Cloud Application Threats in Terms of ITAM
Unless you work in an environment where access to cloud applications is revoked, cloud security issues are unavoidable. However beneficial emerging cloud services may be, the security risks they pose to your company can cancel those benefits out.
Ultimately, when improperly managed, the use of cloud applications could lead to higher expenditures and reputational damage, which companies need to prevent.
Cloud Service Pitfalls to Stay Alert To
There are two kinds of issues that you could come across if your employees use SaaS to do their jobs. The first group of issues arises from the provisions of the Terms of Service (ToS). The second arises from the nature of cloud computing itself. Both of them, however, lie in the area of security, data security in particular. Employees often neglect this issue when they opt to use cloud applications to store or process data, because doing so is quick and simple.
In the ToS, it’s important to pay special attention to three provisions: data residency, privacy and exit terms.
The cloud computing market is still evolving, and so is data protection legislation. In many countries, numerous laws and regulations have already been adopted to protect the privacy of personal data and information security, such as the ePrivacy Directive in the European Economic Area and HIPAA in the USA.
To avoid legal and/or reputational risks, it’s crucial to know where your data will be stored. For instance, suppose an employee uploads to Dropbox corporate data that is required to be resident in the UK. The upload violates this requirement, since that data may no longer be located in the UK. Had the employee read the ToS, they would know that Dropbox stores data “in the United States and locations around the world – including locations outside your country.” Besides, US companies are subject to export restrictions on certain types of information, and in the European Economic Area it is prohibited to export personal data.
Data privacy is another important issue. As noted above, many countries around the globe have laws and regulations protecting sensitive information such as personally identifiable information (PII). Personally identifiable information is any information that can be used to identify a specific person. The privacy of PII should be guaranteed by the service provider and specified in the ToS; otherwise such data must not be uploaded to the cloud service.
Information security can also be violated when the employee decides to withdraw data from a cloud service, for instance, to migrate it back on premises, to change service vendor, or just to terminate the contract. The ToS should stipulate the exit terms, that is, how data will be extracted and removed from the SaaS, to avoid any disruption to the business. Cloud providers should at least help the user to remove data from their systems and guarantee not to use that data in the future.
However, these are not the only risks of using cloud services. Due to the nature of cloud computing, SaaS allows employees to bypass the company’s SAM and security policies. In this case, SaaS becomes shadow IT, which represents the biggest threat and needs to be controlled.
The information security threats that cloud services could pose vary a lot, from data breaches to malicious insiders. Credentials could be compromised and accounts hijacked. As a consequence, sensitive data might be leaked or lost, which could lead to lawsuits, fines, brand damage, or loss of business.
Needless to say, all the above-mentioned threats could cost too much to ignore. Proactive measures are ultimately always more cost-effective than reactive ones.
Danger Foreseen Is Half Avoided
To tackle the problem, the company needs an effective ITAM system in place, including technological tools, policies, educational programs and sanctions.
Software tools, such as Binadox, can help to monitor what software, including SaaS, the company’s employees use, to ensure that it is not shadow IT and that its Terms of Service comply with the company’s policy.
However, technological tools are not enough. Companies need to implement relevant policies, governing the use of cloud services in particular, to cap possible losses. Sanctions could play a prominent role in the enforcement of such policies.
An important part of the system is raising employees’ awareness of SaaS threats, to help them understand why it’s important to think about data when using cloud apps. Otherwise, people would go to Dropbox without hesitation because it’s a no-brainer.
According to Sid Nag, the Gartner research director, “the market for public cloud services is continuing to demonstrate high rates of growth across all markets and Gartner expects this to continue through 2017.” Thus, there is no way to avoid SaaS; on the contrary, trying to avoid it is counterproductive. However, the company should stay aware of cloud-computing risks and be proactive in order to limit potential liabilities and expenditures, and to protect its reputation while pursuing new technological trends.