
Sometime We See A Cloud That's Dragonish

My daughter is still at an age when her imagination kicks into high gear when the lights go out. Sometimes those runaway thoughts get the better of her and I’m called upon to go to her aid and, turning on the lights, show her that everything’s okay. Whether it’s monsters under the bed, boogeymen in the closet or ogres lurking just outside the window, it’s common for children to see things in the shadows of night that were never in evidence during the light of day.

Sometimes that tendency can linger well into adulthood. So what is it that fuels our fear and fools our mind’s eye into seeing frightening things that aren’t there? Often it’s a lack of confidence. The shadows are where suspicion and insecurity live. Allow me, then, to shine a reassuring light on the boogeyman known as Shadow IT.

As it is too often called in the context of Software-as-a-Service, Shadow IT is not the fearsome beast some would have us believe. It’s not a creature with sharp claws and gnashing fangs craving to compromise your valuable data for its sustenance. To the contrary, while novel cloud applications for businesses and professional use may be a mystery, most exist to help us solve problems and do what we do more efficiently. Such so-called rogue software applications aren’t conspiring to bring down the enterprise. In fact, the opposite is true: fear mongering over innovative SaaS applications simply because they are unfamiliar creates an atmosphere that is more risky to the enterprise.

The term Shadow IT was coined out of a vestigial, unenlightened human impulse to fear that which we do not understand. That’s why the first step in overcoming this irrational fear is to give it a new name: Emergent IT. The second step is to engage in a rational discussion about the vital role of Emergent IT and why it should be embraced, not feared, by today’s enterprise.

These days, the speed of innovation in cloud applications is astounding. With capital constraints all but eliminated, a handful of developers investing sweat equity can turn an idea into an application in a matter of weeks. Multiply that by hundreds of teams working to solve different business productivity challenges, mix in a liberal BYOD policy, and there’s no way any IT department can possibly keep pace with the number of applications that might exist within the network.

Early adopters of Emergent IT will jump in and kick the tires and evangelize the apps that work. Not all, but some will find a permanent home and be precisely what an individual, team or department needs to get the job done better than they could before.

It’s Geoffrey Moore’s Crossing the Chasm… on steroids.

Why would you want to discourage your employees from seeking ways to improve productivity through Emergent IT applications simply because you aren’t familiar with them? What kind of message does that send? Do that and they’ll either look for ways around your restrictions or grow discouraged. But if you allow those employees the freedom to adopt Emergent IT, they’ll be happier, more productive and more efficient.

But what about data security, you ask; what about the shadows? That question isn’t about the security of Emergent IT; it betrays an overall security posture that is not ready for the cloud era, and that kind of backward thinking is the real problem. After all, if your organization is not equipped to deal with the security of Emergent IT, it is probably not equipped to deal with the security of mainstream applications sanctioned by IT.

Such applications come with the implied security of trusted brand names like Google and Salesforce, and the tools themselves are likely secure. But when so many employees are using them, chances are many will operate within those environments on the assumption that, because IT or a line manager said it was okay, the application must be inherently secure. The assumption of security begets risky behavior, putting data at risk. Measure the ever-present human error factor against some of the findings of the Cloud Usage Risk Report, published in November of 2014:

• 5% of an average company’s private files are publicly accessible;

• The average company shares files with 393 external domains;

• 29% of employees share an average of 98 corporate files with their personal email accounts; and,

• 37% of our customers discovered they stored more cloud data in Salesforce than any other cloud storage service.

In Shakespeare’s romantic tragedy Antony and Cleopatra, as Antony despairs over his predicament and contemplates death, he observes that “sometimes we see a cloud that’s dragonish,” that the shapes we see in the clouds are illusions influenced by the attitudes by which we look upon them. It’s long past the time to change the way we look at enterprise security from regressive perimeter defense full of frightful dragons and move fully into the cloud era where security is agile and enlightened. That means understanding the new threat environment and adopting the right tools and philosophies needed to meet the challenge head on.

Danelle is CMO at Blue Hexagon. She has more than 15 years of experience bringing new technologies to market. Prior to Blue Hexagon, Danelle was VP Marketing at SafeBreach where she built the marketing team and defined the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of an IP Communications Book and holds 2 U.S. Patents. You can follow her at @DanelleAu.