More than half of companies adopting cloud services have experienced security incidents related to those cloud services, according to new research that also identified poor enforcement of policies around shadow IT, user logins and audit controls.
The findings of the Bitglass-Cloud Security Alliance (CSA)'s Mitigating Risk for Cloud Applications report, for which 176 CISOs or equivalent security professionals were surveyed, suggested a yawning gap between theory and action around shadow IT – the unsanctioned adoption of cloud services by employees.
While 93 percent of respondents said they are still concerned about shadow IT, only 62 percent have written policies discouraging employee use of unsanctioned apps and fewer still are actually using technology to block their use: just 38 percent block unsanctioned apps, while 29 percent said they use proxies or firewalls that intercept users trying to access such apps and redirect them to sanctioned equivalents.
The findings have concerning implications for enterprise security given that fully 59 percent of the organisations in the survey admitted to having had security incidents related to unwanted external sharing of data. Some 47 percent said they had had to deal with incidents involving access from unauthorised devices, while 32 percent said they had had cloud data synced to lost or stolen devices.
This, combined with suggestions that just 29 percent of businesses keep audit logs and 28 percent have visibility of user logins, suggests that most shadow IT activity continues to be conducted well outside of the scrutiny of CISOs and IT administrators.
Only 49 percent could even tell where and when sensitive data was being downloaded from the cloud. “Visibility into an organisation's cloud environment is still an issue,” the report's authors note, echoing long-standing concerns about visibility that some argue are forcing CISOs to take new approaches to risk management. “Employees are leveraging the easy deployment of SaaS applications for productivity and collaboration benefits but use of these products can stretch beyond the sight of IT departments.”
To tighten their cloud-security controls, some 32 percent of respondents said they were exploring options around introducing data leakage prevention while 20 percent said they were looking to control access from unmanaged devices.
User behaviour analytics and control were cited as priorities by 15 percent of respondents, while just under 15 percent were introducing cloud encryption – a security approach that has both good and bad sides. Interestingly, while compromises of employees' cloud credentials were also widely reported – with 29 percent of respondents dealing with such an issue and 22 percent saying they had had to deal with malicious insiders – two-thirds of respondents said they had moderate or no concerns about their cloud application vendors being compromised.
Despite their faith in the cloud platforms themselves, however, respondents still indicated lingering concerns about shadow IT – with 30 percent of respondents saying they were more concerned about shadow IT than last year and just 13 percent saying they were less concerned. Fully 19 percent of respondents admitted they had no policies about BYOD at all.
Such findings reflect ongoing concern about the need for effective and seamless identity management and reinforce the need for rapid action to tighten up security around cloud deployments. A recent Ponemon Institute study, for example, found similar problems, noting that Australian businesses were well behind other countries in areas such as proactively managing privacy and data-protection compliance, and in evaluating cloud providers' security before adopting their cloud solutions.
- In the Clouds of ANZ’s Changing Innovation Horizon
- The week in security: Cloud security passes tipping point; Microsoft security circumvented
- No breaches, but cloud and smartphones challenges still lie ahead
- Locky ransomware spreads with macro-enabled .docm Word docs
- Government guidance is helping CISOs impose controls on DevOps' cloud flexibility