Shadow clouds on horizon as cloud expands

Rogue 'shadow clouds' will need to be managed

If you think "cloud networks" and "cloud services" are just buzzwords or another set of technologies destined for extinction, think again: The cloud is here to stay. In the future, your company will subscribe to one or more cloud products -- if it hasn't already.

A friend of mine asked if we would prevent unauthorized cloud products, which he called "shadow clouds," from starting to appear on our networks. His question isn't as strange as it might sound. Every new, big technology leap has also brought in a deluge of unmanaged instances -- think instant messaging or social network sites. Shadow clouds would, in fact, be a more significant threat to your company's confidential information than IM or social networking blogs. All computer services and presences need to be managed to ensure compliant security, content, and messaging, but with a shadow cloud, you're at greater risk because your company's confidential data is more likely to be hosted on the cloud provider's systems. Ridiculous or unusual though it may sound, IT security should start preparing now for the emergence of shadow clouds.

When IM went mainstream in the late 1990s, no IT person I know thought it was a necessary service or expected it would hang around long enough to become a legitimately used and approved corporate product. It just started popping up on various users' desktops -- and there was hardly any worry about the potential security risks or inadvertent information disclosure. Early on, most IT administrators went around uninstalling it where they found it and wagging a finger at what I mostly now call "early adopters."

Social networking has a similar story. I don't think any of us foresaw the use of MySpace, Facebook, or Twitter as a business tool. Today, companies are often more worried about their Twitter followers than about how many people viewed their Super Bowl commercials. A new employee candidate might be hired or fired over what appears on his or her social network page. Get arrested, and all your online musings are reposted in the newspaper.

But the closest experience I have to shadow clouds is the Web itself. When the Internet first emerged, only the über geeks populated it, but I remember a turning point in the early 1990s where it seemed nearly every department in my company had an unauthorized Web presence. Even to this day, when I perform a Website survey for any company, I find far more sites on the Net than anyone in the company has documented. If you aren't aware of a security risk, how can you manage it?

Managing various cloud services at your organization requires preparation, including finding answers to an array of questions. How secure is the cloud offering? What are the security policies and availability guarantees? What types of confidential information will be hosted in the cloud? What are the encryption and backup policies? Are the cloud's services redundant to other existing services? If the cloud closes, what happens to your company's information? Can it be resold to other vendors without your consent? Non-IT users aren't likely to ask these types of questions. More likely, they will read the cloud vendor's marketing hype, try it for a short period, sign up, and begin using it.

I recommend that organizations follow these steps to prepare for cloud services.

Create a cloud services/product policy. Define and approve the bare minimums that will be accepted for anyone to do business with any cloud vendor, and publish the new cloud policies along with your other computer security policies and make them available to end-users.

Create a document or database that tracks the various approved or found cloud services or products. That way, you'll have one place for any IT person to see if a particular cloud is approved. If you don't implement this component, you'll have a hard time figuring out which cloud product is approved and which is a shadow cloud that needs remediation or mitigation.

Lastly, it can't hurt to start thinking of ways to detect rogue shadow clouds. This last one has me stumped because I can't think of an easy way to do it. Detecting rogue IM services was easy because all the major service providers used a fairly static set of domains or IP addresses. You could configure outbound firewalls or IDSes to send an alert when one was used. But cloud services can essentially exist anywhere on the Web, so the detection problem becomes inherently harder.
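
One partial starting point, given here as an added example that is not part of the original column: since a static blocklist no longer works, invert the check and compare outbound proxy logs against the tracking database of approved services, flagging any unlisted destination that receives a large volume of uploads. The log format (user, host, bytes sent, bytes received), every domain name, and the 500,000-byte threshold are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed inventory: stands in for the tracking document/database of approved clouds.
APPROVED = {"approved-crm.example", "approved-storage.example"}
# Constructed internal suffix: the company's own hosts are never shadow-cloud candidates.
INTERNAL = {"corp.example"}

# Constructed proxy log lines: user host bytes_sent bytes_received
SAMPLE_LOG = """\
alice files.approved-storage.example 900000 1200
bob   upload.unknown-notes.example   750000 900
carol upload.unknown-notes.example   400000 800
dave  www.news-site.example          600    250000
erin  intranet.corp.example          50000  70000
bob   api.unknown-notes.example      300000 500
# comment
malformed line
"""

def matches(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = host.lower().rstrip(".")
    # Require a dot boundary so "notapproved-crm.example" does not pass as approved.
    return any(host == d or host.endswith("." + d) for d in domains)

def find_shadow_candidates(log_text, approved, min_upload=500_000):
    """Return [(host, total_bytes_sent, sorted_users)] for unlisted hosts
    whose total upload volume meets the threshold, largest first."""
    sent = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip comments and malformed lines
        user, host, uploaded = parts[0], parts[1].lower(), int(parts[2])
        if matches(host, approved) or matches(host, INTERNAL):
            continue
        sent[host] += uploaded
        users[host].add(user)
    hits = [(h, b, sorted(users[h])) for h, b in sent.items() if b >= min_upload]
    return sorted(hits, key=lambda hit: -hit[1])

if __name__ == "__main__":
    for host, total, who in find_shadow_candidates(SAMPLE_LOG, APPROVED):
        print(f"review: {host} received {total} bytes from {', '.join(who)}")
```

Each hit is a candidate for review, not a verdict: the result is either a new entry in the approved list or a shadow cloud that needs remediation or mitigation.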
