SecurityWeek

Sometime We See A Cloud That’s Dragonish

My daughter is still at an age when her imagination kicks into high gear when the lights go out. Sometimes those runaway thoughts get the better of her and I’m called upon to go to her aid and, turning on the lights, show her that everything’s okay. Whether it’s monsters under the bed, boogeymen in the closet or ogres lurking just outside the window it’s common for children to see things in the shadows of night that were never in evidence during the light of day.

Sometimes that tendency can linger well into adulthood. So what is it that fuels our fear and fools our mind’s eye into seeing frightening things that aren’t there? Often it’s a lack of confidence. The shadows are where suspicion and insecurity live. Allow me, then, to shine a reassuring light on the boogeyman known as Shadow IT.

As it is too often called in the context of Software-as-a-Service, Shadow IT is not the fearsome beast some would have us believe. It’s not a creature with sharp claws and gnashing fangs craving to compromise your valuable data for its sustenance. To the contrary, while novel cloud applications for businesses and professional use may be a mystery, most exist to help us solve problems and do what we do more efficiently. Such so-called rogue software applications aren’t conspiring to bring down the enterprise. In fact, the opposite is true: fear mongering over innovative SaaS applications simply because they are unfamiliar creates an atmosphere that is more risky to the enterprise.

The term Shadow IT was coined out of a vestigial, unenlightened human impulse to fear that which we do not understand. That’s why the first step in overcoming this irrational fear is to give it a new name: Emergent IT. The second step is to engage in a rational discussion about the vital role of Emergent IT and why it should be embraced, not feared, by today’s enterprise.

These days, the speed of innovation in cloud applications is astounding. With capital constraints all but eliminated, a handful of developers investing sweat equity can turn an idea into an application in a matter of weeks. Multiply that by hundreds of teams working to solve different business productivity challenges, mix in a liberal BYOD policy, and there’s no way any IT department can possibly keep pace with the number of applications that might exist within the network.

Early adopters of Emergent IT will jump in and kick the tires and evangelize the apps that work. Not all, but some will find a permanent home and be precisely what an individual, team or department needs to get the job done better than they could before.

It’s Geoffrey Moore’s Crossing the Chasm… on steroids.

Why would you want to discourage your employees from seeking ways to improve productivity through Emergent IT applications simply because you aren’t familiar with them? What kind of message does that send? Do that and they’ll either look for ways around your restrictions or grow discouraged. But if you allow those employees the freedom to adopt Emergent IT, they’ll be happier, more productive and more efficient.

But what about data security, you ask; what about the shadows? That question isn’t about the security of Emergent IT; it betrays an overall security posture that is not ready for the cloud era, and that kind of backward thinking is the real problem. After all, if your organization is not equipped to deal with the security of Emergent IT, it is probably not equipped to deal with the security of mainstream applications sanctioned by IT.

Such applications come with the implied security of trusted brand names like Google and Salesforce, and the tools themselves are likely secure. But when so many employees are using them, chances are many will operate within those environments on the assumption that, because IT or a line manager said it was okay, the application must be inherently secure. The assumption of security begets risky behavior that puts data at risk. Measure the ever-present human error factor against some of the findings of the Cloud Usage Risk Report, published in November of 2014:

• 5% of an average company’s private files are publicly accessible;

• The average company shares files with 393 external domains;

• 29% of employees share an average of 98 corporate files with their personal email accounts; and,

• 37% of our customers discovered they stored more cloud data in Salesforce than any other cloud storage service.

In Shakespeare’s romantic tragedy Antony and Cleopatra, as Antony despairs over his predicament and contemplates death, he observes that “sometimes we see a cloud that’s dragonish,” that the shapes we see in the clouds are illusions influenced by the attitudes by which we look upon them. It’s long past the time to change the way we look at enterprise security from regressive perimeter defense full of frightful dragons and move fully into the cloud era where security is agile and enlightened. That means understanding the new threat environment and adopting the right tools and philosophies needed to meet the challenge head on.

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bringing new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep learning to detect malware, and CMO at SafeBreach, where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds 2 US patents. She holds an MSEE from UC Berkeley.
