Yes, we know, the word “cloud” has become a cliché — so much so, that CIOs are sick of hearing it. Not only that, but the CIO Journal suggests that everything has been cloud-washed to the extent that no one even knows what “cloud” means anymore.
But it’s not the word “cloud” that the information overlords ought to be worried about. God knows that John in Marketing, Sue in HR and Al in Accounting aren’t thinking “cloud” when they sign up for and log in to prosumer Software-as-a-Service (SaaS) solutions. All they want to do is to get their jobs done with the best and easiest to use solution. And there are plenty to choose from.
Who Is Using What?
These Get-Your-Own-Business apps aren’t generally IT approved. In fact, in many cases, IT has no idea they’re being used — and if it did, it would likely ban them. According to the Netskope Cloud Report that was released yesterday, around 90 percent of the cloud apps being used by companies aren’t enterprise grade.
And while you might think that these illicit apps are few and far between, Netskope’s research reveals that an average of 613 cloud apps can be found in the typical organization. What's more, 20 percent of companies they looked at had more than 1,000 cloud apps.
What this suggests is that CIOs are either unaware of how many cloud apps are running under their noses, or that they have an idea, but don’t want to look, or that they’re simply turning a blind eye because there’s nothing they can do about it, anyways. After all, can they keep workers from updating their Facebook pages or looking to hook up on Match.com or Tinder?
It’s interesting to note, though, that Netskope found that the most widely used cloud apps inside the enterprise, after Google Drive and Facebook, are YouTube, Twitter, Gmail, iCloud, Dropbox and LinkedIn — solutions geared specifically toward businesses.
These apps tend to be free (either initially or within certain limitations) or at a very low cost and require no involvement from IT or procurement to get started. As a result, business users tend to surf the web, pick a cloud app and get busy, without asking permission or notifying anyone. Some popular cloud apps that fit into this category might include Microsoft OneDrive, Box, Accellion, Evernote, HubSpot, Yammer, smartsheet, Concur, Slack …
Don't Ask, Don't Tell
Mind you, we’re not commenting on the enterprise worthiness of these solutions, but that users can get started without their employer’s knowledge. This is how shadow IT gets created.
It’s hard to see your shadow in the dark, said a report that was released by Cloud Security Alliance (CSA) earlier today. CSA’s Cloud Adoption, Practices and Priorities Survey indicates that nearly 72 percent of IT managers admitted that they did not know the number of shadow IT apps within their organization.
Needless to say, this puts the enterprise, its assets and its security at risk.
But shadow IT is only part of the problem; compromised accounts also threaten the enterprise. The Netskope study indicates that 15 percent of corporate users have had their credentials compromised. Possibly due to significant increases in data leaks from major corporations, websites, and cloud apps, a growing number of users are logging into their business cloud apps using compromised credentials, or login names and passwords that have been stolen as part of a data hack or exposure.
It probably comes as a surprise to no one that as many as half of all users reuse their passwords for multiple accounts. As a result, if a hacker can gain access to user credentials in lesser-known apps, they can use them to log into other apps like Salesforce, Box, Concur and WebEx where more sensitive data resides.
Potentially Huge Problem
While corporate IT goes a long way to protect sanctioned apps, it can’t do much to protect corporate data that may reside in SaaS applications it doesn’t know about. Netskope researchers estimate that about 13.5 percent of an organization’s apps are at the intersection of unsanctioned and business critical. Those apps, according to the Netskope report, are most often not protected by single sign-on, nor is multi-factor authentication enforced in them. As a result, they are at risk of being accessed by users with compromised credentials.
Exposure in an unsanctioned app can have a spillover effect because the same credentials can then be used to log into sanctioned or semi-sanctioned apps, leaving breaches difficult to detect.
And as if all of that weren’t problem enough, Netskope reports that Data Loss Prevention (DLP) violations run rampant. The study looked not only at content en route to or from cloud apps, but also at content residing within apps, irrespective of when it was uploaded. The conclusion? Eight percent of content contains DLP violations.
It’s interesting to note too, that beyond DLP, the report indicates that 25 percent of all files are shared with one or more people outside of the organization, 40 percent are shared within the organization and 35 percent are private.
Those with the highest volume include cloud storage, CRM/SFA and webmail.
What to do about all of this? There’s no easy answer. In an era of consumerized IT, users who need solutions in a jiffy are going to find them, whether IT allows it or not. Vendors are unlikely to tighten their “try before you buy,” “free for individuals, departments, and small groups” policies or raise their prices.
But, regardless, it’s a problem that needs to get solved, and now.
“The security of data in the cloud has shifted from the IT room to the boardroom, with 61 percent of companies indicating that executives are now involved in such decisions,” said Jim Reavis, CEO of the CSA.