By Ken Shaw Jr.
If your customers aren’t fighting the "stealth cloud," they should be — it’s a huge problem that has only gotten worse.
CIOs and CTOs refer to the various publicly available online services their teams are using without their approval as the "stealth cloud." For example, CIOs don’t have any control over or access to business data stored in an employee’s personal Google account, and according to surveys, companies are banning use of sites like Dropbox to avoid potentially expensive and embarrassing data loss.
Consider an employee of a defense contractor using something like Microsoft SkyDrive. What happens to those files when the employee leaves the company? What are the implications if a third party has unknown access to extremely sensitive data? That’s enough to give any CIO or CTO serious heartburn.
Why should your customers be concerned?
1. IT departments are slow and it’s easier to expense it.
You probably don’t have a lot of customers who claim their IT department is the fastest-moving part of their company. Employees also find it easier to use inexpensive, easily available cloud-based services to get things done, and to expense them along with other small purchases, instead of requisitioning what they need internally. Data can easily end up in unexpected places without anyone knowing.
2. It’s hard to actually find the problem so you need to be preventative.
The stealth cloud is difficult to root out — especially since services can usually be accessed from anywhere, such as insecure personal BYOD devices, with maybe just a simple password keeping the data safe. You can monitor Web traffic and block offending websites — but what about IP-hiding proxies and other “private VPNs” that completely undermine those security measures? By providing the right solutions internally you can prevent security breaches before they happen, since employees won’t have to leave your ecosystem to get work done.
3. Your customers are most likely doing this to themselves.
Internal departments may think they’re doing the right thing by using various services to get the job done, but many times CIOs aren’t consulted on the use of these services and no proper technical evaluation is ever done to ensure privacy of the right data when necessary. It’s important to constantly inventory your data — what it is, where to find it and who has access.
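One way to start the Web-traffic monitoring and data inventory described in points 2 and 3, as an added example that is not part of the original article: a Python script that totals uploads per user to a watch list of storage services from proxy log lines. The log format, the watch list, the internal host name and the sample lines are assumptions constructed for illustration, and the script only sees traffic that actually passes through the proxy.

```python
from collections import defaultdict

# Assumed watch list: domain suffixes for the storage services the article names.
UNSANCTIONED = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "skydrive.live.com": "SkyDrive",
}

# Constructed sample lines: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2013-05-01T09:12:03 alice POST client.dropbox.com 5242880
2013-05-01T09:14:40 bob GET www.dropbox.com 0
2013-05-01T09:15:10 bob PUT skydrive.live.com 1048576
2013-05-01T09:20:00 carol POST files.corp.example 7340032
2013-05-01T09:21:30 alice POST notdropbox.com 2048
2013-05-01T09:25:00 alice PUT drive.google.com 3145728
malformed line
"""

def match_service(host):
    """Return the service name if host is a watched domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    for suffix, name in UNSANCTIONED.items():
        # Require a label boundary so "notdropbox.com" does not match "dropbox.com".
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def inventory_uploads(log_text):
    """Sum bytes uploaded (POST/PUT) per (user, service) for watched services."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed records rather than abort the report
        _, user, method, host, sent = fields
        service = match_service(host)
        if service and method in ("POST", "PUT"):
            totals[(user, service)] += int(sent)
    return dict(totals)

def report(log_text):
    """Return ((user, service), bytes) rows, largest upload volume first."""
    return sorted(inventory_uploads(log_text).items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (user, service), sent in report(SAMPLE_LOG):
        print(f"{user:8} {service:14} {sent / 1048576:.1f} MiB uploaded")
```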
There are a few ways you can help your clients fight the stealth cloud:
- Put a private cloud in place for the most sensitive customers.
For many organizations it’s unacceptable for data to leave their security umbrella. Set up a private cloud for these types of customers. This can be as simple as a virtual machine hosted anywhere or as complex as an existing hybrid cloud that utilizes on-premises infrastructure and public clouds such as Amazon S3.
- Use local disk encryption.
Most common operating systems have local file encryption built in as an option, either of an entire disk/volume or of individual files/folders. Files copied surreptitiously from an encrypted machine won’t be easily opened on another without the appropriate security certificates.
- Use end-to-end encryption when storing data in any cloud.
Many cloud services provide a layer of encryption on their customers’ data — this is a prudent but mediocre security measure since that encryption layer is managed by the service provider, not your customer’s CIO. In other words, an untold number of the provider’s employees could potentially have access.
Some providers offer end-to-end encryption with a private key known only to the account holder (or CIO) used for the local encrypting. This means that data is protected before it leaves a computer and then stays encrypted in the cloud or wherever it might end up.
With a bit of research, you will find there are services available you can resell that can be deployed within your customers’ private clouds, or used publicly with end-to-end encryption. Use them to provide “box-like” collaboration, sharing and syncing while mitigating stealth cloud security risks.
Ken Shaw Jr., CEO and CTO of InfraScale, is an experienced technologist and entrepreneur in the cloud storage and online backup industry. He has consulted for the U.S. government on offshore technology trade policy and ran two Australian businesses that focused on custom private cloud backup, storage and content management solutions for SMBs.