Over the past week, several studies have shed more light on how cloud and SaaS practices within enterprises are changing the face of IT security. The data, along with common sense, shows that IT is way beyond the point of no return when it comes to stopping cloud deployment for the sake of security. However, there may be hope for reducing risk from cloud usage through more engagement of the IT department from procurement, through deployment and administration.
Abdicating security oversight
One of the studies, a Ponemon Institute brief titled "The Challenges of Cloud Information Governance" (PDF), showcased one of the foundational risks of cloud deployment: lack of security oversight in the evaluation and administration of cloud assets. The survey showed that in 47% of organizations, the security team is rarely or never involved in cloud decisions. Which probably explains why only about one third of organizations polled have a policy that requires the use of security safeguards like encryption as a condition for using certain cloud applications.
Meanwhile, when evaluating potential cloud apps, just 53% of organizations say they evaluate security capabilities of the cloud provider prior to deployment. And even within that group, only 16% report that it is the security team most responsible for that evaluation.
The reason for the absence of security engagement is up for debate. Some would say that the security is simply being sidestepped by corporate IT and line-of-business users. However, there's a strong argument to be made that security's years-long, draconian rule-making when it came to cloud led to that -- and that these teams ultimately abdicated their oversight by refusing to work with users to give them what they needed to get work done. Regardless of where the finger's pointed, the fact is that without security experts in the mix, the risk of cloud application usage will remain high.
Surrendering unencrypted data without a fight
That same Ponemon report showed that 64% of organizations are letting their data hit the cloud completely unencrypted. That's pretty scary considering how lax many cloud providers are in their storage practices.
According to the "Netskope Cloud Report" released last week, 70% of data uploaded to cloud storage apps used by enterprises are ones that don't separate tenant data in the cloud. Even more terrifying are the terms of service for some cloud apps. Netskope found that 21% of data uploaded to business intelligence apps is to vendors who say they own that data in their terms of service.
Meantime, usage of cloud apps just continues to skyrocket. Netskope reported enterprises saw an average of 579 cloud apps in use by employees last month compared to 397 in January. And as they stream corporate data to those apps, the sad state of affairs is that nearly 89% of them are not enterprise ready, according to Netskope's benchmark scoring method based on the Cloud Security Alliance's security guidelines.
Failing to shoot zombie accounts in the head
Getting a handle on identity and access management (IAM) for cloud accounts could go a long way toward reducing cloud risks. Unfortunately, many organizations still lag in this regard, as evidenced by a report out this week by Adallom. At the moment, nearly 20% of enterprise users bypass IAM controls, the report showed.
Meantime, approximately 11% of all enterprise SaaS accounts today are "zombie" accounts. These accounts have access to the application, but have been inactive for three months or longer. These accounts "are at best eating up the cost of a license, and at worst increase the attack surface of the organization," the report explains.
Perhaps even more distressing, though, are orphan accounts. Enterprises still lag badly when it comes to deprovisioning cloud accounts after employees have left their positions. According to Adallom, 80% of companies have at least one former employee whose SaaS application credentials still remain enabled.