Security Bytes

Jan 15 2016   9:46PM GMT

Raising awareness: Cisco takes aim at shadow IT

Kathleen Richards

Cloud Security
Cloud Services
Shadow IT

Most people have encountered the cloud at work, whether it’s downloading files from an external business contact’s Dropbox or hearing through the grapevine that your department is now “moving” to a cloud service. Security controls in many of these initiatives are handled (you hope) by someone at the company who is setting policy about these rollouts and what types of applications and sensitive data can be placed in the cloud.

Turns out, that isn’t happening as much as it should. Shadow IT spending often may exceed 30% of IT budget spending, according to Matt Cain, research vice president at Gartner, who expects that number to go up because employees want applications and services before IT can authorize and support them.

This week Cisco is rolling out Cloud Consumption as a Service to help large to mid-sized businesses track their employees’ use of shadow cloud services. Cisco also offers consumption services through its global service organization.

According to Cisco, Cloud Consumption as a Service will help companies monitor public cloud services in use and better control data protection, cost and regulatory compliance. The software as a service (SaaS) enables companies to sort cloud providers by risk, remove redundant services and benchmark cloud usage to help CIOs gain control of costs, which are sometimes hidden. In addition to discovering shadow services and identifying who is using them, security professionals can create triggers and alerts to detect abnormal usage patterns. The cost of these services is $1 to $2 per month per employee.

Sounds like a good idea, but tracking cloud usage isn’t the only problem.

Many security professionals describe shadow IT services as “circumventing” IT and security teams. In some cases, that is probably true. According to Gigaom Research, 81% of employees admitted to using unauthorized public cloud services but only 38% deliberately avoided the IT approval process.

In many organizations, there is still no policy in place about public cloud services and how they should be handled at the company. Do you really need a tool to monitor cloud usage or a policy that IT and department heads can use as guidance for these cloud initiatives? The problem often isn’t circumvention or too much red tape—it’s a failure to get policy and procedures (and bodies) in place in front of a coming storm. Virtual machines that go unchecked; unpatched legacy applications that newbies on staff don’t really know how to fix; and now, with a mobile workforce that has moved beyond SharePoint, the inevitable cloud sprawl.

Security questions come up in a department meeting about a cloud deployment, and people look confused and say, “I think Joe in IT probably knows the answer to that question.” Turns out he doesn’t.

1  Comment on this Post

  • Kevin Beaver
    Good write-up Kathleen. Users are almost always going to take the path of least resistance to get done what they want to get done. It's incumbent on IT/security teams and management to do what it takes to set everyone up for success!