Of course, it’s not always the vendor’s fault. Some people in charge of buying cloud services take a tick-box approach, purchasing functions like firewall intrusion detection, governance reporting and privileged access management, without deploying those functions and assessing them thoroughly.
With IDC recently reporting that 67 per cent of Australian organisations are moving to the cloud, more of these war stories will come to light unless CIOs get visibility into their environments quickly.
Even as the business becomes more engaged with technology and more tech-savvy, plugging potential security gaps and making real-time threat management possible still sits very much in the domain of the CIO.
IT managers and CIOs have a greater role than ever in enabling security-as-a-service and bringing shadow IT back under their control, without losing business momentum. It’s crucial to adopt more than a band-aid approach to achieve this. This is more than risk management; it’s a call to proactively decide which data types go where and to understand what is in the current environment.
CIOs can address this in two ways. One, by ensuring their traditional IT delivery model becomes more agile – offering a similar level of on-demand service to those in the cloud but from a hybrid delivery model that controls cost blowouts and what data can go where. Two, they might elect to allow unfettered cloud access for development and proof of concept, but enforce policies on production environments that better manage the risk of data leakage – potentially considering a hybrid cloud model that spreads their risk across public and private clouds, for example.
You can’t prevent shadow IT and the business doesn’t want you to. A recent survey of 1200 IT and business decision makers, conducted by US security company Code42, found that 75 per cent of CEOs surveyed admitted using applications and programs not approved by their IT departments, even though 91 per cent recognised that the behaviour could pose a security risk.
Managing your cloud environment is not about stopping personnel in the business buying apps, because often you can’t. What you can do is deploy technology that reports on what's happening in the environment, and advises of any changes.
The good news is that over the last eight months or so, we have seen growing demand for the analytics features of these solutions as opposed to out-of-the-box deployment. CIOs are asking what types of information they can get, and how they can configure these tools.
It is one of the most achievable ways for an organisation to obtain a real-time analysis of what’s happening in the IT environment, notice any changes in data types, and identify them as they occur. Don’t wait for a breach to start looking – visibility from the outset means you can soar into the cloud with confidence.