In a guest post today, David Klee, a solutions architect from House of Brick Technologies, shares with us some of the top data disasters in recent IT, and one way he sees to avoid them:
What good is a security camera in the dark?
It’s not any good at all.
Without light (infra-red or otherwise), a security camera does nothing to help prevent or record theft, and the same goes for “Shadow IT.” When we don’t have data in the light and under surveillance, our ability to watch over it is drastically impaired.
Chief Security Officers and CIOs know that somewhere in their organization, a well-intentioned developer or business person is moving valuable data into the shadows by putting it in the cloud. This scares the “stuff” out of security-minded executives because 2012 was another wild year of data (in)security around the world. How secure is your data? Do you know who has access to your sensitive data or where each and every copy of your data resides? Do you have a list of all the places corporate data lives in the cloud? If you don’t know, you are in the shadows.
Ten of the most recent public data breaches in the United States include:
Verizon’s 2012 DBIR is a super source of security info and paints a picture of how breaches happen. In my opinion, here are ten of the most recent, impactful, U.S. public data breaches:
- Heartland Payment Systems reaches the top of the list because 134 million credit card details were exposed through insecure code on public-facing web servers in 2008.
- Sony suffered a public relations nightmare in the form of a data breach in its PlayStation Network that exposed the personal information of 77 million users of its cloud-based systems.
- Steam, another online gaming network, suffered the exposure of encrypted payment information of 35 million customers.
- RSA Security experienced a breach of security with their two-factor authentication SecurID tokens, causing the vendor to replace 40 million tokens at over 30,000 companies.
- The South Carolina Department of Revenue lost 3.3 million bank account numbers and 3.8 million tax returns when an employee fell for a phishing attack and hackers gained access to the data.
- A payment processing company called Global Payments confronted a security breach of up to 1.5 million credit card numbers, and lost its PCI compliance status as a result.
- The California Department of Social Services lost 700,000 employees’ payroll information when the physical human-readable microfiche was damaged and some data went missing during its USPS transit.
- Over 780,000 people in Utah were exposed when hackers breached the security of the Utah Department of Health database servers.
- Another 800,000 health and financial records were lost when a tape shipment went missing en route from the California Department of Child Support Services.
- Citigroup was forced to reissue over 200,000 cards after a web site was breached. A second breach of one of its merchants caused another reissue of a smaller number of cards later in the year.
How did we get here?
These examples of security failures and many other breach-related headlines over the last few years are directly related to traditional IT policies and procedures that have simply not kept up with the rapid-fire changes over the last decade. The cloud has multiplied the risk. Corporate IT can move slowly, and, at times, the business suffers from the slow pace of IT. If IT cannot deliver solutions when the business demands, business users will search for alternative options. “Shadow IT,” a term coined to describe uncontrolled processes built and operated without IT approval, moves in. These processes are unsupervised and unregulated. With Shadow IT, the people who are responsible for keeping data secure are in the dark.
The rush to the public cloud, primarily as a means to help IT move as fast as today’s modern business, introduces an entirely new set of concerns—ones that even the board of directors will discuss. As the public cloud ecosystem materializes, business units and IT groups who adopt clouds “under-the-radar” of corporate IT governance are exposing their organizations to increasingly greater threats and vulnerabilities.
When data is in the public cloud, IT security may not know it exists, and data is the heart of Shadow IT process issues. Data flows between applications, systems, and users—thieves, hackers, and activists want it. With more unsecured Shadow IT processes in an organization, more data is also unsecured. Unsecured data puts corporations at risk, potentially exposing millions of dollars of information to the world.
One way to bring Shadow IT into the Light
Attacking Shadow IT properly means addressing the root causes, and understanding why business groups feel the need to work around corporate IT. Securing corporate data should be a high priority for everyone inside a company. VMware vFabric Data Director helps by providing a fenced and secured environment for your IT staff and business units to self-provision data at the speed of business.
Read our latest whitepaper, Increase Policy Compliance with VMware vFabric Data Director, and discover more about how vFabric Data Director can help you overcome Shadow IT and help your business. In the paper, you will find additional information about:
- Shadow IT’s Problems
- Public Cloud Adoption
- Introducing vFabric Data Director Inside Companies (relevant features)
About the Author: David Klee (@kleegeek on Twitter) is a SQL Server performance and virtualization expert. With over fifteen years of IT experience, David spends his days virtualizing mission-critical SQL Servers as a Solutions Architect for House of Brick Technologies. His areas of expertise are virtualization and performance, datacenter architecture, software engineering, security, and business process analysis.