Shadow IT may sound like something straight out of a spy movie, but in truth it is very real, and having an impact on cloud adoption and security alike. The term refers to the practice of employees availing themselves of cloud resources without their organisation’s knowledge. This, explained Trevor Coetzee, the regional director for South Africa and sub-Saharan Africa at Intel Security, is also growing as cloud adoption is increasing.
Speaking at a roundtable event in Illovo, Coetzee elaborated that there are currently between a whopping 100 to 200 cloud applications that are in use without an IT department’s go ahead worldwide.
Part of the reason for this is the ease of access that using the cloud to store or transfer files offers. He elaborated that, while a company’s IT department may understand that security is an enabler, it often wants to align its security strategy, have a firm grasp of its security requirements and have a plan in place to leverage cloud access for greater profitability.
All of this is well and good, but too often it is simply bypassed by a user who can simply log into a cloud application provider, enter their payment details, and have access to the service in question much more rapidly than if they had to wait for their IT department. Only exacerbating matters is the fact that users today are accustomed to and increasingly demand instant gratification, and often users are highly intolerant of waiting any length of time.
Trevor Coetzee, regional director, South Africa and sub-Saharan Africa, Intel Security.
You can’t protect what you can’t see
Coetzee continued that this results in companies having no control over their expanding cloud footprint, which is being used to store workloads that they don’t have visibility on. “You can only enforce a policy or security mitigation process if you know what is happening, and a lot of organisations don’t,” he added.
However, by circumventing the IT department in this way, Coetzee pointed out that it presents a trust issue. No less of an issue is unauthorised access, namely who is accessing the data that is stored on a cloud and how are they using that information. This includes data that is stored on unmanaged mobile phones.
This results in an organisation having little to no visibility on what data is moving where, which makes crafting a cloud security strategy, and protecting itself from cyber threats, considerably more difficult.
An Invisible War
And the threats to an organisation are very real. One of the major ones, ransomware, is reminiscent of a plot point in a sci-fi cyber thriller.
With this, cybercriminals infiltrate a server or network, and lock the company out of access to their data. They are then extorted to pay a sum of money in order to be given a key which unlocks the ransomware and enables them to resume business. The threat of failure to pay is often accompanied by the chilling prospect of their vital data being erased permanently. Furthermore, incidences of ransomware are growing at a frightening rate.
“In just one quarter, we saw 1.3 million new variants in ransomware, with just one of those variants generating more than $630 million in damage income for its perpetrators,” said Coetzee.
Just like Agent Jones
The effect of ransomware attacks aren't just financial.Coetzee cited an example of an unspecified hospital in the US, which had a large amount of its PCs incapacitated from ransomware. They chose not to pay the ransom, but rather took all the computers offline and restored them all, one by one. The ransom was 4 Bitcoins - $1600 - and yet lives were still placed in jeopardy.
Coetzee pointed out that ransomware, or denial of service attacks on actual service providers could be far reaching. For example, could providers could be extorted for 30 000 Bitcoins, or else be forced to contend with their entire user base being deprived of access until the ransom has been paid. Worse yet, simply inoring the problem can actually make it worse, since some ransomware attacks expire after a specified time. Should they go unanswered, the business owner could find themselves completely locked out of their data, with no way to get back in.
This is bad enough for large companies, but it can be ruinous for SMEs, added Andre Jansen, the chief information security officer at Nedbank. Indeed, what quickly became clear during the roundtable, was that companies are effectively fighting an invisible war. Jansen pointed out that it is one thing to take a bank hostage using a gun, but quite enough when a perpetrator is sitting in another country and effectively holding an organisation’s livelihood hostage.
Additionally, the former method is considerably easier for law enforcement to combat. Ransomware, however, has apparently even had the FBI advising the affected party to pay the ransom in order to keep their business alive in certain cases.
The only way out is through
Indeed, it does bring up a knotty Catch-22, with companies potentially not going onto cloud fast enough for fear of opening themselves up to threats, and yet by not doing so, having to contend with shadow IT filling the gap, potentially making them more vulnerable to the likes of ransomware.
The answer may not be cut and dry, but one thing it isn’t is trying to halt cloud adoption. This is hardly possible, considering that there are three new internet based companies created every second globally, according to Intel. Instead, fostering employee awareness of security, particularly with regards to ensuring employees don’t share sensitive information, is essential.
Coetzee also encouraged organisations to more diligently move towards greater visibility across their network so as to built trust, have service level agreements in place with cloud providers and ensure business continuity planning. Whether the cyberwar is winnable, one undeniable fact remains: cloud is here to stay.