But the closest experience I have to shadow clouds is the Web itself. When the Internet first emerged, only the über geeks populated it, but I remember a turning point in the early 1990s where it seemed nearly every department in my company had an unauthorized Web presence. Even to this day, when I perform a Website survey for any company, I find far more sites on the Net than anyone in the company has documented. If you aren't aware of a security risk, how can you manage it?
Prepare for shadows in the cloud (services)
Managing various cloud services at your organization requires preparation, including finding answers to an array of questions. How secure is the cloud offering? What are the security policies and availability guarantees? What types of confidential information will be hosted in the cloud? What are the encryption and backup policies? Are the cloud's services redundant to other existing services? If the cloud closes, what happens to your company's information? Can it be resold to other vendors without your consent?
Non-IT users aren't likely to ask these types of questions. More likely, they will read the cloud vendor's marketing hype, try it for a short period, sign up, and begin using it.
I recommend that organizations follow these steps to prepare for cloud services.
- Create a cloud services/product policy. Define and approve the bare minimums a cloud vendor must meet before anyone in the company may do business with it, then publish the new cloud policies alongside your other computer security policies and make them available to end users.
- Create a document or database that tracks the various approved or found cloud services or products. That way, you'll have one place for any IT person to see if a particular cloud is approved. If you don't implement this component, you'll have a hard time figuring out which cloud product is approved and which is a shadow cloud that needs remediation or mitigation.
- Lastly, it can't hurt to start thinking of ways to detect rogue shadow clouds.
This last one has me stumped because I can't think of an easy way to do it. Detecting rogue IM services was easy because all the major service providers used a fairly static set of domains or IP addresses. You could configure outbound firewalls or IDSes to send an alert when one was used.
But cloud services can essentially exist anywhere on the Web, so the detection problem becomes inherently harder. Readers, can you think of any easy ways to detect unauthorized shadow clouds?
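One practical starting point is to turn the tracking document from step two into an allowlist and report every outbound host that is not on it. The following is an added example, not code from the original post; the hostnames, the approved-cloud inventory and the proxy log excerpt are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Inventory of approved cloud services (the tracking document from step two).
# Hypothetical names, constructed for this example.
APPROVED_CLOUDS = {"crm.example-saas.com", "mail.example-saas.com"}

# Hosts not worth judging by name alone (company sites, search engines).
IGNORED_SUFFIXES = (".corp.example", "search.example.net")

# Constructed proxy log excerpt, one "timestamp user method url" per line.
SAMPLE_PROXY_LOG = """\
2009-06-01T09:01:12 alice POST https://crm.example-saas.com/api/contacts
2009-06-01T09:03:44 bob POST https://files.unlisted-storage.example/upload
2009-06-01T09:05:10 carol POST https://files.unlisted-storage.example/upload
2009-06-01T09:06:30 dave GET https://files.unlisted-storage.example/login
2009-06-01T09:07:02 erin GET https://www.search.example.net/?q=clouds
2009-06-01T09:09:55 alice PUT https://notes.solo-saas.example/sync
this line is truncated
"""

def host_of(url):
    """Return the lowercase hostname of a URL, or None if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:
        return None

def is_known(host, approved):
    """True if the host is an approved cloud or a host we deliberately ignore."""
    return host in approved or host.endswith(IGNORED_SUFFIXES)

def find_shadow_clouds(log_text, approved=APPROVED_CLOUDS):
    """Summarise proxy traffic to hosts missing from the approved inventory.

    Returns (host, distinct_users, upload_requests) tuples, most widely used
    host first. POST/PUT requests are counted separately because data leaving
    the company is the exposure that matters most."""
    users = defaultdict(set)
    uploads = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip truncated or malformed lines
        _ts, user, method, url = fields[:4]
        host = host_of(url)
        if host is None or is_known(host, approved):
            continue
        users[host].add(user)
        if method.upper() in ("POST", "PUT"):
            uploads[host] += 1
    return sorted(((h, len(u), uploads[h]) for h, u in users.items()),
                  key=lambda row: (-row[1], -row[2], row[0]))

if __name__ == "__main__":
    for host, n_users, n_uploads in find_shadow_clouds(SAMPLE_PROXY_LOG):
        print(f"{host}: {n_users} user(s), {n_uploads} upload request(s)")
```

A host used by several people, or receiving uploads, is the one to check against the policy first; a single user's GET to an unknown site is usually just browsing.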
This story, "Security forecast: High chance of 'shadow' clouds," was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.