Policy, Education Key to Reining in Rogue Cloud

It used to be that rogue access points and USB drives kept IT administrators up at night, worrying about employees exporting sensitive corporate data. Now, with good reason, they’re worrying about employees using cloud services in ways that could compromise corporate data.

Controlling employee use of the cloud isn’t easy–there’s no simple way to block all unauthorized services. But creating a detailed policy and proactively educating users about it can make a big difference, experts say.

Because cloud services are designed to be easy to set up, employees are starting to use them in ways that could cause problems for their employers. They could be simply using services, like Google Docs, that are hosted in the cloud. Or, they could be running corporate applications or services on hosted offerings like Amazon Web Services.

For instance, one popular way to get data onto an iPad is using Dropbox, an online file backup service. An employee might upload a sensitive document to Dropbox in order to access it from an iPad.

“But where’s Dropbox’s data stored? You may have deleted it from Dropbox, but is it being backed up somewhere?” asked Ian Gotts, CEO of Nimbus, a company that offers business process management software and services.

The answers to those questions could comply with corporate policies, but might not, and the employee likely has no idea.

In addition to signing up for services, like Dropbox or Google Docs, that use the cloud, employees are also starting to use infrastructure-as-a-service offerings from companies like Amazon and in doing so may break IT policies. Users can sign up for Amazon Web Services online with a credit card and get started right away.

Rogue IT is a “massive source of business for many hosting companies,” said Phil Shih, an analyst with Tier 1 Research. “It has really spurred some of the momentum in the cloud business.”

Employees are using such services for different reasons. “It is very easy to provision a server and be able to spin it up,” said Allen Allison, chief security officer with NaviSite, a company that offers hosting and managed cloud services. “The reason could range anywhere from setting up a server for personal use because you like to blog about ‘Dancing with the Stars’ to hosting child porn.”

An employee could sign up for such services, however, because it’s simply an easier way to provision a server for a legitimate corporate application.

“The reality is, it points to internal developer frustration with internal IT,” said Kenneth Ziegler, president and chief operating officer for Logicworks, a company that recently launched a public cloud offering. IT administrators may take several months to provision a server for an employee. Services from companies like Amazon let users get started on a new server sometimes within minutes.

In doing so, an employee could not only break IT policies but also the law or agreements with a partner. That could happen if the employee uploads certain kinds of data to a cloud service that might store data outside of the country, for instance.

Creating an IT policy and then educating users about it are the first steps to preventing problems that could arise from employee use of cloud services. An IT policy for the cloud should be well-thought-out, said Gotts. “One that says we won’t have it happening isn’t a policy,” he said. “Because then they’ll buy laptops and 3G cards and circumvent the policy.”

But a fair, reasonable policy, such as one that stipulates that certain kinds of data can’t be stored outside the borders of the country, will resonate. “Business users will understand that,” he said.

IT organizations should also offer amnesty to people already engaging in cloud policies that break the rules, he said. That way the IT administrators can make an accurate risk assessment.

Then the IT department should develop a list of approved cloud service providers. The sooner that list is available, the better, because it could eliminate possible problems with encouraging workers to migrate from unapproved providers.

CIOs can now choose cloud providers that offer enterprises tools for controlling the way that workers use their services. Skytap is one cloud provider that has worked hard to develop management tools.

“What we hear from our enterprise customers, particularly the IT organizations, is ‘we’re not afraid of the cloud, we want to embrace it, but it’s now the wild wild West,'” Sundar Raghavan, chief product and marketing officer at Skytap, said.

New users may be unaware of how quickly they can rack up usage charges.

“One challenge with the cloud is that it’s easy to consume,” he said. That means people might leave an application running on a hosted service without really realizing “the meter is ticking,” he said. Then they’ll charge the company for that usage on an expense report, he said.

With Skytap, IT administrators can set policies and assign rights to individual employees. For instance, developers might have more rights to add new servers than a salesperson.

He thinks this capability will make a company like Skytap more likely to become an authorized cloud resource for large companies.

NaviSite also has a barrier to usage that makes it difficult for individual employees to use its service. In order to start doing business with NaviSite, a company has to first sign a contract.

“So we would have the ability to deny a rogue user or administrator from spinning up a server without the proper authority,” Allison said.

Logicworks also has features that let administrators set limits for users.

Amazon argues that its offering is better than rogue servers that employees might run surreptitiously because an IT administrator can view all systems running on Amazon Web Services. However, that only works if the employee uses a company account to run a service with Amazon. Since anyone can log on and use any credit card, an IT administrator has no way of knowing when users do so.

Once IT has identified authorized service providers, it has to work hard to educate users.

“It all starts with a level of education,” Gotts said. “The big, big issue here is that business users who are able to consume cloud services don’t know what they don’t know. Until they get to a level of knowledge and understanding, people will get hurt because they didn’t even know they were at risk.”

Without the education component, IT will struggle to limit workers to authorized providers.

“You can restrict access to Google Docs or Amazon, but at no time are you ever going to be able to deny all cloud service providers. There are a lot out there,” Allison said. “It’s just a matter of training your users, letting them know what’s acceptable and doing the best you can at enforcing those policies.”