This content is part of the Essential Guide: Combat the latest cloud security challenges and risks

Shadow IT risks heightened in hybrid cloud

While shadow IT applications pose a security risk for every organization, they can especially cause a ruckus in hybrid cloud environments.

While there are many advantages to cloud computing, there are also drawbacks, including shadow IT. Driven by cloud's low-cost, as a service model, shadow IT shifts traditional IT and CIO functions to a business's line departments. And while shadow IT risks have been discussed before, a new risk is emerging, specifically within hybrid clouds.

To many companies, shadow IT is a way of decoupling a business's response to a problem or opportunity from a high-inertia IT world. A line department buys compute services from a cloud provider, and adjusts the services to fit business needs. The shadow IT model may not work for every application, but it works well for at least some applications in every enterprise -- and it's only going to expand as cloud adoption grows.

However, shadow IT risks are heightened when combined with hybrid cloud. Most companies have data security and compliance practices to protect not only their own information, but that of their customers and suppliers. These practices and policies assume that data is contained within a controlled environment. But if users create a hybrid cloud workflow that connects shadow IT software as a service (SaaS) applications to highly structured applications, they can violate security and governance requirements – a risk known as bandit hybridization.

The dangers of bandit hybridization are growing for two reasons. First, SaaS adoption is increasing, and line departments can easily adopt SaaS applications without IT support.

Second, SaaS providers are offering more applications, making it more likely that data from at least one of those applications will be combined with an organization's internal or other cloud data. This combination is especially subject to security and governance concerns.

A few bandit hybridization problems have come to light. Most issues develop after cloud application deployment, when management tries to integrate information to support worker productivity. For example, an organization could look at a CRM application and determine that adding customer order status would help the sales force. The SaaS provider then facilitates a link between the CRM application and the organization's order status information. But if the organization does not consider security and governance requirements, it can create an insecure link between its data center and the cloud. In some cases, operations security and internal governance teams may not even know about it.

The biggest problem in bandit hybridization occurs with the link between one cloud-hosted application and another. The industry is filled with examples of data combinations that violate security and governance policies when the individual data elements would not. And because two or more shadow IT cloud applications can be connected without internal IT knowledge, some of these violations never come to light -- until it's too late.

Three ways to minimize shadow IT risks with hybrid cloud

So how do you retain the agility created through shadow IT, while protecting your data and applications? There are focused and broad-brush approaches, but companies should pick one that matches their shadow IT use.

The broadest and most intrusive way to prevent bandit hybridization is to require IT operations, security and compliance reviews for all SaaS contracts, services and interfaces. This alerts IT to the way cloud computing is evolving within their company, and helps them prepare for a hybrid model. But while effective, these reviews can cause delays in SaaS deployment.

The second option is to allow line departments to adopt SaaS applications, as long as there is no data exchange or workflow connection with other applications. When a data exchange is needed, organizations should conduct the operations review mentioned above. It's also important to develop and certify any data exchange processes. This approach, however, has been met with mixed success; some companies report that operations personnel still bypass IT, while others say time is wasted reviewing what should be a simple process of application interconnection.

Another emerging approach is compliance contagion. Hybrid cloud components such as applications, data and workflows carry their own regulatory, security and governance requirements. In the contagion approach, the requirements of these hybrid cloud elements -- whether from the data center or from another cloud environment -- are published.  Any time a hybrid connection is created between one cloud application and another, each application will "catch" the other's requirements. As a result, IT must ensure both applications are compliant and secure.

But even this approach doesn't fully address the challenge of securing multiple shadow IT cloud applications in a hybrid environment, particularly if both applications come from the same cloud provider. The only alternative to doing a professional IT review of all hybrid applications and workflows, even within a single SaaS provider, is to educate line department managers about security and governance issues as a condition for cloud service contract approval.

As appealing as shadow IT is to many companies, and nearly all line departments, the risks of bandit hybridization are difficult to control without formal IT involvement. As SaaS providers expand their markets, there will be more SaaS applications that require connections to existing data center applications. With that in mind, it may be impossible to detect the subtle signs of bandit hybridization, making security and compliance reviews on every cloud project critical. While that won't put an end to shadow IT, it will at least bring more light to the issue.

About the author:
Tom Nolle is president of
 CIMI Corp., a strategic consulting firm specializing in telecommunications and data communications since 1982.

Next Steps

Cloud security tools only half the battle against shadow IT risks

What IT pros should do about shadow IT

Should your enterprise just embrace shadow IT?

What to do when shadow IT risks threaten your cloud

Dig Deeper on Cloud security tools