3 IT Practices That Add Risk To Cloud

Poor governance, sloppy data handling, and IAM missteps all increase cloud risk.

Over the past week, several studies have shed more light on how cloud and SaaS practices within enterprises are changing the face of IT security. The data, along with common sense, shows that IT is well beyond the point of no return when it comes to stopping cloud deployment for the sake of security. However, there is hope for reducing the risk of cloud usage through more engagement of IT security teams from procurement through deployment and administration.

Abdicating security oversight
One of the studies, a Ponemon Institute brief titled "The Challenges of Cloud Information Governance," showcased one of the foundational risks of cloud deployment: lack of security oversight in the evaluation and administration of cloud assets. The survey showed that in 47% of organizations, the security team is rarely or never involved in cloud decisions. That probably explains why only about one third of the organizations polled have a policy that requires security safeguards such as encryption as a condition for using certain cloud applications.

Meanwhile, when evaluating potential cloud apps, just 53% of organizations say they evaluate security capabilities of the cloud provider prior to deployment. And even within that group, only 16% report that it is the security team most responsible for that evaluation.

The reason for the absence of security engagement is up for debate. Some would say that security is simply being sidestepped by corporate IT and line-of-business users. However, there's a strong argument to be made that security's years-long, draconian rule-making when it came to cloud led to that -- and that these teams ultimately abdicated their oversight by refusing to work with users to give them what they needed to get work done. Regardless of where the finger is pointed, the fact is that without security experts in the mix, the risk of cloud application usage will remain high.

Surrendering unencrypted data without a fight
That same Ponemon report showed that 64% of organizations are letting their data hit the cloud completely unencrypted. That's pretty scary considering how lax many cloud providers are in their storage practices.

According to the "Netskope Cloud Report" released last week, 70% of the data enterprises upload to cloud storage apps goes to apps that don't separate tenant data in the cloud. Even more troubling are the terms of service for some cloud apps: Netskope found that 21% of the data uploaded to business intelligence apps goes to vendors whose terms of service say they own that data.

Meantime, usage of cloud apps just continues to skyrocket. Netskope reported that enterprises saw an average of 579 cloud apps in use by employees last month, compared to 397 in January. And as employees stream corporate data to those apps, the sad state of affairs is that nearly 89% of the apps are not enterprise ready, according to Netskope's benchmark scoring method, which is based on the Cloud Security Alliance's security guidelines.

Failing to shoot zombie accounts in the head
Getting a handle on identity and access management (IAM) for cloud accounts could go a long way toward reducing cloud risks. Unfortunately, many organizations still lag in this regard, as evidenced by a report out this week by Adallom. At the moment, nearly 20% of enterprise users bypass IAM controls, the report showed.

Meantime, approximately 11% of all enterprise SaaS accounts today are "zombie" accounts. These accounts have access to the application, but have been inactive for three months or longer. These accounts "are at best eating up the cost of a license, and at worst increase the attack surface of the organization," the report explains.

Perhaps even more distressing, though, are orphan accounts. Enterprises still lag badly when it comes to deprovisioning cloud accounts after employees have left their positions. According to Adallom, 80% of companies have at least one former employee whose SaaS application credentials still remain enabled.
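The two findings above (zombie accounts idle for three months or longer, and orphan accounts belonging to people who have left) are the kind of thing a security team can check for itself by reconciling a SaaS admin user export against the HR roster. The script below is an added example written for this page; it is not code from the article or from Adallom's report. The CSV export layout, the roster format, the account names and the fixed "now" date are all constructed for illustration, and real vendor exports will differ in column names and date formats.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The article's definition of a zombie: still has access, inactive for three months or longer.
ZOMBIE_AFTER = timedelta(days=90)

# Constructed SaaS admin export (hypothetical column layout; real exports vary per vendor).
# An empty last_login means the user never signed in.
SAMPLE_EXPORT = """\
email,enabled,last_login
alice@example.com,true,2014-11-03T09:12:00+00:00
bob@example.com,true,2014-06-30T17:45:00+00:00
Carol@Example.com,true,2014-11-01T08:00:00+00:00
dave@example.com,true,
erin@example.com,false,2014-01-10T10:00:00+00:00
mallory@contractor.example,true,2014-11-04T12:30:00+00:00
"""

# Constructed HR roster keyed by lower-cased email: "active" or "terminated".
# Anyone absent from the roster is treated as unknown to HR, which is itself a finding.
HR_ROSTER: Dict[str, str] = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "terminated",
    "dave@example.com": "active",
}

# Fixed "now" so the example is deterministic; a scheduled job would use datetime.now(timezone.utc).
NOW = datetime(2014, 11, 5, tzinfo=timezone.utc)


def parse_export(text: str) -> List[dict]:
    """Turn the CSV export into rows with a normalised email, a bool and an aware datetime."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        last_login: Optional[datetime] = None
        if raw["last_login"].strip():
            last_login = datetime.fromisoformat(raw["last_login"].strip())
            if last_login.tzinfo is None:  # assume UTC if the vendor omits the offset
                last_login = last_login.replace(tzinfo=timezone.utc)
        rows.append({
            "email": raw["email"].strip().lower(),  # export and roster must agree on case
            "enabled": raw["enabled"].strip().lower() == "true",
            "last_login": last_login,
        })
    return rows


def classify(rows: List[dict], roster: Dict[str, str], now: datetime) -> Dict[str, List[str]]:
    """Bucket every account as disabled (already deprovisioned), orphan, zombie or ok.

    Orphan is tested before zombie: a terminated employee's still-enabled login is the more
    serious finding even when it was used recently. Never-used licences count as zombies.
    """
    findings: Dict[str, List[str]] = {"orphan": [], "zombie": [], "ok": [], "disabled": []}
    for row in rows:
        if not row["enabled"]:
            findings["disabled"].append(row["email"])
        elif roster.get(row["email"]) != "active":  # terminated, or not known to HR at all
            findings["orphan"].append(row["email"])
        elif row["last_login"] is None or now - row["last_login"] >= ZOMBIE_AFTER:
            findings["zombie"].append(row["email"])
        else:
            findings["ok"].append(row["email"])
    return findings


def report(findings: Dict[str, List[str]]) -> str:
    """Plain-text summary in the order a deprovisioning ticket would list them."""
    lines = []
    for bucket in ("orphan", "zombie", "ok", "disabled"):
        lines.append(f"{bucket}: {', '.join(findings[bucket]) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(classify(parse_export(SAMPLE_EXPORT), HR_ROSTER, NOW)))
```

Run as-is it flags carol (terminated in HR) and mallory (not on the roster) as orphans, bob (last login in June) and dave (never signed in) as zombies, and leaves alice alone; erin is already disabled and is only listed so the reviewer can confirm deprovisioning happened. Normalising the email case matters in practice, since a roster keyed on "carol@example.com" would otherwise miss a SaaS login registered as "Carol@Example.com".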


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

11/13/2014 | 4:39:09 AM
shadow IT
Side-stepping security - not really a good idea. Had a good conversation not too long ago with someone about the idea of making sure security and line of business people met to discuss what apps were being used, what is needed now and what may be needed in the future to prevent shadow IT from spiraling out of control.
Charlie Babcock
11/7/2014 | 6:59:31 PM
Ponemon on point
The Ponemon Institute is once again highlighting an under appreciated security risk. They do a good job of bird-dogging security issues. The three cited, Ericka, are good ones.