Study: Corporate-“Shadow” IT Gap Puts Cloud-based Data in Peril
As corporate data – much of it sensitive – flies to the cloud in growing volume, a serious disconnect between corporate and “shadow” IT has developed in recent years, one that has resulted in data security practices often handled in a decentralized, disjointed and non-compliant way, with even simple data security provisions often not put in place. These are the overall and rather alarming findings of a report commissioned by Gemalto, the Netherlands-based digital security giant, executed by Ponemon Institute and based on information provided by nearly 3,500 IT and IT security practitioners in the U.S. and worldwide.
Among the key findings of the report, titled “The 2016 Global Cloud Data Security Study,” are that roughly half of all cloud services and corporate data stored in the cloud are not controlled by IT departments, two-thirds of sensitive data stored in the cloud is left unencrypted, and more than half of companies are not proactive in their compliance with privacy and security regulations for data in cloud environments.
“The thing that really pops out to me is that over three-quarters of the respondents are using cloud-based services and that it’s not a part of their (corporate) organizations and operations today,” Joe Pindar, Gemalto director of research and development, told EnterpriseTech. “The question isn’t whether an organization or an enterprise is using the cloud, it’s how they’re using the cloud. And what we see is that customer information is the most common and fastest growing type of data being stored in cloud environments, and it’s also considered to be the data most at risk.”
By “cloud,” Pindar said the report typically refers to a hybrid cloud implementation in which some applications and data reside in public cloud environments.
The survey found that although cloud-based resources are becoming more important to companies’ IT operations and business strategies, 54 percent did not agree that their companies have a proactive approach to managing security and complying with privacy and data protection regulations in cloud environments. This despite the fact that 65 percent of respondents said their organizations are committed to protecting confidential or sensitive information in the cloud. Furthermore, 56 percent did not agree their organization is careful about sharing sensitive information in the cloud with third parties such as business partners, contractors and vendors.
Many of these problems stem from the growth in shadow IT taking action beyond the reach of corporate governance. According to the survey, nearly half of cloud services are deployed by departments other than corporate IT, and an average of 47 percent of corporate data stored in cloud environments is not managed by the IT department.
In addition, only 21 percent of respondents said members of the corporate security team are involved in decisions regarding cloud applications or platforms. Sixty-four percent also said their organizations do not have a policy that requires use of security safeguards, such as encryption, as a condition to using certain cloud computing applications.
“The majority of people said they were committed to keeping data private,” Pindar said, “but as it came down to how many people had policies and processes, many just don’t have that. So it really shows something that’s been going on for about 10 years now, in that corporate IT and security have effectively been branded, administratively, as trying to block people. This is where shadow IT has come from…. But one of the core points is that compliance and regulations issues don’t go away simply because security and corporate IT aren’t included in purchasing decisions.”
Cloud security is most critical where customer information is concerned. According to the survey, the storage of customer information, emails, consumer data, employee records and payment information has increased from 53 percent in 2014 to 62 percent of respondents saying their company does this today. Fifty-three percent also consider this type of data to be most at risk in the cloud.
Yet another concerning trend is a conflict between risk and action. Sixty-seven percent of respondents said the management of user identities is more difficult in the cloud than on-premises. Yet organizations are not adopting relatively easy cloud security measures. About half (45 percent) of companies are not using multi-factor authentication to secure employee and third-party access to applications and data in the cloud. This means many companies are still relying on user names and passwords to validate identities, according to the study. This puts more data at risk because 58 percent of respondents say their organizations have third-party users accessing their data and information in the cloud.
Likewise, while 72 percent of respondents said encryption or tokenizing sensitive data is important, only 34 percent of respondents use those techniques for sensitive data directly within cloud-based applications.
The study recommends cloud data security strategies that include comprehensive policies for data governance and compliance, that create guidelines for the sourcing of cloud services and establish rules for what data can and cannot be stored in the cloud.
“As companies store more data in the cloud and utilize more cloud-based services, IT organizations need to place greater emphasis on stronger user access controls with multi-factor authentication,” the report stated. “This is even more important for companies that give third parties and vendors access to their data in the cloud.”
Ponemon surveyed 3,476 IT and IT security practitioners in the U.S., Brazil, the U.K., Germany, France, the Russian Federation, India, Japan and Australia. Industries represented among the respondents include financial services, retail, technology and software, public sector, healthcare and pharmaceutical, utilities and energy, education, transportation, communications, media and entertainment, and hospitality.