Cloud adopters still struggling to see what shadow-IT users are doing

More than half of companies adopting cloud services have experienced security incidents related to those cloud services, according to new research that also identified poor enforcement of policies around shadow IT, user logins and audit controls.

The findings of the Bitglass-Cloud Security Alliance (CSA)'s Mitigating Risk for Cloud Applications report, for which 176 CISOs or equivalent security professionals were surveyed, suggested a yawning gap between theory and action around shadow IT – the unsanctioned adoption of cloud services by employees.

While 93 percent of respondents said they are still concerned about shadow IT, only 62 percent have written policies discouraging employee use of unsanctioned apps and fewer still are actually using technology to block their use: just 38 percent block unsanctioned apps, while 29 percent said they use proxies or firewalls that intercept users trying to access such apps and redirect them to sanctioned equivalents.

The findings have concerning implications for enterprise security given that fully 59 percent of the organisations in the survey admitted to having had security incidents related to unwanted external sharing of data. Some 47 percent said they had had to deal with incidents involving access from unauthorised devices, while 32 percent said they had had cloud data synced to lost or stolen devices.

This, combined with suggestions that just 29 percent of businesses keep audit logs and 28 percent have visibility of user logins, suggests that most shadow IT activity continues to be conducted well outside of the scrutiny of CISOs and IT administrators.

Only 49 percent could even tell where and when sensitive data was being downloaded from the cloud. “Visibility into an organisation's cloud environment is still an issue,” the report's authors note, echoing long-standing concerns about visibility that some argue are forcing CISOs to take new approaches to risk management. “Employees are leveraging the easy deployment of SaaS applications for productivity and collaboration benefits but use of these products can stretch beyond the sight of IT departments.”

To tighten their cloud-security controls, some 32 percent of respondents said they were exploring options around introducing data leakage prevention while 20 percent said they were looking to control access from unmanaged devices.

User behaviour analytics and control were cited as priorities by 15 percent of respondents, while just under 15 percent were introducing cloud encryption – a security approach that has both good and bad sides. Interestingly, while compromises of employees' cloud credentials were also widely reported – with 29 percent of respondents dealing with such an issue and 22 percent saying they had had to deal with malicious insiders – two-thirds of respondents said they had moderate or no concerns about their cloud application vendors being compromised.

Despite their faith in the cloud platforms themselves, however, respondents still indicated lingering concerns about shadow IT – with 30 percent of respondents saying they were more concerned about shadow IT than last year and just 13 percent saying they were less concerned. Fully 19 percent of respondents admitted they had no policies about BYOD at all.

Such findings reflect ongoing concern about the need for effective and seamless identity management and reinforce the need for rapid action to tighten up security around cloud deployments. A recent Ponemon Institute study, for example, found similar problems, noting that Australian businesses were well behind other countries in areas such as proactively managing privacy and data-protection compliance, and in evaluating cloud providers' security before adopting their cloud solutions.

Join the CSO newsletter!

Error: Please check your email address.

Tags shadow ITUnknown assetsit administratorscloud securitycloud security alliancecloud computingunauthorised accesscyber securityCSA

More about CSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts