How Internal End Users Impact Security Risks

The cloud has helped to bring IT into the hands of the non-IT professional. It is easy, fast, and cheap for a business user to contract with any number of cloud services. And with the increase in the use of mobile devices, business users can easily access and share company data wherever they are located. The IT team no longer holds all of the control. This democratization of IT brings with it the problem that non-IT professionals are just not aware of the risks that cloud computing can have. This is not their fault; they’ve never had to think about IT security in the past. Some of the reasons why include:

For the most part, their interactions with cloud computing are through various SaaS programs, ranging from enterprise-level applications like Workday and Salesforce.com to consumer applications like Facebook, Flickr, Yelp, LinkedIn, and many others. Users of these SaaS offerings typically take for granted the complex security that is built into each level of the application.

Employees are used to acquiring compute resources from the IT team. The IT team is of course well aware of security risks and follows best practices for things like systems configuration, software maintenance, and access control.

The compute power that teams traditionally acquired from IT came from an internal data center that has strong security measures in place.

The reality is that non-IT teams typically don’t know why the data center is secure, nor have they ever cared — all they need to know is that it “works.” They don’t realize that most of the technologies involved in making the data center secure are not built into basic public cloud virtual machines. In fact, some cloud vendors make it very clear in their SLAs that users are completely responsible for securing their cloud environment — not something somebody pulling out their corporate card to spin up a virtual machine is likely to appreciate.

Security measures taken by the IT department can be easily undermined by well-meaning business users who do not have an understanding of best practices for maintaining security in cloud environments. For example, sharing of passcodes for a SaaS application is a common practice in some companies and can lead to secure information ending up in the wrong hands.
