CIO Discovers the ‘Terrifying’ Reality of Cloud Apps Running Wild
Rogue cloud services are ripping gaping holes in the security fabric of most companies, putting the CIO in a tough spot. But as the fallout from the Target attack shows, IT and business leaders will go down together if the breach hits the fan.
CIO Michael Keithley has held the top tech post at Hollywood talent company Creative Artists Agency for nearly a quarter of a century, so you’d think he knows just about everything going on technically at the firm. He thought so, too.
Keithley figured there were 50 or so cloud services running on Creative Artists Agency’s global enterprise network, but decided to make sure.
He ran Skyhigh Networks cloud security software that shines a light on shadow IT, and the report spit out an outrageous number: more than 1,600 cloud services in play. Some of the nastiest sites came out of the Eastern Bloc and were clearly trying to trick people to give up sensitive data.
“CIOs can tell business managers, if you choose to take the risk … and the data is compromised, it’s going to be you and me in front of the board of directors, not just me alone.”
— Rajiv Gupta, Skyhigh
“Once you get over the shock of the gap, you look at the risk profiles of those services, and that’s just downright terrifying,” Keithley says.
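A stripped-down version of the kind of discovery report the article describes, added here as an illustration and not code from the article, from Skyhigh Networks or from Creative Artists Agency: it reads web-proxy log lines, maps destination hosts to a small catalogue of cloud services with a risk tier, separates sanctioned services from the rest, and tallies users and upload volume per service. The log format, the catalogue entries, the `.example` domains and the risk tiers are all constructed for this example.

```python
"""Shadow-cloud discovery from proxy logs (constructed example, not a product's code)."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed catalogue: registered domain -> (service name, category, risk tier).
# Commercial discovery tools carry thousands of entries; these four are illustrative only.
CLOUD_CATALOGUE = {
    "box.com": ("Box", "file-sharing", "low"),
    "salesforce.com": ("Salesforce", "crm", "low"),
    "quicksync.example": ("QuickSync", "file-sharing", "medium"),
    "sharefast.example": ("ShareFast", "file-sharing", "high"),
}

# Constructed proxy log: "<timestamp> <user> <method> <url> <request_bytes>".
# The last line is deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2014-05-12T09:14:02Z alice GET https://app.box.com/folder/12 2048
2014-05-12T09:15:44Z bob POST https://files.sharefast.example/upload 5242880
2014-05-12T09:16:10Z carol PUT https://sync.quicksync.example/api/put 1048576
2014-05-12T09:17:30Z dave POST https://files.sharefast.example/upload 1048576
2014-05-12T09:18:01Z alice GET https://na1.salesforce.com/home 4096
2014-05-12T09:19:45Z erin GET https://www.example.org/news 1024
2014-05-12T09:20:00Z malformed
"""


def registered_domain(host):
    """Collapse a hostname to its last two labels (heuristic; a real tool
    would consult the public suffix list to handle names like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def parse_line(line):
    """Return a record for one log line, or None if the line is unusable."""
    fields = line.split()
    if len(fields) < 5:
        return None
    _ts, user, method, url, nbytes = fields[:5]
    host = urlsplit(url).hostname
    if not host or not nbytes.isdigit():
        return None
    return {"user": user, "method": method, "host": host, "bytes": int(nbytes)}


def discover(log_text, catalogue=CLOUD_CATALOGUE, sanctioned=frozenset()):
    """Group log traffic by catalogued cloud service.

    Each service records its distinct users and the bytes sent in
    POST/PUT requests, a rough proxy for data leaving the company."""
    services = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domain = registered_domain(rec["host"])
        if domain not in catalogue:
            continue  # ordinary web traffic, not a catalogued cloud service
        name, category, risk = catalogue[domain]
        entry = services.setdefault(name, {
            "category": category, "risk": risk, "users": set(),
            "bytes_out": 0, "sanctioned": name in sanctioned,
        })
        entry["users"].add(rec["user"])
        if rec["method"] in ("POST", "PUT"):
            entry["bytes_out"] += rec["bytes"]
    return services


def summarize(services):
    """Condense discovery output into the numbers a CIO would ask for."""
    unsanctioned = {n: s for n, s in services.items() if not s["sanctioned"]}
    by_risk = Counter(s["risk"] for s in unsanctioned.values())
    return {
        "total": len(services),
        "unsanctioned": len(unsanctioned),
        "by_risk": dict(by_risk),
        "high_risk": sorted(n for n, s in unsanctioned.items() if s["risk"] == "high"),
    }


if __name__ == "__main__":
    found = discover(SAMPLE_LOG, sanctioned=frozenset({"Box", "Salesforce"}))
    for name, svc in sorted(found.items()):
        flag = "sanctioned" if svc["sanctioned"] else "ROGUE"
        print(f"{name:10} {svc['risk']:6} {flag:10} users={len(svc['users'])} "
              f"bytes_out={svc['bytes_out']}")
    print(summarize(found))
```

The sanctioned set is what turns a raw inventory into an action list: the services that appear in the logs but not in that set are the ones to review, starting with the high-risk tier, which is the same ordering the article describes Keithley using when he shut down the riskiest services first and offered an alternative for the rest.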
CIOs Become Cloud Enablers
Rogue cloud services have ripped open gaping holes in the security fabric of a company, putting both the firm at grave risk and the CIO in a tough spot. However, rogue cloud services also show the critical need for a tech-savvy consultant — or cloud services broker — to patch holes, maintain compliance, negotiate cloud contracts and enforce service level agreements.
Faced with a massive amount of rogue cloud services, Keithley’s first instinct was to block them, but that would solve nothing. After all, IT’s history of blocking unfamiliar technology most likely spawned these rogue cloud services in the first place. Instead, Keithley needed to change the reputation of his IT department from a blocker to an enabler.
For starters, Keithley enlisted chief counsel to educate employees on why the highest-risk cloud services needed to be shut down; let the lawyer be the bad guy, not the CIO. With medium- to low-risk sites, Keithley’s team created a more compelling alternative.
For instance, some 60 rogue cloud services were of the file sync-and-share variety, meaning they trafficked potentially sensitive corporate data. Keithley sent out an RFP, settled on Box and ironed out an enterprise licensing agreement. Then he integrated Box with single sign-on and added provisioning and connectivity to the HR system so new employees would automatically be given a Box account.
Getting Line of Business Buy-In
Keithley pitched the Box package to line-of-business managers and other key influencers, asking them to use this instead of their rogue cloud service. The managers bought in, and that’s how Keithley became a cloud enabler. CIOs need to acknowledge that their role is changing, he says, and so they must evolve or end up on the scrap heap, also known as the other kind of CIO — “career is over.”
Of course, the leap to tech-business-cloud consultant is easier said than done. Making matters worse, there seems to be a disparity over the CIO’s business savvy.
A recent Red Hat survey showed 78 percent of tech executives rating their knowledge of the business as either “excellent” or “good,” and 66 percent rating their receptiveness to new ideas coming from business units as “excellent” or “good.” Yet an explosion of rogue cloud services underscores what many line-of-business managers think about CIOs: untrusted blockers who don’t understand business process and must be kept out of the loop.
At the heart of this busy intersection lies the risk of data loss and the odds of falling out of compliance, which skyrockets with cloud services. How perilous is the situation? Just follow the logic.
Organizations on average use 759 cloud services, up from 626 last quarter, according to Skyhigh Networks data based on 8.3 million users. Overall, of the 3,571 different cloud services found in Skyhigh Networks’ database, only 7 percent are deemed enterprise-ready. What’s worse is that 5 percent are considered highly risky. All tallied, one out of three cloud services was vulnerable to Heartbleed.
It’s Going to Get Worse
Barbarians are at the gate, too. Malware writers have taken dead aim at cloud services dealing with business critical data: 16 percent of companies had anomalous cloud access to services storing data such as credit card numbers, health records and Social Security numbers, which means malware was used to surreptitiously access business services like Salesforce or Workday, according to Skyhigh Networks.
For the most part, CIOs can’t do anything about it. As in the case of Creative Artists Agency, the vast majority of cloud services fly under the CIO’s radar. On average, the IT department is aware of only 5 percent to 8 percent of cloud services used at the company.
“This is not conjecture, not hyperbole, not me getting sentimental — this is fact-based data,” says Skyhigh Networks CEO Rajiv Gupta. “This is the risk you’re undertaking right now.”
Even cloud services known by CIOs aren’t necessarily safe havens. WinMagic’s security survey found that 35 percent of IT decision makers allow employees to use personal cloud storage in the workplace. Only six in 10 said their company has enforced encryption capabilities for tablets and mobile phones.
At the end of this road, huge dollars hang in the balance. The average cost of a data breach for a company in the United States jumped from $5.4 million last year to $5.9 million this year, according to the Ponemon Institute.
Perhaps unfairly, CIOs are on the hook to ensure security and compliance from leaky cloud services, as well as rogue cloud services they don’t even know about. CIOs can’t control — as in, block — many of the rogue cloud services; they can only advise line-of-business managers about risk.
Sounds like a no-win situation, right?
Hang Together or Hang Separately
Creative Artists Agency’s Keithley says it’s important to remind line-of-business managers that they share in the liability. He does so by pointing out the recent case involving retail giant Target. Its headline-sweeping data breach in December led to CIO Beth Jacob falling on her sword three months later.
While it’s typical for the tech chief to get fired in the aftermath of a well-publicized breach, Jacob wasn’t alone. The fallout finally reached the top business post this month with the resignation of Target CEO Gregg Steinhafel.
Keithley tells line-of-business managers that everyone will pay the price in a data breach. The risks are higher with cloud services, he adds, especially rogue cloud services not vetted by IT.
Then there’s the direct approach.
“CIOs can tell business managers, if you choose to take the risk, go ahead,” Gupta says. “But tomorrow if there’s a breach and the data is compromised, if compliance regulations are not met, then it’s going to be you and me in front of the board of directors, not just me alone.”
Tom Kaneshige has been covering business and technology in Silicon Valley for two decades. As senior online writer at CIO.com, Tom covers Silicon Valley culture, BYOD and consumer tech in the enterprise.