Organisations across New Zealand make largely unregulated and unmonitored use of the 15,000+ cloud services available around the world. They use those services to upload and download data and files, store Human Resources data and a great deal more.

Until recently, the software and IT systems that employees used were supplied exclusively by their own IT department: commercial packages, databases, email systems, file storage and all the rest came from “I.T.”. Now there are hundreds of alternatives in the cloud for whatever people want to do.

Cloud services are everywhere, and there is a service for almost every requirement. Given how easy it is to find and consume these (often free) services, you would expect organisations to assess the cloud services their people use, to confirm that they are safe, secure and reliable, and then to put controls in place that “encourage” users towards the more secure ones whenever no in-house program exists for the same purpose.

Having run Cloud Usage Discovery for a number of NZ organisations we have found that the average number of cloud services in use by each is over 700 – that’s 700+ cloud services in use by each and every organisation. In that 700 are over 100 collaboration services (not sure how you collaborate over 100 different services?), file sharing, file conversion, storage, mobility, HR and every other service you can think of. This included 40 HR systems, which typically store information about people, roles, responsibilities, contact details, email addresses, pay scales, performance reviews etc. – that information could be about me or you.

Now that concerns me. Not because I think there is any malice involved, but it seems that any cloud service can be hacked if someone is that determined and smart enough. Significant businesses like Sony, Adobe, American healthcare providers, social networks, even security companies like RSA have been compromised, and they seem somewhat powerless to prevent it. The smartest people in the room (or not in the room) seem to be the hackers, so I would rather my information wasn’t indiscriminately shared in hundreds of cloud services if it can be avoided, even if it is done with the purest of intentions.

There is another issue that is less obvious. Uncontrolled use of cloud services endangers my PII (Personally Identifiable Information) in non-cloud services as well. When a corporate user registers or signs up to a cloud service from their work computer, around a third of them will use the same password they used to log on to their work system first thing that morning. Again, no malice involved; just to avoid yet another password. So if that cloud service is hacked and information (like passwords) is stolen, a third of those passwords will likely unlock the user’s corporate account as well, provided the hacker knows their username, which for many users can be easily guessed because it follows the company’s standard email address format.

The light at the end of the tunnel is that, with a bit of effort and the right tools, it is not hard to discover ALL the cloud services in use by your organisation and its people. Every single cloud service. What’s more, it isn’t hard to separate the risky ones from the safer ones. It just takes some time, tools and commitment. Once an organisation knows the scope of the issue, it can start to put plans and controls in place to mitigate the risk.

I’m not talking about blocking everything or shutting down the use of these sites (although for some really risky ones you possibly should). I’m talking about educating users with informative splash screens that tell them the site they are about to visit shouldn’t be used to store sensitive data, and that there are in-house or sanctioned cloud alternatives they can use instead.
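As an added illustration of the discovery step and the allow / warn / block triage described in the two paragraphs above (this is example code written for this page, not the author’s Cloud Usage Discovery tooling), the Python below reads proxy log lines, pulls the destination host and the authenticated user out of each request, groups them into an inventory by cloud service, and then applies a small sanctioned/risky list to decide whether each service is allowed, blocked, or shown the warning splash. The log layout (a Squid-style access log), the hostnames, the usernames and the policy table are all constructed for the example.

```python
"""Cloud usage discovery from proxy logs: an added example, not the author's tooling.

Assumes a Squid-style access log (one request per line, with the destination
host or URL and the authenticated username on each line). The sample log lines,
hostnames, usernames and the policy table are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid native access.log layout:
# timestamp elapsed client action/code bytes method url user hierarchy content-type
SAMPLE_LOG = """\
1700000001.101   812 10.1.2.3 TCP_TUNNEL/200 5120 CONNECT files.sharebox.example:443 alice HIER_DIRECT/203.0.113.5 -
1700000002.204   333 10.1.2.4 TCP_TUNNEL/200 2048 CONNECT app.sharebox.example:443 bob HIER_DIRECT/203.0.113.5 -
1700000003.310   120 10.1.2.3 TCP_MISS/200 900 GET http://convert.pdfnow.example/upload alice HIER_DIRECT/198.51.100.9 text/html
1700000004.415   640 10.1.2.5 TCP_TUNNEL/200 7777 CONNECT hr.peoplecloud.example:443 carol HIER_DIRECT/203.0.113.77 -
1700000005.520   210 10.1.2.6 TCP_TUNNEL/200 1024 CONNECT www.intranet.corp.example:443 dave HIER_DIRECT/10.0.0.2 -
1700000006.625   215 10.1.2.4 TCP_TUNNEL/200 3333 CONNECT files.sharebox.example:443 bob HIER_DIRECT/203.0.113.5 -
this line is not in the expected format and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Hypothetical policy: in-house/sanctioned services are allowed, services judged
# risky during an assessment are blocked, and anything unassessed gets the
# warning splash rather than a block, which is the approach argued for above.
POLICY = {
    "corp.example": "allow",    # the organisation's own intranet (constructed)
    "pdfnow.example": "block",  # treated as high risk for this example (constructed)
}

# Labels that act as a second-level suffix (e.g. example.co.nz). A rough
# approximation; a real tool would use the Public Suffix List.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "govt", "gov"}


def destination_host(method, url):
    """CONNECT lines carry host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def service_key(host):
    """Collapse a hostname to the registrable domain that identifies the service."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line):
    """Return (service, host, user) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = destination_host(m["method"], m["url"])
    if not host:
        return None
    return service_key(host), host, m["user"]


def discover(lines):
    """Inventory of cloud services: who uses each one, through which hosts, how often."""
    inventory = defaultdict(lambda: {"users": set(), "hosts": set(), "requests": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        service, host, user = parsed
        entry = inventory[service]
        entry["users"].add(user)
        entry["hosts"].add(host)
        entry["requests"] += 1
    return dict(inventory)


def decision(service):
    """allow / block / warn, defaulting to the splash-screen warning for unassessed services."""
    return POLICY.get(service, "warn")


def report(inventory):
    """Rows of (service, user count, request count, decision), most-used first."""
    rows = [(svc, len(e["users"]), e["requests"], decision(svc)) for svc, e in inventory.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for svc, users, reqs, action in report(discover(SAMPLE_LOG.splitlines())):
        print(f"{svc:<22} users={users} requests={reqs} action={action}")
```

Run against a real access log, the same loop produces the per-service, per-user inventory the article describes; the hypothetical POLICY table is where the risk assessment results go, and the "warn" default is what drives the splash screen for services nobody has assessed yet.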

And it’s not big brother; it is just trying to ensure that the data about the company, you and me is kept safe.

Robin Whitaker