Even with security and compliance concerns continuing to be inhibitors to cloud adoption by companies, the number of cloud purchases by individual business units is growing.
When business unit IT (BUIT) digital services are not sanctioned by centralized IT, they are often referred to as “shadow IT,” suggesting IT assets that are invisible to the IT department. According to Brian Lowans, principal research analyst at Gartner, these unsanctioned cloud services purchases are driving increased risks of data breaches and financial liabilities.
“Most organizations grossly underestimate the number of shadow IT applications already in use,” said Mr. Lowans. “A data breach resulting from any individual BUIT purchase will result in financial liabilities affecting the organization’s bottom line. Liabilities can be very large due to a mix of costs that include notification penalties, auditing processes, loss of customer revenue, brand damage, security remediation and investment, and cyberinsurance.”
Here are three key steps to mitigate risk:
Use Data Security Governance to Balance Local BUIT Growth Objectives Against the Risk of Data Breaches and Financial Liabilities
IT procurement controls are often bypassed, either by classifying Software as a Service (SaaS) or Business Process as a Service (BPaaS) as business services or by purchasing subscriptions below authorization thresholds via app stores or online. CIOs and CISOs must ensure data security governance is applied appropriately and proportionally to each business unit. BUIT purchasing should enable flexibility, innovation and growth of competitive advantage, but not at the expense of security.
Deploy Shadow IT Discovery and Data Protection Tools to Enable the Safe Selection, Deployment and Notification of Unauthorized Cloud Services
While many clouds can be shown to have good security, the data access risks and threats posed by users and administrators must be addressed. If left unchecked, the adoption of SaaS or BPaaS applications by business units, or even by individuals, raises the risks of accidental or malicious posting of sensitive data.
Shadow IT discovery tools are available from a number of cloud access security brokers (CASBs); they automatically scan the organization's network infrastructure (typically proxy, firewall and DNS traffic) to detect SaaS and BPaaS applications in use. These tools can report from either a security perspective or a software asset management perspective.
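The discovery step above, as an added illustration that is not Gartner's or any CASB vendor's code: it reads constructed web-proxy log lines, matches destination hosts against an assumed SaaS catalogue and sanctioned list, and ranks unsanctioned services by bytes uploaded so the governance review starts with the ones most likely to be carrying sensitive data.

```python
"""Minimal shadow IT discovery over proxy logs (added example; formats and names are assumptions)."""
from collections import defaultdict

# Constructed catalogue: SaaS/BPaaS domain -> service name. A real CASB ships a
# curated catalogue of thousands of services; these three are placeholders.
SAAS_CATALOGUE = {
    "sanctioned-crm.example": "SanctionedCRM",
    "filedrop.example": "FileDrop",
    "notes.example": "NotesApp",
}

# Services approved by centralized IT (assumption for the demo).
SANCTIONED = {"SanctionedCRM"}

# Constructed proxy log: "<timestamp> <user> <destination_host> <bytes_out>"
PROXY_LOG = """\
2016-05-02T09:01:10 alice sanctioned-crm.example 1200
2016-05-02T09:03:44 bob filedrop.example 5200000
2016-05-02T09:05:02 carol filedrop.example 800
2016-05-02T09:07:19 alice app.notes.example 300
2016-05-02T09:09:51 dave cdn.internal.example 100
"""

def lookup_service(host, catalogue):
    """Match the host or any parent domain (app.notes.example -> notes.example); never a bare TLD."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        service = catalogue.get(".".join(labels[i:]))
        if service:
            return service
    return None

def discover_shadow_it(log_text, catalogue=SAAS_CATALOGUE, sanctioned=SANCTIONED):
    """Return {service: {"users": set, "bytes_out": int}} for cloud services not on the sanctioned list."""
    found = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, nbytes = line.split()
        service = lookup_service(host, catalogue)
        if service is None or service in sanctioned:
            continue  # unknown host (not a known cloud service) or an approved service
        found[service]["users"].add(user)
        found[service]["bytes_out"] += int(nbytes)
    return dict(found)

def prioritize(findings, upload_threshold=1_000_000):
    """Rank unsanctioned services by upload volume; flag those over the threshold for data-leak review."""
    ranked = sorted(findings.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    return [(service, info["bytes_out"] >= upload_threshold) for service, info in ranked]
```

In practice the catalogue and log format come from the CASB or proxy in use; the ranking threshold is a policy choice that the governance stakeholders in the next step would set per dataset.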
Use Data Security Governance to Develop and Orchestrate Consistent Security Policies Across All BUIT for Each Prioritized Dataset
Data security governance must prioritize datasets with the highest risks and establish appropriate security policies and controls. This needs stakeholder input from the business units, IT, risk, compliance, governance and security roles. A balance needs to be struck between the required controls and subsequent loss of functionality in each application.
Orchestration of data security controls must be coordinated and consistent across different clouds and cloud instances. For example, data residency is a critical compliance issue that affects the implementation of data security controls due to the geographic origin, geographic storage locations of each cloud, and the geographic location of staff accessing each dataset.
Gartner clients can learn more in “Unsanctioned Business Unit IT Cloud Adoption Will Increase Financial Liabilities.” This report is part of the Gartner Special Report “Coming to Terms with Business Unit IT to Prepare for Digital Business,” a collection of research focused on not letting the problem of business unit IT hinder the changes needed to harness the power of digital.
Gartner analysts will provide additional analysis on cloud security trends at the Gartner Security & Risk Management Summits 2016 taking place in National Harbor, Maryland, Tokyo, Sao Paulo, Sydney, Mumbai and London. Follow news and updates from the events on Twitter at #GartnerSEC.