Use #itsaexpo #itsa365

25 - 27 October 2022 // Nuremberg, Germany

it-sa Newsroom

When company data migrates to the cloud undetected

© ©

Thanks to lockdowns and people working from home, the cloud sector is booming, but not every cloud service meets company guidelines. Numerous problems are the result.

Fuelled by the pandemic, a second IT environment has evolved unnoticed in a lot of companies. Companies were often caught off guard by the crisis. Staff had to suddenly work from home, but suitable applications to enable this were not available at the company. But employees are inventive, and if their employer cannot offer a solution then they create one themselves. As a result, employees are sharing data via cloud storage systems like Dropbox, exchanging messages using messaging services like WhatsApp, or using Google calendar to make appointments with people from outside the company. Cloud-based conversion software is also popular, for example for turning PDFs back into MS Word documents. But what users don’t usually consider at that point is that this transfers the content of the text file, i.e., company or even customer data, into the hands of an outsider, namely the provider of the conversion software.

The downsides of cloud use

Even in the years before the pandemic, a separate IT environment was developing in the background at many companies. The problem is familiar to IT security specialists, who call it “shadow IT” that is used throughout the company unchecked. These applications are not normally controlled by the company’s own IT department and in some cases, their use may even be prohibited by company guidelines. The extent of this phenomenon should not be underestimated: The Institute of Process Control at the University of Konstanz has initiated its own research project on shadow IT. A survey conducted as part of the project showed that at larger companies, 10 to 50 percent of the company’s IT was shadow IT.

The causes for this are manifold and often lie in a company’s organizational deficits. Users think nothing of it when they need to do something quickly, so the cloud solution seems a logical step. The consequences are multi-faceted and may well be severe.

Security risk of shadow IT

When you no longer know which data are located where, it is also not possible for protective mechanisms to take effect. The precautions put in place by the IT department come to nothing, and data security and data privacy can virtually not be guaranteed. The attack surface vulnerable to cyber-attacks gets larger and there is a risk of malware being introduced into the company’s IT systems via unregulated cloud software.

The users are left to their own devices as the providers of these cloud solutions do not normally offer customer support, and their IT department does not provide support for these kinds of applications. This area is also outside the scope of a company’s IT planning, potentially resulting in parallel structures and overlaps. For their part, the providers of such services do not offer any planning certainty. At short notice, such services can be radically changed, made subject to charges or become more expensive, and in some cases may even be discontinued. But because there is no oversight of the shadow IT, it is difficult to migrate data from this irregular area into company applications. In a worst-case scenario, this results in a permanent pool of “grey” data. What might seem in the short term to be a fast and efficient solution for the individual results in inefficiencies in the longer term, the consequence of which may be a loss of productivity.

Technical solutions can significantly improve control of cloud applications. Details are provided in this article.