big business for providers but can cause security problems for enterprises

By Nancy Gohring, IDG News Service
December 15, 2010 11:02 AM ET

IDG News Service - It used to be that rogue access points and USB drives kept IT administrators up at night, worrying about employees exporting sensitive corporate data. Now, with good reason, they're worrying about employees using cloud services in ways that could compromise corporate data.

Controlling employee use of the cloud isn't easy--there's no simple way to block all unauthorized services. But creating a detailed policy and proactively educating users about it can make a big difference, experts say.

Because cloud services are designed to be easy to set up, employees are starting to use them in ways that could cause problems for their employers. They could be simply using services, like Google Docs, that are hosted in the cloud. Or, they could be running corporate applications or services on hosted offerings like Amazon Web Services.

For instance, one popular way to get data onto an iPad is using Dropbox, an online file backup service. An employee might upload a sensitive document to Dropbox in order to access it from an iPad. "But where's Dropbox's data stored? You may have deleted it from Dropbox, but is it being backed up somewhere?" asked Ian Gotts, CEO of Nimbus, a company that offers business process management software and services.

The answers to those questions could comply with corporate policies, but might not, and the employee likely has no idea.

In addition to signing up for services, like Dropbox or Google Docs, that use the cloud, employees are also starting to use infrastructure-as-a-service offerings from companies like Amazon and in doing so may break IT policies. Users can sign up for Amazon Web Services online with a credit card and get started right away.

Rogue IT is a "massive source of business for many hosting companies," said Phil Shih, an analyst with Tier 1 Research. "It has really spurred some of the momentum in the cloud business."

Employees are using such services for different reasons. "It is very easy to provision a server and be able to spin it up," said Allen Allison, chief security officer with NaviSite, a company that offers hosting and managed cloud services. "The reason could range anywhere from setting up a server for personal use because you like to blog about 'Dancing with the Stars' to hosting child porn."

An employee could sign up for such services, however, because it's simply an easier way to provision a server for a legitimate corporate application. "The reality is, it points to internal developer frustration with internal IT," said Kenneth Ziegler, president and chief operating officer for Logicworks, a company that recently launched a public cloud offering. IT administrators may take several months to provision a server for an employee. Services from companies like Amazon let users get started on a new server sometimes within minutes.

In doing so, an employee could not only break IT policies but also the law or agreements with a partner. That could happen if the employee uploads certain kinds of data to a cloud service that might store data outside of the country, for instance.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News