Dark Reading

Survey Exposes New Cloud Security Flaws

SailPoint's survey found that business users have gained more autonomy to deploy cloud applications without IT involvement

AUSTIN, December 11, 2012 - According to SailPoint's annual Market Pulse Survey, released today, enterprises are running one-third of their mission-critical applications in the cloud today and expect to have half of all critical applications running in the cloud by 2015. The survey also found that, in many cases, IT organizations are not fully aware of which cloud applications are in use across the enterprise, which makes it more difficult than ever for enterprises to monitor and control user access to mission-critical applications and data. In fact, only 34% of companies bring IT staff into the vendor selection and planning process when a cloud application is procured without using IT's budget, making it very difficult to proactively address security and compliance requirements for those applications. The 2012 Market Pulse Survey, conducted by the independent research firm Loudhouse, is based on interviews of 400 IT and business leaders at large companies in the US and UK.

SailPoint's survey found that business users have gained more autonomy to deploy cloud applications without IT involvement, yet they do not feel responsible for managing access control. In fact, 70% of business leaders believe that IT is ultimately responsible for managing user access to cloud applications. Adding to IT’s challenge, more than 14% of business leaders admit they have no way of knowing if sensitive data is stored in the cloud at all. This lack of visibility and control greatly increases an organization's risk of security breaches, exposure to insider threats and failed audits.

"As organizations adopt cloud applications, they are very likely to increase their risk exposure by putting sensitive data in the cloud without adequate controls or security processes in place," said Jackie Gilbert, VP and GM of SailPoint's Cloud Business Unit. "And this year's survey illustrates how 'at risk' companies already are. Many companies lack visibility not only to what data is in the cloud, but also to who can access that data. It's imperative that companies put in place the right monitoring and controls to mitigate these growing risks."

The consumerization of IT has led to employees taking advantage of new technologies, but will require organizations to evolve their identity and access management processes. For example, while work-based policies such as BYOD (bring your own device) give business users the flexibility to use their own mobile devices, those very same mobile devices are being used to access corporate applications in more than 95% of cases. The ability for users to access corporate applications and data outside of the corporate network puts identity and access management under further strain because IT must now account for user access from a wider variety of devices not completely under their control.

This "consumerization" phenomenon is not only affecting devices but also applications, as many corporate employees are moving beyond BYOD to "bring your own application" (BYOA). BYOA means that today's business users are much more comfortable using consumer or “non-approved” applications for work activities. Less than a third of companies are fully locked down when it comes to application usage at work, which means that these activities frequently take place outside the purview of IT. Alarmingly, the trend also extends to employees using the same passwords for a variety of accounts spanning their personal and professional lives. About half of the business leaders surveyed stated they frequently use the same password for personal web applications as they do for sensitive work applications. This exposes enterprises to new risks and security vulnerabilities should any of those personal applications experience a security breach.

"For the third year in a row, our Market Pulse Survey shows that the majority of large companies remain very concerned about security breaches and their ability to meet regulatory compliance requirements," said Kevin Cunningham, president of SailPoint. "This is due in part to the ever-changing IT landscape that makes existing identity management issues even larger. The consumerization of IT has put enterprises in a difficult position: they want to provide business users the convenience and flexibility promised by cloud and mobile devices, but they must also make sure controls are in place to monitor and manage who has access to what. Regardless of where customers are with their IAM strategy, they need to proactively consider how to govern these new technologies and behaviors within their corporate policies."

The 2012 SailPoint Market Pulse Survey interviewed 200 business leaders responsible for various key business departments and 200 IT decision makers at companies with at least 5,000 employees. Respondents were spread evenly across the US and UK. Interviews were conducted via an online panel. Loudhouse, an independent research agency, conducted the research on behalf of SailPoint. To download the 2012 SailPoint Market Pulse Survey results, please visit: www.sailpoint.com/2012survey.
