One of those was for storing presentations by the board of directors. Only a limited number of people would be interested in such an application, and after a few calls, the CEO's administrative assistant told me, "Sure, we've been using that app for almost a year now." She had used her own credit card to sign up for one year of service for $3,000 and then filed an expense report. What's the harm, right? Well, after looking into this app a bit, I found that it uses no encryption, has a poor authentication model and offers no process to remove users once they no longer need access. I don't think we want our board presentations uploaded to such a rickety infrastructure.
We also found that a business group had contracted for the use of a SaaS knowledge base for our customers. Some very sensitive, proprietary information was being stored on that site, which offered no encryption in transit (SSL) or at rest, no proper account management and no redundancy if the site went down. Sadly, our intellectual property was potentially being put at risk of exposure in this way even though we already have a very robust knowledge base of our own. Unfortunately, this particular group knew nothing about that existing knowledge base and set off on its own to fill its needs.
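Both of these finds came out of reviewing where money was going, not out of any network tooling: a one-year subscription on a personal credit card and a business-group contract. The script below is an added example, not part of this column or of any product mentioned in it, showing how a security team can turn an expense or corporate-card export into a shadow-SaaS discovery list. The CSV rows, merchant names, amounts and keyword list are all constructed for illustration; an operator would feed in the finance system's real export and tune the keyword list to local vendors.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export of expense-report / corporate-card line items.
# Employees, merchants, dates and amounts are made up for this example.
SAMPLE_EXPENSE_CSV = """employee,date,merchant,amount,memo
ea-ceo,2011-03-02,BoardDocs Cloud Inc,3000.00,annual subscription board portal
jsmith,2011-03-05,Office Depot,42.17,toner
mlee,2011-03-07,KBHosted.com,199.00,monthly plan
mlee,2011-04-07,KBHosted.com,199.00,monthly plan
rpatel,2011-04-09,KBHOSTED COM,199.00,
tnguyen,2011-04-11,Delta Air Lines,512.30,travel
"""

# Words in a merchant name or memo that usually indicate a hosted service
# rather than a one-off purchase. This list is an assumption; tune it to
# the vendors that actually show up in your own expense data.
SAAS_HINT = re.compile(
    r"(subscription|monthly|annual|saas|hosted|cloud|portal|online|\.com|\.io)",
    re.IGNORECASE,
)

# Corporate suffixes and punctuation stripped so that "KBHosted.com" and
# "KBHOSTED COM" collapse to the same merchant key.
NOISE = re.compile(r"\b(inc|llc|ltd|corp|com)\b|[^a-z0-9 ]")


def normalize_merchant(name: str) -> str:
    """Lower-case a merchant string and drop suffixes/punctuation."""
    key = NOISE.sub(" ", name.lower())
    return " ".join(key.split())


def find_shadow_saas(csv_text: str):
    """Return merchants that look like unsanctioned hosted services.

    A merchant is flagged when a line item carries a service keyword, or when
    the same merchant is charged in two or more distinct months (recurring
    billing). Results are sorted by total spend, highest first, and record
    who is paying so the security team knows whom to call.
    """
    by_merchant = defaultdict(
        lambda: {"employees": set(), "months": set(), "total": 0.0, "reasons": set()}
    )
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = normalize_merchant(row["merchant"])
        entry = by_merchant[key]
        entry["employees"].add(row["employee"])
        entry["months"].add(row["date"][:7])  # YYYY-MM
        entry["total"] += float(row["amount"])
        if SAAS_HINT.search(row["merchant"] + " " + (row["memo"] or "")):
            entry["reasons"].add("service keyword")

    findings = []
    for key, entry in by_merchant.items():
        if len(entry["months"]) >= 2:
            entry["reasons"].add("recurring charge")
        if entry["reasons"]:
            findings.append(
                {
                    "merchant": key,
                    "employees": sorted(entry["employees"]),
                    "total": round(entry["total"], 2),
                    "reasons": sorted(entry["reasons"]),
                }
            )
    findings.sort(key=lambda f: f["total"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in find_shadow_saas(SAMPLE_EXPENSE_CSV):
        print(
            f"{finding['merchant']:<20} ${finding['total']:>8.2f}  "
            f"{', '.join(finding['employees'])}  [{'; '.join(finding['reasons'])}]"
        )
```

On the constructed data this surfaces the $3,000 board-portal subscription (one payer, keyword match) and the knowledge-base host (two payers, recurring), while the toner and airfare lines fall through. The merchant normalization matters more than it looks: card processors render the same vendor several ways, and without it a service paid for by three different people across three spellings reads as three small purchases instead of one adopted platform.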
We found several other rogue IT projects that will have to be dealt with either by sanctioning them or forcing them into an early retirement in favor of more robust corporate solutions.
All in all, not a great week, but I guess it's better to know about all of this stuff than it is to remain blissfully ignorant.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.