Shadow cloud services pose a growing risk to enterprises
By Jaikumar Vijayan, Computerworld | August 25th, 2014
Non-approved SaaS apps are growing rapidly, says PwC.
A growing tendency by business units and workgroups to sign up for cloud services without any involvement from their IT organization creates serious risks for enterprises.
The risks from shadow cloud services include issues with data security, transaction integrity, business continuity and regulatory compliance, technology consulting firm PricewaterhouseCoopers (PwC) warned last week.
“The culture of consumerization within the enterprise — having what you want, when you want it, the way you want it, and at the price you want it — coupled with aging technologies and outdated IT models, has propelled cloud computing into favor with business units and individual users,” PwC said in a report.
Increasingly, workgroups and even individual users in companies are subscribing directly to cloud services for business reasons because it is easy and relatively inexpensive for them to do, said Cara Beston, cloud risk assurance leader at PwC.
“There is a new form of shadow IT and it is likely more pervasive across the company” than many might imagine, given the easy access to cloud services, Beston said. “It is harder to find, because it is being procured at small cost and is no longer operating within the bounds of the company.”
Some typical use cases for shadow cloud services include collaboration software, storage, customer relationship management apps and human resources.
The Software as a Service (SaaS) delivery model allows business units and workgroups to quickly deal with business process challenges without having to wait for IT to help out. The fact that the cost for such services is usually an operating expense rather than a capital expense is another advantage.
“Shadow cloud is happening under the radar” at many organizations, Beston said. Without governance, such cloud services present significant data security risks and the potential for technology and service redundancies.
Risks include inadvertent exposure of regulated data, improper access and control over protected and confidential data and intellectual property and breaching of rules pertaining to how some data should be handled.
Companies in regulated industries face a real risk of becoming non-compliant with data security and privacy obligations without even realizing it. Importantly, while many business users sign onto cloud services because of the perceived lower costs, a lack of control over how the services are being used can often result in service duplication and higher-than-anticipated operational costs, she said.
Cloud services for work groups of between five and 10 business users can range from as little as a few hundred dollars a month to a few thousand dollars. But the costs can quickly get out of control when all the different groups that might be using similar services within an organization are counted.
“Suddenly, shadow cloud is a potentially pervasive gateway to new and unknown risks, spiraling growth of operating costs, and potential increase in redundancies,” the PwC report said.
Getting a handle on the issue is a job for the CFO and the CIO, Beston said. The first challenge is just to discover all the cloud services that might be operating under IT’s radar, she said.
That task can require a combination of automated and manual discovery methods to locate where cloud services are being used and what kind of data might be hosted or shared with the provider.
Once all shadow cloud services have been uncovered, companies need to create a cloud services portfolio listing the services that should be banned or restricted for any reason, those that are approved and those that need to be managed centrally to minimize risk.
Other reports have echoed a similar resurgence is shadow IT in recent times as the result of consumerization and the easy availability of cloud services.
In a survey of 300 IT employees and 300 line-of-business managers ( download PDF) conducted by Frost & Sullivan on behalf of McAfee last September, 80% of the respondents said they used SaaS applications that had not been approved by IT. Surprisingly, more IT users admitted to using non-approved IT cloud services than line-of-business users.
On average, companies covered in the survey used about 20 SaaS applications, of which 35% were non-approved.
“The high penetration of non-approved apps argues that such usage is no longer in the shadows, but very open.”