IT security vs cloud creep – the menace that comes from within

Cloud creep, or Shadow IT (external cloud services), is having a serious impact on the functionality of central IT departments.

Today, many organisations are finding it increasingly difficult to track and control which cloud services are being used within their business. In sectors such as finance and banking especially, where highly sensitive data is handled on a daily basis, the potential consequences can be severe.

As an example, if a marketing department decides to purchase a subscription to a cloud email-marketing tool and input customer email information, they could potentially be breaking the bank’s individual data protection guidelines around the security of customer data.

The challenge

A report from Gigaom revealed that security was a priority concern among businesses looking to access cloud services, which conflicts with the increase in employees using unauthorised cloud applications.

The survey also states that 81% of line of business (LOB) employees admit to using unauthorised SaaS applications at work. Of those who do, 38% claim that this is due to the long purchasing cycles involved in getting IT department approval for new projects.

This study clearly highlights a struggle between LOB employees and IT departments, with a clear trend of employees opting to go against in-house IT regulations in order to increase the productivity of their own role.

Taking back control

To avoid this conflict, it is fundamental that a company’s IT department creates an efficient and precise framework for all cloud purchasing. Each department can be expected to insist on having a say in which cloud applications it uses, so IT teams should strive to advise each one accordingly.

In fact, forward-thinking IT teams are now considering creating service catalogues that include all application and compute requirements for both IT and business users. This means that all services are available in an online store-style environment, which can be purchased or requested depending on user permission levels.

Grouping services together into a centralised catalogue offers individual departments the opportunity to decide which cloud applications best suit their needs, while IT is able to maintain control of the procurement of the solutions, as well as having final say over their delivery.

Most importantly, IT teams can then determine whether new SaaS products comply with appropriate regulations and the larger compliance agendas in play across high-security technology environments.

Service catalogues also help to drive standardisation and productivity within IT departments. For example, keeping tabs on cloud service maintenance issues such as expenditures and renewals becomes a smooth and stress-free task once all services are centrally tracked and managed.

IT – Everyone’s favourite department

If software is incorrectly deployed, the resulting issues can mean that data is not stored as securely as industry regulatory compliance levels for encryption require. When this information is put at risk, it’s not just a company’s internal data that is compromised; it is the data of their customers and service users.

The overall aim is to get each department on side, whatever their job function and level. IT cannot eradicate cloud creep through force, as people will always seek out loopholes that allow them to get their task done in less time.

However, if staff members are shown that it is easy and efficient to have the IT team involved when implementing new tools, it is natural that they will request the same support in the future when companies engage in new projects. A service catalogue that provides adequate choice, but also dictates strategic parameters, delivers a balance between flexibility and security.

Ridding your company of cloud creep services, especially when working in a high-security sector, also supports the requirements of departments such as Legal Counsel, which dedicate a significant amount of time to making sure that software licensing is in order and conforms to the fundamental requirements that keep both users and customers secure.

A helping hand

Cloud isn’t going away. SaaS applications aren’t getting any less popular. Therefore, businesses need a flexible way of managing different types of cloud, because one size doesn’t fit all.

This principally means that all organisations are now adopting a multi-cloud strategy. By employing multi-cloud solutions software, organisations can access private cloud and public cloud services, all delivered and managed from a single management system.

The advantage of the multi-cloud strategy is that by standardising each layer, it is much simpler to automate and orchestrate activities, diminishing the time and effort required to get new services up and running.

Now more than ever, security is a central issue for all businesses, with external threats attacking from a multitude of different angles. It is therefore essential that organisations ensure all internal threats are managed, before attempting to tackle anything else.

By increasing efficiency and coordination, IT departments can create harmony within their organisation, whilst eradicating the potential menace that is cloud creep, for good.


Sourced by Paul Mills, managing director of Converged & Partner Solutions at Six Degrees Group

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...