A Sense of Security Blog

Bringing Shadow IT Out of the Shadows

We saw some good chatter about identifying unsanctioned “rogue clouds” in IT infrastructure at #CIOchat and here: http://www.enterprisecioforum.com/en/blogs/jdodge/rogue-cloud-management-playbook-yet-be-w

While it is certainly not popular, and most likely unproductive (and practically impossible), for a CIO to “shutter” rogue clouds (i.e. clouds unknown to the IT organization), it is essential that the CIO be aware of any increased risk profile that rogue resources pose to the overall data and intellectual property (IP) of the organization. Loss of IP and customer information through unmanaged, invisible, siloed compute and networking resources in the cloud is a real concern. And of late we’ve seen almost daily revelations about the cost to customers, corporate reputation and careers, and the real financial losses, associated with compromised or lost customer and corporate data.

Many (if not most) rogue clouds, whether private or public IaaS, are in fact connected via physical or virtual private networks to the enterprise data center. It is essential that the activity in all enterprise infrastructure (physical or virtual, rogue or sanctioned) be assessed and monitored, increasingly in near real-time, to avoid serious threat and risk of loss.

While it may not make sense or be possible to stop shadow IT or rogue infrastructure, it certainly needs to be brought into the light, with critical network policy violations (like network topology changes) understood by those internal IT organizations still being held responsible for the safety of corporate assets. This will help prevent loss of IP and customer information, as well as other problems that are associated with rogue clouds.