As security professionals prioritize for 2015, cloud security initiatives once again sit on top of their to-do lists. According to two surveys out in the past week, insider threat and shadow IT concerns continue to thrust cloud security to the forefront, with cloud identity and access management and cloud governance among those controls needing the most help.
“As companies move data to the cloud, they are looking to put in place policies and processes so that employees can take advantage of cloud services that drive business growth without compromising the security, compliance, and governance of corporate data,” said Jim Reavis, CEO of the Cloud Security Alliance, which together with vendor Skyhigh released a report that showed cloud security as the top security priority for IT organizations in 2015.
The highlights from the survey detailed in that report showed that only about 8 percent of organizations today believe they truly know the scope of unauthorized cloud purchasing—so-called shadow IT. This jibes with findings in another report released last week from Netskope, which showed that IT professionals constantly underestimate the extent of shadow IT in their organization—with organizations estimating one-tenth of the actual number of apps found by cloud app audits.
This poses scary consequences as organizational data exits corporate boundaries within unsanctioned apps. For example, 17 percent of organizations last year experienced an insider incident, according to the CSA report, and 15 percent of corporate cloud users have had their credentials compromised, according to the Netskope report.
Part of the reason this situation has arisen is that security organizations are ill-equipped to help their businesses move quickly toward the cloud through well-crafted and balanced cloud governance policies. According to the CSA survey, about a third of organizations today are full-steam ahead with cloud adoption and 51 percent of respondents feel pressured to approve services that don't meet security or compliance requirements. But just 16 percent of organizations have a fully enforced cloud governance policy.
What's more, even among organizations with policies or in the middle of creating a policy through a cloud governance committee, just 43 percent of them include line-of-business representation.
“Employees today have shifted from thinking of apps as a nice-to-have to a must-have, and CISOs must continue to adapt to that trend to secure their sensitive corporate and customer data across all cloud apps, including those unsanctioned by IT,” says Sanjay Beri, CEO and founder of Netskope.
As the CSA concludes in its report, IT in 2015 must find better ways to govern data in the cloud similar to data on premises. Not only will that take investment in enforcement technology, but also collaboration with the very stakeholders who are driving cloud adoption in the first place.
"IT will also need to work more collaboratively with business users to understand the motivations behind shadow IT and enable the cloud services that drive employee productivity and growth in the business without sacrificing security," the report concludes.