Even with security and compliance concerns continuing to be inhibitors to cloud adoption by companies, the number of cloud purchases by individual business units is growing.
When business unit IT (BUIT) digital services are not sanctioned by centralized IT, they are often referred to as "shadow IT," suggesting IT assets that are invisible to the IT department. According to Brian Lowans, principal research analyst at Gartner, these unsanctioned cloud services purchases are driving increased risks of data breaches and financial liabilities.
“Most organizations grossly underestimate the number of shadow IT applications already in use,” says Lowans. “A data breach resulting from any individual BUIT purchase will result in financial liabilities affecting the organization's bottom line. Liabilities can be very large due to a mix of costs that include notification penalties, auditing processes, loss of customer revenue, brand damage, security remediation and investment, and cyberinsurance.”
Here are three key steps to mitigate risk:
Use Data Security Governance to Balance Local BUIT Growth Objectives Against the Risk of Data Breaches and Financial Liabilities
IT procurement controls are often bypassed, either by classifying Software as a Service (SaaS) or Business Process as a Service (BPaaS) as business services or by purchasing subscriptions below authorization thresholds via app stores or online. CIOs and CISOs must ensure data security governance is applied appropriately and proportionally to each business unit. BUIT purchasing should enable flexibility, innovation and growth of competitive advantage, but not at the expense of security.
While many clouds can be shown to have good security, the data access risks and threats posed by users and administrators must be addressed.
Deploy Shadow IT Discovery and Data Protection Tools to Enable the Safe Selection, Deployment and Notification of Unauthorized Cloud Services
While many clouds can be shown to have good security, the data access risks and threats posed by users and administrators must be addressed. If left unchecked, the adoption of SaaS or BPaaS applications by business units, or even by individuals, raises the risks of accidental or malicious posting of sensitive data.
Shadow IT discovery tools are available from a number of cloud access security brokers (CASBs) that can automatically scan the organization network infrastructure to detect SaaS and BPaaS applications. These can also provide a security perspective or software asset management perspective.
Use Data Security Governance to Develop and Orchestrate Consistent Security Policies Across All BUIT for Each Prioritized Dataset
Data security governance must prioritize datasets with the highest risks and establish appropriate security policies and controls. This needs stakeholder input from the business units, IT, risk, compliance, governance and security roles. A balance needs to be struck between the required controls and subsequent loss of functionality in each application.
Orchestration of data security controls must be coordinated and consistent across different clouds and cloud instances. For example, data residency is a critical compliance issue that affects the implementation of data security controls due to the geographic origin, geographic storage locations of each cloud, and the geographic location of staff accessing each dataset.