It is 12 years since Donald Rumsfeld said “there are known knowns; there are things we know we know … there are known unknowns; … we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know”. Is this where you are with cloud computing?
Most enterprises I have seen recently have cloud services that fall into all three categories. However, we also have a forth option – the unknown knowns – those things that someone knows inside the organisation, but are unknown to IT.
Our aim should be to migrate cloud services to known knowns and manage them for the good of the business, let’s take each one in turn.
A cloud service provider that the organisation has sanctioned for employee use. We probably have a contract with them, we have checked the legal and technical offering, it is McAfee (formerly Skyhigh Networks) Enterprise-Ready ™ providing the most stringent requirements for data protection, identifty verification, service security, business practices and legal protection.
For these known knowns we should continuous check their status and consider whether we are using the numbers of licenses we are paying for, whether we should add DLP, encryption, tokenization or other services, then promote them broadly to our users.
A common example of a “known known” is Salesforce.
Face it; we know that our employees are using public services to share data either within the company or with business partners. Even organisations that have signed an agreement with a cloud storage provider will often find that some employees continue to share data using these other services. This may not be a security problem, for example a marketing person sharing graphics and logos with a design house.
For these known unknowns we should identify what these services are and who is using them, and analyse whether they fit within the organisation’s data protection requirements. Identifying known unknowns can be a very important indicator of business needs, enabling IT to offer the appropriate low-risk services to users.
Once the known unknowns have been identified, they are unknowns no longer – choose the services the enterprise needs and treat as you would the known knowns. Then, services such as McAfee’s can integrate with your proxies and next generation firewalls to train users with splash pages and block those services that do not conform to your risk profile.
A common example of a “known unknown” is Dropbox.
In most organisations, someone, somewhere signs up with a provider without asking for IT, legal or management approval. Possibly for a short-term need, the employee is making their own decision and “I just signed up quickly as I didn’t want to bother anyone”. In fact in my last company I did this myself to get a cloud-based lead collection app for iOS devices for a one week exhibition – I am the type of employee that perhaps you want to control (sorry!)
So, the LOB makes a decision and acts upon it quickly. This may not be a risk, but it might be a disaster waiting to happen and IT and compliance should know. You need to be able to discover these (and as needs change you need to check on an ongoing basis – someone could be signing up for a new service this minute). Again, a good indicator of employee need – bring on-board those services you trust and turn them into known knowns.
A common example of an “unknown known” is QuickTapSurvey.
We don’t know what we don’t know – Donald was so right! Here’s a challenge, can you name 831 cloud services? No? Me neither, but in our latest Cloud Adoption and Risk Report, that’s the AVERAGE number of services being used in large enterprises.
There’s no doubt that we have unknown unknowns, of course, this is where many of the highest risk services live. Compliance, legal and IT are responsible for the data lost by employees and the organisation needs to identify these, decide which to support, then integrate with the proxies and firewalls as before and block or control those services your users shouldn’t be using.
A common example of an “unknown unknown” is LiveLeak.
The unknown unknowns are growing every day. McAfee’s database of cloud services is increasing by around 100 a week – keep checking as an employee may be signing up for a new risky service as you are reading this blog. Its time to act.
About the Author
Categories: Cloud Security