11/7/2014

3 IT Practices That Add Risk To Cloud

Poor governance, sloppy data handling, and IAM missteps all increase cloud risk.

Over the past week, several studies have shed more light on how cloud and SaaS practices within enterprises are changing the face of IT security. The data, along with common sense, shows that IT is well past the point of no return when it comes to blocking cloud deployment for the sake of security. There may still be hope for reducing the risk of cloud usage, however, by engaging the IT department more closely at every stage, from procurement through deployment and ongoing administration.

Abdicating security oversight
One of the studies, a Ponemon Institute brief titled "The Challenges of Cloud Information Governance" (PDF), showcased one of the foundational risks of cloud deployment: lack of security oversight in the evaluation and administration of cloud assets. The survey showed that in 47% of organizations, the security team is rarely or never involved in cloud decisions. That probably explains why only about one third of organizations polled have a policy that requires the use of security safeguards, such as encryption, as a condition for using certain cloud applications.

Meanwhile, when evaluating potential cloud apps, just 53% of organizations say they evaluate the security capabilities of the cloud provider prior to deployment. Even within that group, only 16% report that the security team is the one most responsible for that evaluation.

The reason for the absence of security engagement is up for debate. Some would say that security is simply being sidestepped by corporate IT and line-of-business users. However, there's a strong argument to be made that security's years-long, draconian rule-making around cloud led to this -- and that these teams ultimately abdicated their oversight by refusing to work with users to give them what they needed to get work done. Regardless of where the finger is pointed, the fact is that without security experts in the mix, the risk of cloud application usage will remain high.

Surrendering unencrypted data without a fight
That same Ponemon report showed that 64% of organizations are letting their data reach the cloud completely unencrypted. That's pretty scary considering how lax many cloud providers are in their storage practices.

According to the "Netskope Cloud Report" released last week, 70% of the data enterprises upload to cloud storage apps goes to apps that don't separate tenant data in the cloud. Even more troubling are the terms of service for some cloud apps: Netskope found that 21% of data uploaded to business intelligence apps goes to vendors whose terms of service say they own that data.

Meanwhile, usage of cloud apps continues to skyrocket. Netskope reported that enterprises saw an average of 579 cloud apps in use by employees last month, compared to 397 in January. And as they stream corporate data to those apps, the sad state of affairs is that nearly 89% of them are not enterprise ready, according to Netskope's benchmark scoring method, which is based on the Cloud Security Alliance's security guidelines.

Failing to shoot zombie accounts in the head
Getting a handle on identity and access management (IAM) for cloud accounts could go a long way toward reducing cloud risks. Unfortunately, many organizations still lag in this regard, as evidenced by a report out this week from Adallom. At the moment, nearly 20% of enterprise users bypass IAM controls, the report showed.

Meanwhile, approximately 11% of all enterprise SaaS accounts today are "zombie" accounts: accounts that still have access to the application but have been inactive for three months or longer. These accounts "are at best eating up the cost of a license, and at worst increase the attack surface of the organization," the report explains.

Perhaps even more distressing, though, are orphan accounts. Enterprises still lag badly when it comes to deprovisioning cloud accounts after employees have left. According to Adallom, 80% of companies have at least one former employee whose SaaS application credentials remain enabled.
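The two account categories described above can be flagged mechanically once an organization joins its SaaS account inventory to its HR roster. The following is an added example, not code from the article or from Adallom; the account records, the employee roster and the reference date are constructed, and the "three months" threshold is taken as 90 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# "Inactive for three months or longer" -- assumed here to mean 90 days.
ZOMBIE_THRESHOLD_DAYS = 90


@dataclass(frozen=True)
class SaasAccount:
    user: str             # identity the SaaS account is bound to
    app: str              # which SaaS application
    enabled: bool         # can the credentials still authenticate?
    last_login: Optional[date]  # None means the account never logged in


def classify_accounts(accounts: List[SaasAccount],
                      active_employees: Set[str],
                      today: date) -> Dict[str, List[SaasAccount]]:
    """Split enabled accounts into 'orphan' (owner has left the company)
    and 'zombie' (owner still employed but no login for >= 90 days).
    Disabled accounts are already deprovisioned and are ignored."""
    result: Dict[str, List[SaasAccount]] = {"orphan": [], "zombie": []}
    for acct in accounts:
        if not acct.enabled:
            continue
        # Orphan check comes first: a departed user's account is a risk
        # regardless of how recently it was used.
        if acct.user not in active_employees:
            result["orphan"].append(acct)
            continue
        never_used = acct.last_login is None
        if never_used or (today - acct.last_login).days >= ZOMBIE_THRESHOLD_DAYS:
            result["zombie"].append(acct)
    return result


# Constructed sample data: a small SaaS inventory and the current HR roster.
TODAY = date(2014, 11, 7)
ACTIVE_EMPLOYEES = {"alice", "bob", "carol"}
SAMPLE_ACCOUNTS = [
    SaasAccount("alice", "crm",     True,  TODAY - timedelta(days=5)),    # healthy
    SaasAccount("bob",   "crm",     True,  TODAY - timedelta(days=120)),  # zombie
    SaasAccount("carol", "bi",      True,  None),                         # zombie (never used)
    SaasAccount("dave",  "storage", True,  TODAY - timedelta(days=10)),   # orphan: dave has left
    SaasAccount("erin",  "storage", False, TODAY - timedelta(days=400)),  # deprovisioned, ignored
]

if __name__ == "__main__":
    for kind, accts in classify_accounts(SAMPLE_ACCOUNTS, ACTIVE_EMPLOYEES, TODAY).items():
        print(kind, [(a.user, a.app) for a in accts])
```

Orphans surface as soon as the roster join runs, so wiring this check into the leaver process catches the 80% case the report describes rather than waiting for a quarterly review.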


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Bprince,
User Rank: Ninja
11/13/2014 | 4:39:09 AM
shadow IT
Side-stepping security - not really a good idea. Had a good conversation not too long ago with someone about the idea of making sure security and line-of-business people met to discuss what apps were being used, what is needed now, and what may be needed in the future to prevent shadow IT from spiraling out of control.
Charlie Babcock,
User Rank: Ninja
11/7/2014 | 6:59:31 PM
Ponemon on point
The Ponemon Institute is once again highlighting an underappreciated security risk. They do a good job of bird-dogging security issues. The three cited, Ericka, are good ones.