We have seen an increase in ‘shadow cloud’ solutions, and their defining characteristics are often ill-configured security controls and a lack of integration with the security and monitoring processes that the legitimate IT function would employ. These solutions will usually result in an increased risk of exposure for data, personally identifiable information and intellectual property.
Shadow cloud solutions raised security concerns before the pandemic, but the forced and disruptive shift in working patterns, and rapid infrastructure changes during the pandemic, have accelerated their presence. In organizations whose security and technology teams were slow to adopt collaboration tooling to support remote working, teams and individual employees have turned to cloud-based solutions for collaboration, storage and continued productivity.
These applications may not be protected by multi-factor authentication or strict password policies and may not meet data localization and retention requirements. Both present security and regulatory risks. For example, employees based in Europe may be unaware that the application they are using is transferring unencrypted personally identifiable information (PII) to non-European data centers, which can result in non-compliance with the General Data Protection Regulation (GDPR). Moreover, many government organizations have strict internal policies to ensure their data remains in-country. We believe now is the time to ensure these services are governed and monitored by IT and risk professionals who understand the threats they pose and the regulatory requirements they must meet.
When organizations enact efficient oversight and governance of cloud technology, staff and stakeholders will likely be discouraged from deploying shadow cloud solutions. Eliminating the mindset that propagates shadow cloud usage can be an effective security control.
Four tips to help keep shadow clouds at bay:
1. Address shadow cloud issues in policies and employee standards - It's likely not enough to simply ban the use of cloud solutions that lack the permission of the security team. We recommend making leaders accountable for the control of shadow cloud solutions and implementing clear protocols and disciplinary measures as needed.
2. Consider blocking access to unauthorized cloud-based applications - If cloud-based file sharing is authorized, we recommend settling on one platform and governing its use. We also recommend implementing permission lists, including sites or platforms that are approved for access, and blocking all others lacking approval.
3. Offer stakeholders a path for approval - It's important to understand why users may want to "go rogue." If employees have difficulty managing their work, collaborating or providing services via old architecture, a rapid cloud deployment can be a smart solution. However, failing to handle these requests quickly and effectively can lure users into the shadows.
4. Monitor what is being paid for - Some cloud services are free or carry minimal costs to employees, but some projects can cost thousands per year. We recommend discouraging the use of shadow cloud services by carefully managing expense reports and invoices payable to such services. While this may not limit the use of free cloud applications, shadow cloud deployments that house large or enterprise-wide projects will likely need to seek legitimacy and funding. Keep a close eye on whether purchased licenses are personal licenses. Monitoring the purchase of licenses can help organizations avoid fines or compliance issues associated with using the wrong type of license.
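Tip 2 above recommends a permission list of approved platforms with everything else blocked. The following is an added example, not code from the KPMG publication, showing how such an allowlist can be applied to proxy log lines so that uploads to unapproved cloud destinations are surfaced for review. The approved domains, the log format and the log lines are all constructed for the example; the one subtlety worth noting is that matching is done on domain-label boundaries, so a look-alike domain that merely ends with an approved name does not slip through.

```python
"""Check outbound cloud traffic against an allowlist of approved platforms.

Added example (not from the source publication). The allowlist, the log
format and the log lines are constructed for illustration only.
"""
import re
from urllib.parse import urlsplit

# Hypothetical allowlist of platforms the security team has approved.
APPROVED_HOSTS = {"files.example-corp.com", "approved-share.example", "collab.example"}


def host_is_approved(host: str, allowlist=APPROVED_HOSTS) -> bool:
    """True if host equals an approved domain or is a subdomain of one.

    Suffix matching is done on a label boundary (".<domain>") so that a
    look-alike such as "notapproved-share.example" does not match
    "approved-share.example".
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


# Constructed proxy log: timestamp, user, URL, bytes sent by the client.
SAMPLE_LOG = """\
2021-04-12T09:14:03Z alice https://approved-share.example/sites/finance/q1.xlsx 20480
2021-04-12T09:15:44Z bob https://notapproved-share.example/login 512
2021-04-12T09:16:10Z carol https://eu.collab.example/upload 8388608
2021-04-12T09:17:52Z dave https://quick-share.example/d/abc123 104857600
2021-04-12T09:18:30Z erin https://files.example-corp.com/api/put 4096
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def find_unapproved(log_text: str, allowlist=APPROVED_HOSTS):
    """Return (user, host, bytes_sent) for every line whose destination is not approved.

    Malformed lines are skipped rather than aborting the run, so one bad
    record in a large log does not hide the rest of the findings.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, user, url, sent = m.groups()
        host = urlsplit(url).hostname or ""
        if not host_is_approved(host, allowlist):
            findings.append((user, host, int(sent)))
    return findings


if __name__ == "__main__":
    # Largest uploads first: the volume going to an unapproved host is what
    # distinguishes an enterprise-scale shadow project from casual use.
    for user, host, sent in sorted(find_unapproved(SAMPLE_LOG), key=lambda f: -f[2]):
        print(f"review: {user} sent {sent} bytes to unapproved host {host}")
```

Run as a script it lists the two unapproved destinations in the sample log, with the 100 MB upload first. In a real deployment the allowlist would be the same list enforced at the proxy, and the report feeds the approval path described in tip 3 rather than being an end in itself.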
The excerpt was taken from the KPMG Thought Leadership publication entitled Securing the cloud – the next chapter in public services.