I See You – CIOs And The Problem Of Exposed Corporate Data

When we put information into the cloud, we don't want the world to see it
When we put information into the cloud, we don’t want the world to see it
Image Credit:
Jeff Easter

Wow – that cloud thing is a powerful tool for the person with the CIO job to use. Think about it, we have access to almost unlimited storage and the ability to spin up new servers anytime that we run into the need. Life sure has gotten better than it used to be. However, it turns out that moving to the cloud comes with its own special set of downsides. What can happen is that after we’ve moved our corporate data to the cloud, we may have ended up leaving it exposed for the world to see.

The Problem With Data In The Cloud

So what seems to be the problem here? When a company makes the decision to move its corporate data into the cloud, security is often one of their highest priorities. A great deal of time, energy, and effort is spent on making sure that the data will be accessible by the company’s applications, but not anyone else. However, the experts who study such things tell us that this is when problems first start to show up. What happens is that configuration errors are made that expose the data to the outside world.

Cloud storage systems come with a large number of parameters that can be configured in order to allow the owner of the data to precisely control who has access to the data. What seems to be happening is that configuration errors are being made. Users are setting access permissions so that a vendor outside of the company has the ability to both see and use the data. However, by doing this mistakes are being made and this is causing corporate data to be lost.

There is no doubt that more and more of us are moving our company’s IT operations into the cloud. The cloud computing market has grown 17% in the past year and should soon reach a value of US$247B. The most commonly used feature of the cloud is cloud-infrastructure services. This includes such things as basic storage, computing services, and networking. All of these services are good candidates for being misconfigured. The reason that cloud computing has become so popular, at least in part, is because it has offered non-IT departments a way to perform an end run around the IT department. The person with the CIO job knows that those outside departments have always been complaining about how slowly the IT department moves. Cloud computing has provided them with a way to eliminate this problem. However, the people who have been setting these cloud operations up don’t have the expertise needed to keep the company’s data secure.

Keeping Your Cloud Data Secure

So what’s causing the problem with all of that data that we’ve been moving into the cloud? What it comes down to is the simple fact that the people who are moving the data into the cloud are all new to the cloud environment. This means that they don’t fully understand it and so they are prone to making mistakes. These activities take place as a part of a company’s “shadow IT” in which other departments choose to play the role of the IT department. Many companies have tried to bring these efforts back under the control of the IT department, but they still exist. This causes a problem because the people who are making the decisions that these groups are executing don’t have a plan and rarely, if ever, have a governance model.

When a company moves its data into the cloud, the CIO knows that the IT department needs to be involved. The IT department has a lot of different tasks that it has to perform. Software is going to have to be patched, IT teams are going to have to understand how critical applications connect to each other, and everyone has to know when a potentially dangerous change is being made to any of the company’s cloud assets.

The good news is that the largest cloud providers have started to realize that their customers are making dangerous mistakes. They have started to roll out tools and services that are designed to help IT departments find ways to have more awareness of their cloud infrastructure. These tools help IT departments find out when they have misconfigured their data or if someone is trying to gain access to the company’s data who does not have the proper authorization. The hope is that over time the main cloud providers will enhance their tools and will help IT departments to do even more. One key area that could benefit an IT department would be if they could be notified if a company employee uses a corporate credit card to purchase cloud resources. There is a very good chance that this person does not have the training to correctly configure what they have just purchased.

What All Of This Means For You

The popularity of cloud computing has become clear as more and more firms are moving their valuable corporate data into the cloud where they can takeout advantage of cheap storage and computing. However, problems are starting to show up. Due to configuration errors, corporate data that is being stored in the web is becoming viable to outsides who should not be able to access it. What should a CIO do?

Firms are aware that they need to keep their corporate data that is being stored in the cloud secure. The reason that they are running into problems is because of configuration issues. What happens is that after the data has been transferred to the cloud, changes are made to the configuration of that data to allow outside vendors to gain access to the data. This is when the door gets opened for parties to also access the data. The fact that many departments see the IT department as moving slowly has led to the creation of shadow IT departments. These groups are setting up their own cloud computing sites. Unfortunately, the people who are running these sites often don’t know what they are doing and end up creating a lot of problems. The IT department needs to be involved when corporate data is moved into the cloud. IT knows what to do and how to properly maintain the data. The cloud providers are starting to realize that there is a problem and they have started to create tools to help the IT department detect problems early.

A company’s data is among it’s most valuable possessions. CIOs need to realize that people outside of the IT department are moving company data into the cloud and then doing a bad job of configuring it. CIOs need to step in and make sure that IT takes this job over so that it can be done right. The cloud is a valuable resource, but only if it can be used correctly.

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: What steps can a CIO take to ensure that company data is not being exposed in the cloud?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.


P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

Let’s face it, if you were the person running your company you would have a lot of big issues that you needed to deal with in addition to worrying about the importance of information technology. One of these issues would be the simple fact that your health-care costs for employees are ballooning. Since we now live in the 21st Century, you’d probably look for a high-tech way to get your hands around this problem. You could give your employees activity trackers and introduce high-tech wellness programs that keep track of employee’s exercise, sleep, and nutrition. However, by doing this you are going to create a bunch of privacy issues that the CIO is going to have to find a way to deal with.