Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/7/2014
11:33 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

3 IT Practices That Add Risk To Cloud

Poor governance, sloppy data handling, and IAM missteps all increase cloud risk.

Over the past week, several studies have shed more light on how cloud and SaaS practices within enterprises are changing the face of IT security. The data, along with common sense, shows that IT is way beyond the point of no return when it comes to stopping cloud deployment for the sake of security. However, there may be hope for reducing risk from cloud usage through more engagement of the IT department from procurement, through deployment and administration.

Abdicating security oversight
One of the studies, a Ponemon Institute brief titled "The Challenges of Cloud Information Governance" (PDF), showcased one of the foundational risks of cloud deployment: lack of security oversight in the evaluation and administration of cloud assets. The survey showed that in 47% of organizations, the security team is rarely or never involved in cloud decisions. Which probably explains why only about one third of organizations polled have a policy that requires the use of security safeguards like encryption as a condition for using certain cloud applications.

Meanwhile, when evaluating potential cloud apps, just 53% of organizations say they evaluate security capabilities of the cloud provider prior to deployment. And even within that group, only 16% report that it is the security team most responsible for that evaluation.

The reason for the absence of security engagement is up for debate. Some would say that the security is simply being sidestepped by corporate IT and line-of-business users. However, there's a strong argument to be made that security's years-long, draconian rule-making when it came to cloud led to that -- and that these teams ultimately abdicated their oversight by refusing to work with users to give them what they needed to get work done. Regardless of where the finger's pointed, the fact is that without security experts in the mix, the risk of cloud application usage will remain high.

Surrendering unencrypted data without a fight
That same Ponemon report showed that 64% of organizations are letting their data hit the cloud completely unencrypted. That's pretty scary considering how lax many cloud providers are in their storage practices.

According to the "Netskope Cloud Report" released last week, 70% of data uploaded to cloud storage apps used by enterprises are ones that don't separate tenant data in the cloud. Even more terrifying are the terms of service for some cloud apps. Netskope found that 21% of data uploaded to business intelligence apps is to vendors who say they own that data in their terms of service.

Meantime, usage of cloud apps just continues to skyrocket. Netskope reported enterprises saw an average of 579 cloud apps in use by employees last month compared to 397 in January. And as they stream corporate data to those apps, the sad state of affairs is that nearly 89% of them are not enterprise ready, according to Netskope's benchmark scoring method based on the Cloud Security Alliance's security guidelines.

Failing to shoot zombie accounts in the head
Getting a handle on identity and access management (IAM) for cloud accounts could go a long way toward reducing cloud risks. Unfortunately, many organizations still lag in this regard, as evidenced by a report out this week by Adallom. At the moment, nearly 20% of enterprise users bypass IAM controls, the report showed.

Meantime, approximately 11% of all enterprise SaaS accounts today are "zombie" accounts. These accounts have access to the application, but have been inactive for three months or longer. These accounts "are at best eating up the cost of a license, and at worst increase the attack surface of the organization," the report explains.

Perhaps even more distressing, though, are orphan accounts. Enterprises still lag badly when it comes to deprovisioning cloud accounts after employees have left their positions. According to Adallom, 80% of companies have at least one former employee whose SaaS application credentials still remain enabled.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
11/13/2014 | 4:39:09 AM
shadow IT
Side-stepping security - not really a good idea. Had a good conversation not too long ago with someone about the idea of making sure security and line of business people met to discuss what apps were being used, what is needed and now and what may be needed in the future to prevent shadow IT from spiraling out of control. 
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
11/7/2014 | 6:59:31 PM
Ponemon on point
The Ponemon Institute is once again highlighting an under appreciated security risk. They do a good job of bird-dogging security issues. The three cited, Ericka, are good ones.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.