
Security Risks from Internal End Users in a Hybrid Cloud Environment

By Judith Hurwitz, Marcia Kaufman, Fern Halper, Daniel Kirsch

You can implement all the latest technical security controls in your hybrid cloud environment and still face security risks if your internal end users don’t have a clear understanding of their role in keeping the cloud environment secure.

Cloud services provide non-IT professionals with more control over their IT environment than ever before. As a result, the organization benefits from increased efficiency, flexibility, and productivity. However, there is also a much greater likelihood that an end user can impact security if they don’t understand the implications of their actions.

The cloud has helped bring IT into the hands of the non-IT professional. It is easy, fast, and cheap for a business user to contract with any number of cloud services. And with the increase in the use of mobile devices, business users can easily access and share company data wherever they are located. The IT team no longer holds all the control.

This democratization of IT brings with it the problem that non-IT professionals are simply not aware of the risks that cloud computing can carry. This is not their fault; they have never had to think about IT security in the past. Some of the reasons include:

  • Their interactions with cloud computing are mostly through various SaaS (Software as a Service) programs, ranging from enterprise-level applications like Workday to consumer applications like Facebook, Flickr, Yelp, LinkedIn, and many others. Users of these SaaS offerings typically take for granted the complex security that is built into each layer of the application.

  • Employees are used to acquiring computing resources from the IT team. The IT team is of course well aware of security risks and follows best practices for things like systems configuration, software maintenance, and access control.

  • Computing power that teams traditionally acquired from IT came from an internal data center that had strong security measures in place.

The reality is that non-IT teams typically don’t know why the data center is secure, nor have they ever cared — all they need to know is that it “works.” They don’t realize that most of the technologies involved in making the data center secure are not built into basic public cloud virtual machines. In fact, some cloud vendors make it very clear in their SLAs that users are completely responsible for securing their cloud environment.

Security measures taken by the IT department can be easily undermined by well-meaning business users who don’t understand best practices for maintaining security in cloud environments. For example, sharing passwords for a SaaS application is a common practice in some companies and can lead to sensitive information ending up in the wrong hands.